Security Issues and Fixes: 192.168.1.4 |
Type |
Port |
Issue and Fix |
Warning |
general/tcp |
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules: a filter that
recognises new connections only by the exact SYN-only flag pattern
lets a SYN+FIN segment through, and this host then completes the
handshake on it as if it were a plain SYN.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618 |
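The following is an added example, not Nessus output or code from the scanned host: it parses raw TCP headers with the Python standard library and labels the flag combinations a host or packet filter should refuse, including the SYN+FIN case in the finding above. The header builder, port numbers and the label names are constructed for illustration.

```python
import struct

# TCP flag bits in the low byte of header bytes 12-13 (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the six RFC 793 flag bits of a raw TCP header (IP header stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_and_flags, = struct.unpack("!H", segment[12:14])
    return offset_and_flags & 0x3F


def classify(segment: bytes) -> str:
    """Label a segment by its flag combination.

    A filter that identifies inbound connection attempts by the exact
    flag pattern "SYN only" does not match SYN+FIN, yet a host that does
    not discard SYN+FIN answers it with SYN+ACK as if it were a plain SYN.
    That is the bypass described in the finding above.
    """
    f = tcp_flags(segment)
    if (f & SYN) and (f & FIN):
        return "syn-fin"        # never legal; drop it
    if f == 0:
        return "null"           # no flags at all (null scan probe)
    if (f & (FIN | PSH | URG)) == (FIN | PSH | URG) and not (f & (SYN | ACK | RST)):
        return "xmas"
    if (f & SYN) and not (f & ACK):
        return "syn"            # genuine new connection
    if f & SYN:
        return "syn-ack"
    if f & RST:
        return "rst"
    return "established"        # ACK-bearing data or teardown traffic


def should_drop(segment: bytes) -> bool:
    """Policy a host or a border filter should apply: discard malformed flag sets."""
    return classify(segment) in ("syn-fin", "null", "xmas")


def build_tcp(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header (no options; checksum left zero because
    nothing here validates it)."""
    data_offset = 5 << 12   # header length in 32-bit words, top 4 bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset | flags, 65535, 0, 0)


if __name__ == "__main__":
    for name, flags in (("syn", SYN), ("syn-fin", SYN | FIN), ("xmas", FIN | PSH | URG)):
        seg = build_tcp(40000, 22, flags)
        print(name, classify(seg), "drop" if should_drop(seg) else "pass")
```

The same classification is what a stateful firewall applies on ingress; a host that passes `should_drop` traffic up to its TCP stack is the condition plugin 11618 reports.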
Warning |
general/tcp |
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.
This may cause problems for long-lived connections such as BGP
sessions or a VPN tunnelled over TCP.
Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213 |
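Added example, not part of the report or of the referenced advisory: the in-window test behind the sequence number approximation attack, first with the original RFC 793 acceptance rule, then with the exact-match-or-challenge-ACK rule that was later standardised in RFC 5961 section 3.2, plus a counter for how many blind RSTs an attacker who already knows both address/port pairs must send. The sequence numbers and window size are constructed.

```python
MOD = 1 << 32   # TCP sequence numbers wrap at 2**32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_action_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Original rule: any RST inside the receive window aborts the connection,
    so an attacker only has to land somewhere in the window."""
    return "abort" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Mitigation later standardised in RFC 5961 section 3.2: only an exact
    match on rcv_nxt aborts; an in-window but inexact RST earns a challenge
    ACK (a genuine peer answers it with a correctly numbered RST), and
    anything else is dropped."""
    if seq == rcv_nxt:
        return "abort"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def blind_rst_attempts(rcv_wnd: int, exact_match_required: bool) -> int:
    """Worst-case number of spoofed RSTs for an attacker who already knows
    both address/port pairs: one per window-sized stride of the sequence
    space, or one per sequence number when an exact match is required."""
    if exact_match_required:
        return MOD
    return -(-MOD // rcv_wnd)   # ceiling division


def simulate_blind_rst(rcv_nxt: int, rcv_wnd: int, rule) -> int:
    """Walk the sequence space in window-sized strides, the attacker's best
    strategy against an RFC 793 host, and return how many RSTs were sent
    before `rule` aborted the connection, or -1 if it never did."""
    attempts = 0
    for guess in range(0, MOD, rcv_wnd):
        attempts += 1
        if rule(guess, rcv_nxt, rcv_wnd) == "abort":
            return attempts
    return -1


if __name__ == "__main__":
    # constructed connection state: a 64 KiB window, arbitrary rcv_nxt
    rcv_nxt, rcv_wnd = 1_000_000_007, 65535
    print("RFC 793 host aborted after",
          simulate_blind_rst(rcv_nxt, rcv_wnd, rst_action_rfc793), "RSTs")
    print("RFC 5961 host aborted after",
          simulate_blind_rst(rcv_nxt, rcv_wnd, rst_action_rfc5961), "RSTs (-1 = never)")
    print("worst case:", blind_rst_attempts(rcv_wnd, False),
          "vs", blind_rst_attempts(rcv_wnd, True))
```

The stride walk shows why the window size is the whole story: with a 65535-byte window the attacker needs at most about 65 thousand segments instead of 4 billion, and the host's source port is the only remaining unknown, which is why the advisory's focus is on long-lived sessions with predictable endpoints such as BGP.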
Informational |
general/tcp |
The remote host is up
Nessus ID : 10180 |
Informational |
general/tcp |
Nmap found that this host is running FreeBSD 5.2-CURRENT (Jan 2004) on x86
Nessus ID : 10336 |
Informational |
general/tcp |
HTTP NIDS evasion functions are enabled.
You may get some false negative results
Nessus ID : 10890 |
Informational |
general/tcp |
The remote host is running FreeBSD 5.1
Nessus ID : 11936 |
Warning |
echo (7/tcp) |
The remote host is running the 'echo' service. This service
echoes any data which is sent to it.
This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up denial of
service attacks against this host.
Solution :
- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103, CAN-1999-0635
Nessus ID : 10061 |
Warning |
echo (7/tcp) |
The remote host has a bug in its 'inetd' server. 'inetd' is the
'internet super-server' and is in charge of managing multiple sub-servers
(like telnet, ftp, chargen, and more).
There is a bug in the inetd server that comes with RedHat 6.2, which allows
an attacker to prevent it from working completely by forcing it to consume
system resources.
Note that the OS fingerprints above identify this host as FreeBSD, not
RedHat 6.2, so verify this finding before acting on it.
Solution : Upgrade to inetd-0.16-7
Risk factor : Medium
CVE : CVE-2001-0309
BID : 2395
Nessus ID : 11006 |
Informational |
echo (7/tcp) |
An echo server is running on this port
Nessus ID : 10330 |
Warning |
echo (7/udp) |
The remote host is running the 'echo' service. This service
echoes any data which is sent to it.
This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up denial of
service attacks against this host.
Solution :
- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103, CAN-1999-0635
Nessus ID : 10061 |
Warning |
discard (9/tcp) |
The remote host is running a 'discard' service. This service
typically sets up a listening socket and will ignore all the
data which it receives.
This service is unused these days, so it is advised that you
disable it.
Solution :
- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CAN-1999-0636
Nessus ID : 11367 |
Warning |
daytime (13/tcp) |
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.
The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.
In addition, since the UDP version of daytime is also running, an attacker
may use spoofed datagrams to link it to the echo port of a third-party
host, creating a possible denial of service condition (a packet loop)
between this host and that third party.
Solution :
- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052 |
Warning |
daytime (13/udp) |
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.
The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.
In addition, since the UDP version of daytime is also running, an attacker
may use spoofed datagrams to link it to the echo port of a third-party
host, creating a possible denial of service condition (a packet loop)
between this host and that third party.
Solution :
- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052 |
Informational |
chargen (19/tcp) |
Chargen is running on this port
Nessus ID : 10330 |
Vulnerability |
ftp (21/tcp) |
It was possible to kill your FTP server
by reading an MS-DOS device, using
a file name like CON\CON, AUX.htm or AUX.
A cracker may use this flaw to make your
server crash continuously, preventing
you from working properly.
Note that the banner reported below (Version 6.00LS) is the FreeBSD ftpd,
on which MS-DOS device names have no special meaning; reconnect to port 21
to confirm the server really stopped responding before treating this as
a confirmed crash.
Solution : upgrade your system or use an
FTP server that filters those names out.
Risk factor : High
Nessus ID : 10929 |
Informational |
ftp (21/tcp) |
An unknown service is running on this port.
It is usually reserved for FTP
Nessus ID : 10330 |
Informational |
ftp (21/tcp) |
Remote FTP server banner :
220 TEST.knology.net FTP server (Version 6.00LS) ready.
Nessus ID : 10092 |
Vulnerability |
ssh (22/tcp) |
You are running a version of OpenSSH which is older than 3.7.1
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.
An exploit for this issue is rumored to exist.
Note that several distributions patched this hole without changing
the version number of OpenSSH. Since Nessus relies solely on the
banner of the remote SSH server to perform this check, this might
be a false positive. The banner reported below
(SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924) carries a vendor suffix,
which is exactly the case where the version number alone does not tell
you whether the fix is in; check the FreeBSD security advisory status
for this build.
If you are running a RedHat host, make sure that the command :
rpm -q openssh-server
Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)
Solution : Upgrade to OpenSSH 3.7.1
See also : http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
Nessus ID : 11837 |
Warning |
ssh (22/tcp) |
You are running OpenSSH-portable 3.6.1p1 or older.
If PAM support is enabled, an attacker may use a flaw in this version
to determine the existence of a given login name by comparing the time
the remote sshd daemon takes to refuse a bad password for a non-existent
login with the time it takes to refuse a bad password for a
valid login.
An attacker may use this flaw to set up a brute force attack against
the remote host.
*** Nessus did not check whether the remote SSH daemon is actually
*** using PAM or not, so this might be a false positive
Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer
Risk factor : Low
CVE : CAN-2003-0190
BID : 7342, 7467, 7482
Other references : RHSA:RHSA-2003:222-01
Nessus ID : 11574 |
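Added example, not Nessus plugin code, serving the two OpenSSH findings above (older than 3.7.1, and OpenSSH-portable 3.6.1p1 or older with PAM) as well as the protocol-1 finding that follows: a banner check of the kind these plugins rely on, written so that a vendor comment such as the FreeBSD-20030924 in this host's banner lowers the confidence of version-based findings instead of being ignored. The finding names and confidence labels are made up for this example; the version thresholds are the ones the findings state.

```python
import re

OLDEST_FIXED = "3.7.1"          # buffer management fix (CAN-2003-0682/0693/0695)
LAST_PAM_TIMING = "3.6.1p1"     # portable builds up to here: CAN-2003-0190


def parse_banner(banner: str) -> dict:
    """Split 'SSH-proto-software[_version] [comment]' into its parts."""
    ident, _, comment = banner.strip().partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        raise ValueError("not an SSH identification string: %r" % banner)
    name, _, version = parts[2].partition("_")
    return {"proto": parts[1], "software": name, "version": version,
            "comment": comment.strip()}


def version_key(version: str):
    """Sortable key for OpenSSH version strings such as 3.6.1p1 or 3.7.
    The 'pN' suffix marks the portable (non-OpenBSD) release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:p(\d+))?", version)
    if not m:
        raise ValueError("unparsable version: %r" % version)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # 3.7 sorts as 3.7.0
    portable = int(m.group(2)) if m.group(2) else 0
    return nums, portable


def assess(banner: str) -> list:
    """Return (finding, confidence) pairs a banner-only check can justify.
    A vendor comment (e.g. 'FreeBSD-20030924') means the build may carry
    back-ported fixes, so version-based findings drop to 'low'."""
    b = parse_banner(banner)
    findings = []
    if b["proto"].startswith("1."):
        # 1.99 means the server speaks both 1.x and 2.0 (RFC 4253 section 5.1)
        findings.append(("ssh-protocol-1-offered", "high"))
    if b["software"] == "OpenSSH" and b["version"]:
        confidence = "low" if b["comment"] else "medium"
        key = version_key(b["version"])
        if key < version_key(OLDEST_FIXED):
            findings.append(("openssh-older-than-3.7.1", confidence))
        if key[1] and key <= version_key(LAST_PAM_TIMING):   # portable builds only
            findings.append(("openssh-portable-pam-timing", confidence))
    return findings


if __name__ == "__main__":
    for banner in ("SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924",
                   "SSH-2.0-OpenSSH_3.7.1p2"):
        print(banner, "->", assess(banner))
```

The protocol-1 finding stays high confidence because the banner states it directly; the two version findings are the ones a vendor build can invalidate, which is what the plugin text means by "this might be a false positive".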
Warning |
ssh (22/tcp) |
The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.
Protocol 1 has known cryptographic weaknesses (its CRC-32 integrity
check can be defeated by an insertion attack), so it should not be used.
Solution :
If you use OpenSSH, set the option 'Protocol' to '2' in sshd_config
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low
Nessus ID : 10882 |
Informational |
ssh (22/tcp) |
An ssh server is running on this port
Nessus ID : 10330 |
Informational |
ssh (22/tcp) |
Remote SSH version : SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924
Nessus ID : 10267 |
Informational |
ssh (22/tcp) |
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.33
. 1.5
. 1.99
. 2.0
SSHv1 host key fingerprint : 4c:c4:37:27:35:b3:84:dc:60:d5:ad:52:f9:08:a6:c8
SSHv2 host key fingerprint : 8f:9a:82:fc:79:79:c0:91:cf:cf:88:48:fd:12:49:95
Nessus ID : 10881 |
Warning |
telnet (23/tcp) |
The Telnet service is running.
This service is dangerous in the sense that it is not encrypted - that is,
everyone can sniff the data that passes between the telnet client
and the telnet server. This includes logins and passwords.
Solution:
If you are running a Unix-type system, OpenSSH can be used instead of telnet.
For Unix systems, you can comment out the 'telnet' line in /etc/inetd.conf.
For Unix systems which use xinetd, you will need to modify the telnet services
file in the /etc/xinetd.d folder. After making any changes to xinetd or
inetd configuration files, you must restart the service in order for the
changes to take effect.
In addition, many different router and switch manufacturers support SSH as a
telnet replacement. You should contact your vendor for a solution which uses
an encrypted session.
Risk factor : Low
CVE : CAN-1999-0619
Nessus ID : 10280 |
Informational |
telnet (23/tcp) |
A telnet server seems to be running on this port
Nessus ID : 10330 |
Informational |
telnet (23/tcp) |
Remote telnet banner :
Nessus ID : 10281 |
Informational |
time (37/tcp) |
A time server seems to be running on this port
Nessus ID : 10330 |
Warning |
finger (79/tcp) |
The 'finger' service provides useful information to attackers, since it allows
them to gain usernames, check if a machine is being used, and so on...
Here is the output we obtained for 'root' :
Login: root Name: Charlie Root
Directory: /root Shell: /bin/csh
On since Sat Sep 18 10:20 (GMT) on ttyv0, idle 0:08 (messages off)
No Mail.
No Plan.
Solution : comment out the 'finger' line in /etc/inetd.conf
Risk factor : Low
CVE : CVE-1999-0612
Nessus ID : 10068 |
Informational |
finger (79/tcp) |
A finger server seems to be running on this port
Nessus ID : 10330 |
Warning |
auth (113/tcp) |
The remote host is running an ident (also known as 'auth') daemon.
The 'ident' service provides sensitive information to potential
attackers. It mainly says which accounts are running which services.
This helps attackers to focus on valuable services (those
owned by root). If you do not use this service, disable it.
Solution : Under Unix systems, comment out the 'auth' or 'ident'
line in /etc/inetd.conf and restart inetd
Risk factor : Low
CVE : CAN-1999-0629
Nessus ID : 10021 |
Informational |
auth (113/tcp) |
An identd server is running on this port
Nessus ID : 10330 |
Warning |
netbios-ssn (139/tcp) |
A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process,
rendering the system unstable.
If you see that this attack was successful, have a look
at this page :
http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2
CVE : CVE-1999-0980
BID : 754
Nessus ID : 10204 |
Informational |
netbios-ssn (139/tcp) |
The service closed the connection after 0 seconds without sending any data
It might be protected by some TCP wrapper
Nessus ID : 10330 |
Warning |
exec (512/tcp) |
The rexecd service is open. This service is designed to
allow users of a network to execute commands remotely.
However, rexecd does not provide any strong means of authentication
(the username and password travel in clear text), so it
may be abused by an attacker to scan a third party host.
Solution : comment out the 'exec' line in /etc/inetd.conf and restart the
inetd process
Risk factor : Medium
CVE : CAN-1999-0618
Nessus ID : 10203 |
Warning |
login (513/tcp) |
The remote host is running the 'rlogin' service, a remote login
daemon which allows people to log in to this host and obtain an
interactive shell.
This service is dangerous in the sense that it is not encrypted - that is,
everyone can sniff the data that passes between the rlogin client
and the rlogin server, which includes logins and passwords as well
as the commands executed on the remote host.
You should disable this service and use openssh instead (www.openssh.com)
Solution : Comment out the 'login' line in /etc/inetd.conf and restart the
inetd process.
Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10205 |
Warning |
shell (514/tcp) |
The rsh service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.
You should disable this service and use ssh instead.
Solution : Comment out the 'shell' (rshd) line in /etc/inetd.conf and
restart the inetd process.
Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10245 |
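Added example serving every finding above whose fix is "comment out the line in /etc/inetd.conf" (echo, discard, daytime, chargen, time, telnet, finger, auth, exec, login and shell): a script that comments those services out of an inetd.conf and reports what it changed and what is still enabled. This is not Nessus code and the embedded inetd.conf is a constructed sample in FreeBSD layout, not the scanned host's file; the service list is the one assembled from the findings above.

```python
import sys

# Services this report flags that inetd starts; 'auth' is also spelled 'ident'
LEGACY_SERVICES = frozenset({"echo", "discard", "daytime", "chargen", "time",
                             "telnet", "finger", "auth", "ident",
                             "exec", "login", "shell"})

# Constructed sample in FreeBSD inetd.conf layout, not the scanned host's file
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l
telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd
shell\tstream\ttcp\tnowait\troot\t/usr/libexec/rshd\trshd
login\tstream\ttcp\tnowait\troot\t/usr/libexec/rlogind\trlogind
exec\tstream\ttcp\tnowait\troot\t/usr/libexec/rexecd\trexecd
finger\tstream\ttcp\tnowait/3/10\tnobody\t/usr/libexec/fingerd\tfingerd -s
auth\tstream\ttcp\tnowait\troot\tinternal\tauth -r -f -n -o UNKNOWN -t 30
echo\tstream\ttcp\tnowait\troot\tinternal
echo\tdgram\tudp\twait\troot\tinternal
discard\tstream\ttcp\tnowait\troot\tinternal
daytime\tstream\ttcp\tnowait\troot\tinternal
daytime\tdgram\tudp\twait\troot\tinternal
chargen\tstream\ttcp\tnowait\troot\tinternal
time\tstream\ttcp\tnowait\troot\tinternal
#ntalk\tdgram\tudp\twait\ttty:tty\t/usr/libexec/ntalkd\tntalkd
"""


def _entry(line: str):
    """Return 'service/proto' for an active inetd.conf line, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 3:
        return None
    return "%s/%s" % (fields[0], fields[2])


def active_services(inetd_conf: str) -> list:
    """All enabled service/proto entries, in file order."""
    return [e for e in map(_entry, inetd_conf.splitlines()) if e]


def disable_services(inetd_conf: str, services=LEGACY_SERVICES):
    """Comment out every active line whose service name is in `services`.
    tcp and udp entries share a name, so both get disabled.  Returns the
    new text and the list of entries that were disabled; running it again
    on its own output changes nothing."""
    out, disabled = [], []
    for line in inetd_conf.splitlines(keepends=True):
        entry = _entry(line)
        if entry and entry.split("/")[0] in services:
            out.append("#" + line)
            disabled.append(entry)
        else:
            out.append(line)
    return "".join(out), disabled


if __name__ == "__main__":
    # usage: python harden_inetd.py /etc/inetd.conf > inetd.conf.new
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INETD_CONF
    new_text, disabled = disable_services(text)
    sys.stdout.write(new_text)
    sys.stderr.write("disabled: %s\nstill active: %s\n"
                     % (", ".join(disabled), ", ".join(active_services(new_text))))
```

Review the output against the original before installing it over /etc/inetd.conf, then make inetd reread its configuration (it does so on SIGHUP: kill -HUP $(cat /var/run/inetd.pid)). If nothing remains enabled, the cleaner fix on FreeBSD is inetd_enable="NO" in /etc/rc.conf so the super-server does not start at all.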
Vulnerability |
general/icmp |
The remote host is vulnerable to an 'Etherleak' -
the remote ethernet driver seems to leak bits of the
content of the memory of the remote operating system
in the padding of short Ethernet frames.
Note that an attacker may take advantage of this flaw
only from the same physical subnet as the target, since the
leaked bytes live in the link-layer frame and are not forwarded
by routers.
See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : High
CVE : CAN-2003-0001
BID : 6535
Nessus ID : 11197 |
Warning |
general/icmp |
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the time of day set on your machine (the reply carries milliseconds
since midnight UTC).
This may help in attacking time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (type 13) and the outgoing
ICMP timestamp replies (type 14).
Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114 |
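Added example, not from the advisory or from Nessus, serving both general/icmp findings above with one frame parser: it inspects the bytes that trail the IP datagram inside a minimum-size Ethernet frame, which is where an Etherleak shows up, and decodes the three millisecond-since-midnight-UTC fields of an ICMP timestamp reply. The frames, MAC addresses and timestamp values are constructed; the 10:20 UTC value was chosen to match the login time finger reported above.

```python
import struct

ETH_HLEN = 14
ETH_MIN_FRAME = 60            # minimum frame size on the wire, FCS excluded
ICMP_TIMESTAMP_REPLY = 14


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II / IPv4 / ICMP frame into its ICMP message and
    whatever trails the IP datagram (the link-layer pad)."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    if ip[9] != 1:
        raise ValueError("not ICMP")
    return {"src": ".".join(map(str, ip[12:16])),
            "icmp": ip[ihl:total_len],
            "padding": frame[ETH_HLEN + total_len:]}


def etherleak_suspect(frame: bytes) -> bool:
    """RFC 894 requires short frames to be padded up to the minimum size, and
    a sane driver pads with zeros.  Non-zero pad bytes are whatever was left
    in the driver's buffer, i.e. an Etherleak (CAN-2003-0001)."""
    pad = parse_frame(frame)["padding"]
    return len(pad) > 0 and any(pad)


def icmp_timestamps(frame: bytes):
    """(originate, receive, transmit) milliseconds since midnight UTC from a
    timestamp reply (RFC 792), or None for any other ICMP type."""
    icmp = parse_frame(frame)["icmp"]
    if len(icmp) < 20 or icmp[0] != ICMP_TIMESTAMP_REPLY:
        return None
    return struct.unpack("!III", icmp[8:20])


def ms_to_clock(ms: int) -> str:
    """Render an ICMP timestamp as HH:MM:SS.mmm UTC."""
    ms %= 86_400_000
    h, rest = divmod(ms, 3_600_000)
    m, rest = divmod(rest, 60_000)
    s, ms = divmod(rest, 1000)
    return "%02d:%02d:%02d.%03d UTC" % (h, m, s, ms)


def build_frame(icmp: bytes, pad: bytes = None) -> bytes:
    """Constructed Ethernet/IPv4 frame around an ICMP message.  Checksums
    stay zero because nothing here validates them; the pad is explicit so a
    clean frame and a leaky one can be compared."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 168, 1, 4]), bytes([192, 168, 1, 2]))
    eth = bytes.fromhex("020000000102") + bytes.fromhex("020000000104") + b"\x08\x00"
    frame = eth + ip + icmp
    if pad is None:
        pad = b"\x00" * max(0, ETH_MIN_FRAME - len(frame))
    return frame + pad


# Constructed frames: a timestamp reply claiming 10:20:00.123 UTC, first with
# a zero pad, then with six leaked bytes in the pad (the start of an ELF header)
_TS_REPLY = struct.pack("!BBHHHIII", ICMP_TIMESTAMP_REPLY, 0, 0, 1, 1,
                        37_200_000, 37_200_123, 37_200_123)
CLEAN_FRAME = build_frame(_TS_REPLY)
LEAKY_FRAME = build_frame(_TS_REPLY, bytes.fromhex("7f454c460101"))
ECHO_REPLY_FRAME = build_frame(struct.pack("!BBHHH", 0, 0, 0, 1, 1) + b"A" * 8)

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN_FRAME), ("leaky", LEAKY_FRAME)):
        ts = icmp_timestamps(frame)
        print(name, "leak" if etherleak_suspect(frame) else "ok",
              ms_to_clock(ts[1]) if ts else "no timestamp")
```

On a live network the same two checks run over frames captured with a sniffer on the target's segment after sending it a short ICMP echo or timestamp request; only the capture has to be on the same segment, because routers rebuild the frame and the pad with it.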
Informational |
general/icmp |
Here is the route recorded between 192.168.1.2 and 192.168.1.4 :
192.168.1.4.
Nessus ID : 12264 |
Informational |
general/udp |
For your information, here is the traceroute to 192.168.1.4 :
192.168.1.2
192.168.1.4
Nessus ID : 10287 |