| Security Issues and Fixes: 192.168.1.12 |
| Type |
Port |
Issue and Fix |
| Warning |
general/tcp |
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618 |
| Warning |
general/tcp |
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.
This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc...).
Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213 |
| Informational |
general/tcp |
The remote host is up
Nessus ID : 10180 |
| Informational |
general/tcp |
Nmap found that this host is running Linux 2.1.19 - 2.2.25
Nessus ID : 10336 |
| Informational |
general/tcp |
HTTP NIDS evasion functions are enabled.
You may get some false negative results
Nessus ID : 10890 |
| Informational |
general/tcp |
Nessus was not able to reliably identify the remote operating system. It might be:
Allot NetEnforcer
Linux Kernel 2.2
The fingerprint differs from these known signatures on 1 points.
If you know what operating system this host is running, please send this signature to
os-signatures@nessus.org :
:1:1:0:255:1:255:1:0:255:1:0:255:1:>64:255:0:1:1:1:1:1:1:1:1:64:16060:MSTNW:0:1:1
Nessus ID : 11936 |
| Warning |
discard (9/tcp) |
The remote host is running a 'discard' service. This service
typically sets up a listening socket and will ignore all the
data which it receives.
This service is unused these days, so it is advised that you
disable it.
Solution :
- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CAN-1999-0636
Nessus ID : 11367 |
| Warning |
daytime (13/tcp) |
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.
The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.
In addition to that, the UDP version of daytime is running, an attacker
may link it to the echo port of a third party host using spoofing, thus
creating a possible denial of service condition between this host and
a third party.
Solution :
- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052 |
| Vulnerability |
ftp (21/tcp) |
It was possible to disable the remote FTP server
by connecting to it about 3000 times, with
one connection at a time.
If the remote server is running from within [x]inetd, this
is a feature and the FTP server should automatically be back
in a couple of minutes.
An attacker may use this flaw to prevent this
service from working properly.
Solution : If the remote server is GoodTech ftpd server,
download the newest version from http://www.goodtechsys.com.
BID : 2270
Risk factor : High
CVE : CAN-2001-0188
BID : 2270
Nessus ID : 10690 |
| Informational |
ftp (21/tcp) |
An unknown service is running on this port.
It is usually reserved for FTP
Nessus ID : 10330 |
| Informational |
ftp (21/tcp) |
An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Back Construction
Blade Runner
Cattivik FTP Server
CC Invader
Dark FTP
Doly Trojan
Fore
FreddyK
Invisible FTP
Juggernaut 42
Larva
MotIv FTP
Net Administrator
Ramen
RTB 666
Senna Spy FTP server
The Flu
Traitor 21
WebEx
WinCrash
Unless you know for sure what is behind it, you'd better
check your system
*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)
Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157 |
| Informational |
ftp (21/tcp) |
This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin
Nessus ID : 10919 |
| Informational |
ssh (22/tcp) |
An ssh server is running on this port
Nessus ID : 10330 |
| Informational |
ssh (22/tcp) |
Remote SSH version : SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
Nessus ID : 10267 |
| Informational |
ssh (22/tcp) |
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.99
. 2.0
SSHv2 host key fingerprint : 51:17:d3:65:90:c6:c5:24:79:ea:16:13:f1:35:d1:e5
Nessus ID : 10881 |
| Informational |
telnet (23/tcp) |
An unknown service is running on this port.
It is usually reserved for Telnet
Nessus ID : 10330 |
| Informational |
smtp (25/tcp) |
An unknown service is running on this port.
It is usually reserved for SMTP
Nessus ID : 10330 |
| Informational |
smtp (25/tcp) |
An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Ajan
Antigen
Barok
BSE
Email Password Sender - EPS
EPS II
Gip
Gris
Happy99
Hpteam mail
I love you
Kuang2
Magic Horse
MBT (Mail Bombing Trojan)
Moscow Email trojan
Naebi
NewApt worm
ProMail trojan
Shtirlitz
Stealth
Stukach
Tapiras
Terminator
WinPC
WinSpy
Unless you know for sure what is behind it, you'd better
check your system
*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)
Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157 |
| Informational |
smtp (25/tcp) |
For some reason, we could not send the 42.zip file to this MTA
BID : 3027
Nessus ID : 11036 |
| Warning |
time (37/tcp) |
The remote host has a bug in its 'inetd' server. 'inetd' is the
'internet super-server' and is in charge of managing multiple sub-servers
(like telnet, ftp, chargen, and more).
There is a bug in the inetd server that comes with RedHat 6.2, which allows
an attacker to prevent it from working completely by forcing it to consume
system resources.
Solution : Upgrade to inetd-0.16-7
Risk factor : Medium
CVE : CVE-2001-0309
BID : 2395
Nessus ID : 11006 |
| Informational |
time (37/tcp) |
A time server seems to be running on this port
Nessus ID : 10330 |
| Vulnerability |
domain (53/tcp) |
The remote BIND 9 DNS server, according to its version number, is vulnerable to a
buffer overflow which may allow an attacker to gain a shell on this host or
to disable this server.
Solution : upgrade to bind 9.2.2 or downgrade to the 8.x series
See also : http://www.isc.org/products/BIND/bind9.html
http://cert.uni-stuttgart.de/archive/bugtraq/2003/03/msg00075.html
http://www.cert.org/advisories/CA-2002-19.html
Risk factor : High
CVE : CAN-2002-0684
Other references : IAVA:2003-B-0001
Nessus ID : 11318 |
| Informational |
domain (53/tcp) |
BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.
The BIND based NAMED servers (or DNS servers) allow remote users
to query for version and type information. The query of the CHAOS
TXT record 'version.bind', will typically prompt the server to send
the information back to the querying source.
The remote bind version is : 9.2.1
Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.
Nessus ID : 10028 |
| Informational |
domain (53/tcp) |
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002 |
| Warning |
finger (79/tcp) |
The 'finger' service provides useful information to attackers, since it allows
them to gain usernames, check if a machine is being used, and so on...
Here is the output we obtained for 'root' :
Login: root Name: root
Directory: /root Shell: /bin/bash
On since Sun Sep 12 15:37 (EDT) on tty1 36 minutes 21 seconds idle
(messages off)
No mail.
No Plan.
Solution : comment out the 'finger' line in /etc/inetd.conf
Risk factor : Low
CVE : CVE-1999-0612
Nessus ID : 10068 |
| Informational |
finger (79/tcp) |
A finger server seems to be running on this port
Nessus ID : 10330 |
| Warning |
http (80/tcp) |
It seems that your web server tries to hide its version
or name, which is a good thing.
However, using a special crafted request, Nessus was able
to determine that is is running :
Apache/1.3.26 (Unix) Debian GNU/Linux
Risk factor : None
Solution : Fix your configuration.
Nessus ID : 11239 |
| Informational |
http (80/tcp) |
A web server is running on this port
Nessus ID : 10330 |
| Informational |
http (80/tcp) |
Nessus was not able to reliably identify this server. It might be:
Apache/1.3.22-26 (Unix)
Apache/1.3.26 (Unix) PHP/4.
Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.3.4 AuthMySQL/3.1 DAV/1.0.3
Apache/1.3.26 (Unix) mod_perl/1.27 PHP/4.2.2
Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2
Apache/1.3.26 (Unix) Debian GNU/Linux
Apache/1.3.26 (Debian 3.0 woody)
Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_perl/1.23
The fingerprint differs from these known signatures on 7 point(s)
Nessus ID : 11919 |
| Vulnerability |
pop3 (110/tcp) |
The remote qpopper server, according to its banner, is
running version 4.0.3 or version 4.0.4. These versions
are vulnerable to a buffer overflow if they are configured
to allow the processing of a user's ~/.qpopper-options file.
A local user can cause a buffer overflow by setting the
bulldir variable to something longer than 256 characters.
*** This test could not confirm the existence of the
*** problem - it relied on the banner being returned.
Solution : Upgrade to the latest version, or disable
processing of user option files.
Risk factor : High
CVE : CVE-2001-1046
BID : 2811
Nessus ID : 10948 |
| Vulnerability |
pop3 (110/tcp) |
The remote qpopper server, according to its banner, is
vulnerable to a one-byte overflow it its function
Qvsnprintf().
An attacker may use this flaw to gain a (non-root)
shell on this host, provided that he has a valid
POP account to log in with.
*** This test could not confirm the existence of the
*** problem - it relied on the banner being returned.
Solution : Upgrade to version 4.0.5cf2 or newer
Risk factor : High
CVE : CAN-2003-0143
BID : 7058
Other references : SuSE:SUSE-SA:2003:018
Nessus ID : 11376 |
| Warning |
pop3 (110/tcp) |
The remote server appears to be running a version of QPopper
that is older than 4.0.5.
Versions older than 4.0.5 are vulneable to a bug where remote
attackers can enumerate valid usernames based on server
responses during the authentication process.
Solution : None at this time
Risk factor : Low
BID : 7110
Nessus ID : 12279 |
| Informational |
pop3 (110/tcp) |
An unknown service is running on this port.
It is usually reserved for POP3
Nessus ID : 10330 |
| Informational |
pop3 (110/tcp) |
The remote POP3 servers leak information about the software it is running,
through the login banner. This may assist an attacker in choosing an attack
strategy.
Versions and types should be omitted where possible.
The version of the remote POP3 server is :
+OK Qpopper (version 4.0.4) at debian starting.
Solution : Change the login banner to something generic.
Risk factor : Low
Nessus ID : 10185 |
| Informational |
pop3 (110/tcp) |
An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
ProMail trojan
Unless you know for sure what is behind it, you'd better
check your system
*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)
Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157 |
| Warning |
auth (113/tcp) |
The remote host is running an ident (also known as 'auth') daemon.
The 'ident' service provides sensitive information to potential
attackers. It mainly says which accounts are running which services.
This helps attackers to focus on valuable services (those
owned by root). If you do not use this service, disable it.
Solution : Under Unix systems, comment out the 'auth' or 'ident'
line in /etc/inetd.conf and restart inetd
Risk factor : Low
CVE : CAN-1999-0629
Nessus ID : 10021 |
| Informational |
auth (113/tcp) |
An identd server is running on this port
Nessus ID : 10330 |
| Vulnerability |
netbios-ssn (139/tcp) |
The following shares can be accessed using a NULL session :
- IPC$ - (readable?, writeable?)
Solution : To restrict their access under WindowsNT, open the explorer, do a right click on each,
go to the 'sharing' tab, and click on 'permissions'
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396 |
| Vulnerability |
netbios-ssn (139/tcp) |
The remote Samba server, according to its version number,
may be vulnerable to a remote buffer overflow when receiving
specially crafted SMB fragment packets.
An attacker needs to be able to access at least one
share to exploit this flaw.
Solution : upgrade to Samba 2.2.8
Risk factor : High
CVE : CAN-2003-0085, CAN-2003-0086
BID : 7106, 7107
Other references : RHSA:RHSA-2003:095-03, SuSE:SUSE-SA:2003:016
Nessus ID : 11398 |
| Warning |
netbios-ssn (139/tcp) |
The remote registry can be accessed remotely using the login / password
combination used for the SMB tests.
Having the registry accessible to the world is not a good thing as it gives
extra knowledge to a hacker.
Solution : Apply service pack 3 if not done already, and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.
In addition to this, you should consider filtering incoming packets to this
port.
Risk factor : Low
CVE : CAN-1999-0562
BID : 6830
Nessus ID : 10400 |
| Warning |
netbios-ssn (139/tcp) |
The host Security Identifier (SID) can be obtained remotely. Its value is :
DEBIAN : 5-21--1533175248-1275098784--1755235201
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859 |
| Warning |
netbios-ssn (139/tcp) |
Here is the browse list of the remote host :
DEBIAN -
PC -
This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
Nessus ID : 10397 |
| Warning |
netbios-ssn (139/tcp) |
Here is the list of the SMB shares of this host :
IPC$ -
ADMIN$ -
lp -
This is potentially dangerous as this may help the attack
of a potential hacker.
Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395 |
| Warning |
netbios-ssn (139/tcp) |
A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process,
rendering the system instable.
If you see that this attack was successful, have a look
at this page :
http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2
CVE : CVE-1999-0980
BID : 754
Nessus ID : 10204 |
| Informational |
netbios-ssn (139/tcp) |
An SMB server is running on this port
Nessus ID : 11011 |
| Informational |
netbios-ssn (139/tcp) |
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
All the smb tests will be done as ''/'whatever' in domain LCLNT
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990
Nessus ID : 10394 |
| Informational |
netbios-ssn (139/tcp) |
The remote native lan manager is : Samba 2.2.3a-12.3 for Debian
The remote Operating System is : Unix
The remote SMB Domain Name is : LOCAL.NET
Nessus ID : 10785 |
| Informational |
imap (143/tcp) |
An unknown service is running on this port.
It is usually reserved for IMAP
Nessus ID : 10330 |
| Informational |
imap3 (220/tcp) |
An unknown service is running on this port.
It is usually reserved for IMAP3
Nessus ID : 10330 |
| Informational |
ntalk (518/udp) |
The remote host is running a 'talkd' daemon.
talkd is the server that notifies a user that someone else wants to initiate
a conversation with him.
Malicious hackers may use it to abuse legitimate users by conversing with
them with a false identity (social engineering). In addition to this, an
attacker may use this service to execute arbitrary code on your system.
Solution:
Disable talkd access from the network by adding the approriate rule on your
firewall. If you do not need talkd, comment out the relevant line in
/etc/inetd.conf and restart the inetd process.
See also : http://www.cert.org/advisories/CA-1997-04.html
Risk factor : Medium
CVE : CVE-1999-0048
Nessus ID : 10168 |
| Informational |
ntalk (518/udp) |
talkd protocol version: 1
CVE : CVE-1999-0048
Nessus ID : 10168 |
| Informational |
kdm (1024/tcp) |
An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Jade
Latinus
NetSpy
Remote Administration Tool - RAT [no 2]
Unless you know for sure what is behind it, you'd better
check your system
*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)
Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157 |
| Vulnerability |
postgresql (5432/tcp) |
The remote PostgreSQL server might be vulnerable to various flaws
which may allow an attacker who has the rights to query the remote
database to obtain a shell on this host.
*** Nessus was not able to remotely determine the version of the
*** remote PostgreSQL server, so this might be a false positive
Solution : Upgrade to postgresql 7.3.4 or newer
Risk factor : High
CVE : CAN-2003-0901
BID : 8741
Other references : RHSA:RHSA-2003:313-01
Nessus ID : 11916 |
| Vulnerability |
postgresql (5432/tcp) |
The remote PostgreSQL server might be vulnerable to various flaws
which may allow an attacker who has the rights to query the remote
database to obtain a shell on this host.
*** Nessus was not able to remotely determine the version of the
*** remote PostgreSQL server, so this might be a false positive
Solution : Upgrade to postgresql 7.2.3 or newer
Risk factor : High
CVE : CAN-2002-1402, CAN-2002-1401, CAN-2002-1400, CAN-2002-1397, CAN-2002-1399
BID : 5497, 5527, 6610, 6611, 6612, 6613, 6614, 6615, 7075
Other references : RHSA:RHSA-2003:0010-10
Nessus ID : 11456 |
| Informational |
postgresql (5432/tcp) |
A PostgreSQL server is running on this port
Nessus ID : 10330 |
| Informational |
general/udp |
For your information, here is the traceroute to 192.168.1.12 :
192.168.1.3
192.168.1.12
Nessus ID : 10287 |
| Informational |
domain (53/udp) |
The remote name server could be fingerprinted as being one of the following :
ISC BIND 9.2.1
ISC BIND 9.2.2
Nessus ID : 11951 |
| Informational |
general/icmp |
Here is the route recorded between 192.168.1.3 and 192.168.1.12 :
192.168.1.12.
192.168.1.12.
Nessus ID : 12264 |