Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test : 1
Number of security holes found : 8
Number of security warnings found : 14


Host List
Host(s) Possible Issue
192.168.1.12 Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
192.168.1.12 general/tcp Security warning(s) found
192.168.1.12 discard (9/tcp) Security warning(s) found
192.168.1.12 daytime (13/tcp) Security warning(s) found
192.168.1.12 ftp (21/tcp) Security hole found
192.168.1.12 ssh (22/tcp) Security notes found
192.168.1.12 telnet (23/tcp) Security notes found
192.168.1.12 smtp (25/tcp) Security notes found
192.168.1.12 time (37/tcp) Security warning(s) found
192.168.1.12 domain (53/tcp) Security hole found
192.168.1.12 finger (79/tcp) Security warning(s) found
192.168.1.12 http (80/tcp) Security warning(s) found
192.168.1.12 pop3 (110/tcp) Security hole found
192.168.1.12 rpcbind (111/tcp) No Information
192.168.1.12 auth (113/tcp) Security warning(s) found
192.168.1.12 netbios-ssn (139/tcp) Security hole found
192.168.1.12 imap (143/tcp) Security notes found
192.168.1.12 imap3 (220/tcp) Security notes found
192.168.1.12 printer (515/tcp) No Information
192.168.1.12 talk (517/udp) No Information
192.168.1.12 ntalk (518/udp) Security notes found
192.168.1.12 kdm (1024/tcp) Security notes found
192.168.1.12 postgresql (5432/tcp) Security hole found
192.168.1.12 general/udp Security notes found
192.168.1.12 domain (53/udp) Security notes found
192.168.1.12 general/icmp Security notes found


Security Issues and Fixes: 192.168.1.12
Type Port Issue and Fix
Warning general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618
Warning general/tcp
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.

This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc.).

Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213
Informational general/tcp The remote host is up
Nessus ID : 10180
Informational general/tcp Nmap found that this host is running Linux 2.1.19 - 2.2.25

Nessus ID : 10336
Informational general/tcp HTTP NIDS evasion functions are enabled.
You may get some false negative results.
Nessus ID : 10890
Informational general/tcp Nessus was not able to reliably identify the remote operating system. It might be:
Allot NetEnforcer
Linux Kernel 2.2
The fingerprint differs from these known signatures on 1 point.
If you know what operating system this host is running, please send this signature to
os-signatures@nessus.org :
:1:1:0:255:1:255:1:0:255:1:0:255:1:>64:255:0:1:1:1:1:1:1:1:1:64:16060:MSTNW:0:1:1
Nessus ID : 11936
Warning discard (9/tcp)
The remote host is running a 'discard' service. This service
typically sets up a listening socket and will ignore all the
data which it receives.

This service is unused these days, so it is advised that you
disable it.


Solution :

- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CAN-1999-0636
Nessus ID : 11367
Warning daytime (13/tcp)
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.
The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.

In addition, if the UDP version of daytime is running, an attacker
may link it to the echo port of a third party host using spoofing, thus
creating a possible denial of service condition between this host and
a third party.

Solution :

- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Vulnerability ftp (21/tcp)
It was possible to disable the remote FTP server
by connecting to it about 3000 times, with
one connection at a time.

If the remote server is running from within [x]inetd, this
is a feature and the FTP server should automatically be back
in a couple of minutes.

An attacker may use this flaw to prevent this
service from working properly.

Solution : If the remote server is GoodTech ftpd server,
download the newest version from http://www.goodtechsys.com.
Risk factor : High
CVE : CAN-2001-0188
BID : 2270
Nessus ID : 10690
Informational ftp (21/tcp) An unknown service is running on this port.
It is usually reserved for FTP
Nessus ID : 10330
Informational ftp (21/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Back Construction
Blade Runner
Cattivik FTP Server
CC Invader
Dark FTP
Doly Trojan
Fore
FreddyK
Invisible FTP
Juggernaut 42
Larva
MotIv FTP
Net Administrator
Ramen
RTB 666
Senna Spy FTP server
The Flu
Traitor 21
WebEx
WinCrash

Unless you know for sure what is behind it, you'd better
check your system

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Informational ftp (21/tcp) This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin

Nessus ID : 10919
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3

Nessus ID : 10267
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.99
. 2.0


SSHv2 host key fingerprint : 51:17:d3:65:90:c6:c5:24:79:ea:16:13:f1:35:d1:e5

Nessus ID : 10881
Informational telnet (23/tcp) An unknown service is running on this port.
It is usually reserved for Telnet
Nessus ID : 10330
Informational smtp (25/tcp) An unknown service is running on this port.
It is usually reserved for SMTP
Nessus ID : 10330
Informational smtp (25/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Ajan
Antigen
Barok
BSE
Email Password Sender - EPS
EPS II
Gip
Gris
Happy99
Hpteam mail
I love you
Kuang2
Magic Horse
MBT (Mail Bombing Trojan)
Moscow Email trojan
Naebi
NewApt worm
ProMail trojan
Shtirlitz
Stealth
Stukach
Tapiras
Terminator
WinPC
WinSpy

Unless you know for sure what is behind it, you'd better
check your system

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Informational smtp (25/tcp) For some reason, we could not send the 42.zip file to this MTA
BID : 3027
Nessus ID : 11036
Warning time (37/tcp)
The remote host has a bug in its 'inetd' server. 'inetd' is the
'internet super-server' and is in charge of managing multiple sub-servers
(like telnet, ftp, chargen, and more).

There is a bug in the inetd server that comes with RedHat 6.2, which allows
an attacker to prevent it from working completely by forcing it to consume
system resources.

Solution : Upgrade to inetd-0.16-7
Risk factor : Medium
CVE : CVE-2001-0309
BID : 2395
Nessus ID : 11006
Informational time (37/tcp) A time server seems to be running on this port
Nessus ID : 10330
Vulnerability domain (53/tcp)
The remote BIND 9 DNS server, according to its version number, is vulnerable to a
buffer overflow which may allow an attacker to gain a shell on this host or
to disable this server.


Solution : upgrade to bind 9.2.2 or downgrade to the 8.x series

See also : http://www.isc.org/products/BIND/bind9.html
http://cert.uni-stuttgart.de/archive/bugtraq/2003/03/msg00075.html
http://www.cert.org/advisories/CA-2002-19.html
Risk factor : High
CVE : CAN-2002-0684
Other references : IAVA:2003-B-0001
Nessus ID : 11318
Informational domain (53/tcp) BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.

The BIND based NAMED servers (or DNS servers) allow remote users
to query for version and type information. A query for the CHAOS
TXT record 'version.bind' will typically prompt the server to send
the information back to the querying source.

The remote bind version is : 9.2.1

Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.

Nessus ID : 10028
Informational domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Warning finger (79/tcp)
The 'finger' service provides useful information to attackers, since it allows
them to gain usernames, check if a machine is being used, and so on.

Here is the output we obtained for 'root' :

Login: root Name: root
Directory: /root Shell: /bin/bash
On since Sun Sep 12 15:37 (EDT) on tty1 36 minutes 21 seconds idle
(messages off)
No mail.
No Plan.


Solution : comment out the 'finger' line in /etc/inetd.conf
Risk factor : Low
CVE : CVE-1999-0612
Nessus ID : 10068
Informational finger (79/tcp) A finger server seems to be running on this port
Nessus ID : 10330
Warning http (80/tcp)
It seems that your web server tries to hide its version
or name, which is a good thing.
However, using a specially crafted request, Nessus was able
to determine that it is running :
Apache/1.3.26 (Unix) Debian GNU/Linux

Risk factor : None
Solution : Fix your configuration.
Nessus ID : 11239
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) Nessus was not able to reliably identify this server. It might be:
Apache/1.3.22-26 (Unix)
Apache/1.3.26 (Unix) PHP/4.
Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.3.4 AuthMySQL/3.1 DAV/1.0.3
Apache/1.3.26 (Unix) mod_perl/1.27 PHP/4.2.2
Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2
Apache/1.3.26 (Unix) Debian GNU/Linux
Apache/1.3.26 (Debian 3.0 woody)
Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_perl/1.23
The fingerprint differs from these known signatures on 7 point(s)

Nessus ID : 11919
Vulnerability pop3 (110/tcp)
The remote qpopper server, according to its banner, is
running version 4.0.3 or version 4.0.4. These versions
are vulnerable to a buffer overflow if they are configured
to allow the processing of a user's ~/.qpopper-options file.
A local user can cause a buffer overflow by setting the
bulldir variable to something longer than 256 characters.

*** This test could not confirm the existence of the
*** problem - it relied on the banner being returned.

Solution : Upgrade to the latest version, or disable
processing of user option files.

Risk factor : High
CVE : CVE-2001-1046
BID : 2811
Nessus ID : 10948
Vulnerability pop3 (110/tcp)
The remote qpopper server, according to its banner, is
vulnerable to a one-byte overflow in its function
Qvsnprintf().

An attacker may use this flaw to gain a (non-root)
shell on this host, provided that he has a valid
POP account to log in with.

*** This test could not confirm the existence of the
*** problem - it relied on the banner being returned.

Solution : Upgrade to version 4.0.5cf2 or newer

Risk factor : High
CVE : CAN-2003-0143
BID : 7058
Other references : SuSE:SUSE-SA:2003:018
Nessus ID : 11376
Warning pop3 (110/tcp)
The remote server appears to be running a version of QPopper
that is older than 4.0.5.

Versions older than 4.0.5 are vulnerable to a bug where remote
attackers can enumerate valid usernames based on server
responses during the authentication process.

Solution : None at this time
Risk factor : Low
BID : 7110
Nessus ID : 12279
Informational pop3 (110/tcp) An unknown service is running on this port.
It is usually reserved for POP3
Nessus ID : 10330
Informational pop3 (110/tcp)
The remote POP3 server leaks information about the software it is running,
through the login banner. This may assist an attacker in choosing an attack
strategy.

Versions and types should be omitted where possible.

The version of the remote POP3 server is :
+OK Qpopper (version 4.0.4) at debian starting.


Solution : Change the login banner to something generic.
Risk factor : Low
Nessus ID : 10185
Informational pop3 (110/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
ProMail trojan

Unless you know for sure what is behind it, you'd better
check your system

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Warning auth (113/tcp)
The remote host is running an ident (also known as 'auth') daemon.

The 'ident' service provides sensitive information to potential
attackers. It mainly says which accounts are running which services.
This helps attackers to focus on valuable services (those
owned by root). If you do not use this service, disable it.

Solution : Under Unix systems, comment out the 'auth' or 'ident'
line in /etc/inetd.conf and restart inetd

Risk factor : Low
CVE : CAN-1999-0629
Nessus ID : 10021
Informational auth (113/tcp) An identd server is running on this port
Nessus ID : 10330
Vulnerability netbios-ssn (139/tcp) The following shares can be accessed using a NULL session :

- IPC$ - (readable?, writeable?)


Solution : To restrict their access under Windows NT, open Explorer, right-click each share,
go to the 'Sharing' tab, and click on 'Permissions'
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396
Vulnerability netbios-ssn (139/tcp)
The remote Samba server, according to its version number,
may be vulnerable to a remote buffer overflow when receiving
specially crafted SMB fragment packets.

An attacker needs to be able to access at least one
share to exploit this flaw.

Solution : upgrade to Samba 2.2.8
Risk factor : High
CVE : CAN-2003-0085, CAN-2003-0086
BID : 7106, 7107
Other references : RHSA:RHSA-2003:095-03, SuSE:SUSE-SA:2003:016
Nessus ID : 11398
Warning netbios-ssn (139/tcp)
The remote registry can be accessed remotely using the login / password
combination used for the SMB tests.

Having the registry accessible to the world is not a good thing as it gives
extra knowledge to a hacker.

Solution : Apply service pack 3 if not done already, and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.

In addition to this, you should consider filtering incoming packets to this
port.

Risk factor : Low
CVE : CAN-1999-0562
BID : 6830
Nessus ID : 10400
Warning netbios-ssn (139/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

DEBIAN : 5-21--1533175248-1275098784--1755235201

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning netbios-ssn (139/tcp) Here is the browse list of the remote host :

DEBIAN -
PC -


This is potentially dangerous, as it may help an attacker
by giving them extra targets to check for.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Warning netbios-ssn (139/tcp) Here is the list of the SMB shares of this host :

IPC$ -
ADMIN$ -
lp -


This is potentially dangerous, as it may help an attacker.

Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395
Warning netbios-ssn (139/tcp) A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process,
rendering the system unstable.
If you see that this attack was successful, have a look
at this page :
http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2
CVE : CVE-1999-0980
BID : 754
Nessus ID : 10204
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational netbios-ssn (139/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'whatever' in domain LCLNT
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990
Nessus ID : 10394
Informational netbios-ssn (139/tcp) The remote native lan manager is : Samba 2.2.3a-12.3 for Debian
The remote Operating System is : Unix
The remote SMB Domain Name is : LOCAL.NET

Nessus ID : 10785
Informational imap (143/tcp) An unknown service is running on this port.
It is usually reserved for IMAP
Nessus ID : 10330
Informational imap3 (220/tcp) An unknown service is running on this port.
It is usually reserved for IMAP3
Nessus ID : 10330
Informational ntalk (518/udp)
The remote host is running a 'talkd' daemon.

talkd is the server that notifies a user that someone else wants to initiate
a conversation with him.


Malicious hackers may use it to abuse legitimate users by conversing with
them with a false identity (social engineering). In addition to this, an
attacker may use this service to execute arbitrary code on your system.

Solution:
Disable talkd access from the network by adding the appropriate rule on your
firewall. If you do not need talkd, comment out the relevant line in
/etc/inetd.conf and restart the inetd process.

See also : http://www.cert.org/advisories/CA-1997-04.html
Risk factor : Medium
CVE : CVE-1999-0048
Nessus ID : 10168
Informational ntalk (518/udp) talkd protocol version: 1
CVE : CVE-1999-0048
Nessus ID : 10168
Informational kdm (1024/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Jade
Latinus
NetSpy
Remote Administration Tool - RAT [no 2]

Unless you know for sure what is behind it, you'd better
check your system

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Vulnerability postgresql (5432/tcp)
The remote PostgreSQL server might be vulnerable to various flaws
which may allow an attacker who has the rights to query the remote
database to obtain a shell on this host.

*** Nessus was not able to remotely determine the version of the
*** remote PostgreSQL server, so this might be a false positive

Solution : Upgrade to postgresql 7.3.4 or newer
Risk factor : High
CVE : CAN-2003-0901
BID : 8741
Other references : RHSA:RHSA-2003:313-01
Nessus ID : 11916
Vulnerability postgresql (5432/tcp)
The remote PostgreSQL server might be vulnerable to various flaws
which may allow an attacker who has the rights to query the remote
database to obtain a shell on this host.

*** Nessus was not able to remotely determine the version of the
*** remote PostgreSQL server, so this might be a false positive

Solution : Upgrade to postgresql 7.2.3 or newer
Risk factor : High
CVE : CAN-2002-1402, CAN-2002-1401, CAN-2002-1400, CAN-2002-1397, CAN-2002-1399
BID : 5497, 5527, 6610, 6611, 6612, 6613, 6614, 6615, 7075
Other references : RHSA:RHSA-2003:0010-10
Nessus ID : 11456
Informational postgresql (5432/tcp) A PostgreSQL server is running on this port
Nessus ID : 10330
Informational general/udp For your information, here is the traceroute to 192.168.1.12 :
192.168.1.3
192.168.1.12

Nessus ID : 10287
Informational domain (53/udp) The remote name server could be fingerprinted as being one of the following :
ISC BIND 9.2.1
ISC BIND 9.2.2

Nessus ID : 11951
Informational general/icmp Here is the route recorded between 192.168.1.3 and 192.168.1.12 :
192.168.1.12.
192.168.1.12.

Nessus ID : 12264

This file was generated by Nessus, the open-sourced security scanner.