
Information found on port sunrpc (111/tcp)
The RPC portmapper is running on this port.
An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.
Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
Information found on port sunrpc (111/tcp)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Vulnerability found on port domain (53/tcp)
Warning found on port domain (53/tcp)
The remote name server allows recursive queries to be performed
by the host running nessusd.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.
If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.
See also : http://www.cert.org/advisories/CA-1997-22.html
Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf
If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command
Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'
For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
Risk factor : Serious
CVE : CVE-1999-0024
BID : 678
Nessus ID : 10539
Information found on port domain (53/tcp)
BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.
The BIND based NAMED servers (or DNS servers) allow remote users
to query for version and type information. The query of the CHAOS
TXT record 'version.bind', will typically prompt the server to send
the information back to the querying source.
The remote bind version is : 8.2.7-REL
Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.
Nessus ID : 10028
Information found on port domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002
Information found on port sunrpc (111/udp)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Vulnerability found on port smtp (25/tcp)
Warning found on port smtp (25/tcp)
The remote sendmail server, according to its version number,
might be vulnerable to a queue destruction when a local user
runs
sendmail -q -h1000
If your system does not allow users to process the queue (which
is the default), you are not vulnerable.
Solution : upgrade to the latest version of Sendmail or
do not allow users to process the queue (RestrictQRun option)
Risk factor : Low
Note : This vulnerability is _local_ only
CVE : CAN-2001-0714
BID : 3378
Nessus ID : 11087
Warning found on port smtp (25/tcp)
According to the version number of the remote mail server,
a local user may be able to obtain the complete mail configuration
and other interesting information about the mail queue even if
he is not allowed to access that information directly, by running
sendmail -q -d0-nnnn.xxx
where nnnn & xxx are debugging levels.
If users are not allowed to process the queue (which is the default)
then you are not vulnerable.
Solution : upgrade to the latest version of Sendmail or
do not allow users to process the queue (RestrictQRun option)
Risk factor : Very low / none
Note : This vulnerability is _local_ only
CVE : CAN-2001-0715
BID : 3898
Nessus ID : 11088
Information found on port smtp (25/tcp)
Remote SMTP server banner :
220 cobalt.ics-net.ch ESMTP Sendmail 8.10.2/8.10.2; Wed, 17 Mar 2004 20:30:27 +0100
This is probably: Sendmail version 8.10.2
Nessus ID : 10263
Information found on port smtp (25/tcp)
This server could be fingerprinted as being Sendmail 8.10.2/8.10.2/SuSE Linux 8.10.0-0.3
Nessus ID : 11421
Information found on port smtp (25/tcp)
Some antivirus scanners die when they process an email containing a
very long string without line breaks.
Such a message was sent. If there is an antivirus on your MTA,
it might have crashed. Please check its status right now, as
it is not possible to do so remotely.
Nessus ID : 11270
Vulnerability found on port ftp (21/tcp)
Information found on port ftp (21/tcp)
Remote FTP server banner :
220 ProFTPD 1.2.8 Server (ProFTPD) [212.98.56.2]
Nessus ID : 10092
Warning found on port telnet (23/tcp)
The Telnet service is running.
This service is dangerous in the sense that it is not encrypted - that is,
anyone on the path can sniff the data that passes between the telnet client
and the telnet server. This includes logins and passwords.
Solution:
If you are running a Unix-type system, OpenSSH can be used instead of telnet.
For Unix systems, you can comment out the 'telnet' line in /etc/inetd.conf.
For Unix systems which use xinetd, you will need to modify the telnet services
file in the /etc/xinetd.d folder. After making any changes to xinetd or
inetd configuration files, you must restart the service in order for the
changes to take effect.
In addition, many different router and switch manufacturers support SSH as a
telnet replacement. You should contact your vendor for a solution which uses
an encrypted session.
Risk factor : Low
CVE : CAN-1999-0619
Nessus ID : 10280
Information found on port telnet (23/tcp)
Remote telnet banner :
Cobalt Linux release 6.5.1 (Monterey)
Kernel 2.2.16C37_V on an i686
login:
Nessus ID : 10281
Information found on port domain (53/udp)
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002
Information found on port domain (53/udp)
The remote name server could be fingerprinted as being one of the following :
ISC BIND 8.3
ISC BIND 8.4
Nessus ID : 11951
Vulnerability found on port http (80/tcp)
Warning found on port http (80/tcp)
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.
An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
Nessus ID : 11213
Warning found on port http (80/tcp)
The remote host is using a version of mod_ssl which is
older than 2.8.10.
This version is vulnerable to a flaw which may allow an
attacker to successfully perform a cross site scripting attack
under some circumstances.
*** Note that several Linux distributions (such as RedHat)
*** patched the old version of this module. Therefore, this
*** might be a false positive. Please check with your vendor
*** to determine if you really are vulnerable to this flaw
Solution : Upgrade to version 2.8.10 or newer
Risk factor : Low
CVE : CAN-2002-1157
BID : 6029
Nessus ID : 11622
Warning found on port http (80/tcp)
The remote host appears to be running a version of
Apache which is older than 1.3.27
There are several flaws in this version; you should
upgrade to 1.3.27 or newer.
*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive
Solution : Upgrade to version 1.3.27
See also : http://www.apache.org/dist/httpd/Announcement.html
Risk factor : Medium
CVE : CAN-2002-0839, CAN-2002-0840, CAN-2002-0843
BID : 5847, 5884, 5995, 5996
Nessus ID : 11137
Information found on port http (80/tcp)
The remote web server type is :
Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.3.4 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
Information found on port http (80/tcp)
This web server was fingerprinted as Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4
This seems to be consistent with the displayed banner: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.3.4 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25
Nessus ID : 11919