[Wolves] nmap request

Ade binaryboy at blueyonder.co.uk
Fri Dec 26 22:19:44 GMT 2003


David Goodwin wrote:

>Can I ask nicely for it to be repeated please?
>
>>laptop:/home/dan# nmap -sU codepoets.co.uk
>
>My firewall should (from what I can understand from it) drop all incoming
>packets by default, apart from ssh, smtp and one or two others.... to me
>your scan doesn't indicate that.... hopefully it's fixed now....
>
>thanks,
>
>David.
>
Here you go

Scan Details
Hosts which were alive and responding during test    1
Number of security holes found                       0
Number of security warnings found                    2



Host List
Host(s)           Possible Issue
81.168.107.198    Security warning(s) found



Analysis of Host
Address of Host    Port/Service       Issue regarding Port
81.168.107.198     smtp (25/tcp)      Security notes found
81.168.107.198     http (80/tcp)      Security warning(s) found
81.168.107.198     domain (53/udp)    Security warning(s) found
81.168.107.198     general/udp        Security notes found



Security Issues and Fixes: 81.168.107.198
Type 	Port 	Issue and Fix
Informational 	smtp (25/tcp) 	An SMTP server is running on this port
Here is its banner :
220 codepoets.co.uk ESMTP Postfix
Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>
Informational 	smtp (25/tcp) 	Remote SMTP server banner :
220 codepoets.co.uk ESMTP Postfix



This is probably: Postfix
Nessus ID : 10263 <http://cgi.nessus.org/nessus_id.php3?id=10263>
Informational 	smtp (25/tcp) 	This server could be fingerprinted as being Postfix 2.0.3
Nessus ID : 11421 <http://cgi.nessus.org/nessus_id.php3?id=11421>
Warning 	http (80/tcp) 	
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users to give him their
credentials.

Solution: Disable these methods.


If you are using Apache, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603


See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593

Risk factor : Medium
Nessus ID : 11213 <http://cgi.nessus.org/nessus_id.php3?id=11213>
Informational 	http (80/tcp) 	A web server is running on this port
Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>
Informational 	http (80/tcp) 	The following directories were discovered:
/cgi-bin, /doc, /icons, /manual

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

Nessus ID : 11032 <http://cgi.nessus.org/nessus_id.php3?id=11032>
Informational 	http (80/tcp) 	The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/src/redirect.php (login_username [] secretkey [] js_autodetect_results 
[SMPREF_JS_OFF] just_logged_in [1] )

Nessus ID : 10662 <http://cgi.nessus.org/nessus_id.php3?id=10662>
Informational 	http (80/tcp) 	The remote web server type is :

Apache/2.0.48 (Unix) PHP/4.3.3 mod_jk/1.2.5


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107 <http://cgi.nessus.org/nessus_id.php3?id=10107>
Informational 	http (80/tcp) 	An information leak occurs on Apache based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home
directory and monitoring the response.


Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.

Or

2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1

Or

3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).

Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html


Risk factor : Low
CVE : CAN-2001-1013 <http://cgi.nessus.org/cve.php3?cve=CAN-2001-1013>
BID : 3335 <http://cgi.nessus.org/bid.php3?bid=3335>
Nessus ID : 10766 <http://cgi.nessus.org/nessus_id.php3?id=10766>
Informational 	http (80/tcp) 	This web server was fingerprinted as: Apache/2.0.4x PHP/4.3.x
which is not consistent with the displayed banner: Apache/2.0.48 (Unix) PHP/4.3.3 mod_jk/1.2.5
Nessus ID : 11919 <http://cgi.nessus.org/nessus_id.php3?id=11919>
Warning 	domain (53/udp) 	
The remote name server allows recursive queries to be performed
by the host running nessusd.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also : http://www.cert.org/advisories/CA-1997-22.html

Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor : Serious
CVE : CVE-1999-0024 <http://cgi.nessus.org/cve.php3?cve=CVE-1999-0024>
BID : 678 <http://cgi.nessus.org/bid.php3?bid=678>
Nessus ID : 10539 <http://cgi.nessus.org/nessus_id.php3?id=10539>
Informational 	domain (53/udp) 	
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002 <http://cgi.nessus.org/nessus_id.php3?id=11002>
Informational 	domain (53/udp) 	BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.

The BIND based NAMED servers (or DNS servers) allow remote users
to query for version and type information. The query of the CHAOS
TXT record 'version.bind', will typically prompt the server to send
the information back to the querying source.

The remote bind version is : 9.2.3

Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.

Nessus ID : 10028 <http://cgi.nessus.org/nessus_id.php3?id=10028>
Informational 	domain (53/udp) 	The remote name server could be fingerprinted as being : ISC BIND 9.2.3

Nessus ID : 11951 <http://cgi.nessus.org/nessus_id.php3?id=11951>
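A way to confirm that the TRACE/TRACK fix from the http (80/tcp) warning above actually took effect on your own server, as an added example that is neither part of this post nor Nessus code: it sends a TRACE carrying a marker header and treats a 200 reply that reflects that header as "still enabled". The two handler classes are constructed local stand-ins for the before/after server (the 403 mirrors the RewriteRule's [F]); nothing here is taken from the scanned host.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still answers TRACE by echoing the request."""
    def do_TRACE(self):
        body = self.requestline.encode() + b"\r\n" + str(self.headers).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the console quiet during checks
        pass

class NoTraceHandler(EchoTraceHandler):
    """Constructed stand-in for the hardened server: TRACE is refused with 403,
    which is what the RewriteRule ... [F] from the report produces."""
    def do_TRACE(self):
        self.send_error(403)

def serve(handler):
    """Start a throwaway local server on a free loopback port; returns (port, server)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv

def trace_enabled(host, port, marker="X-Xst-Probe"):
    """True if the server answers TRACE with 200 and reflects our request header,
    i.e. the XST condition the Nessus warning describes is still present."""
    conn = http.client.HTTPConnection(host, port, timeout=3)
    conn.request("TRACE", "/", headers={marker: "check"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status == 200 and marker.lower().encode() in body.lower()
```

Point trace_enabled at your own web server after adding the rewrite rules; a False result with a 403 is the expected outcome.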

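What "allows recursive queries" means on the wire, and how to verify a restricted allow-recursion after changing named.conf, as an added example that is not from this post or from Nessus: the code builds a query for a third-party name with the RD bit set and classifies the reply by the RA bit, RCODE and answer count. FLAGS_OPEN_RESOLVER, FLAGS_REFUSED and sample_response are constructed stand-ins; check_recursion is the only network path and is meant for your own nameserver.

```python
import socket
import struct

# Constructed header flag words (not captured from the host in the report):
FLAGS_OPEN_RESOLVER = 0x8180  # QR=1, RD=1, RA=1, RCODE=0: server recursed for us
FLAGS_REFUSED = 0x8105        # QR=1, RD=1, RA=0, RCODE=5: recursion refused (restricted)

def build_query(name, txid=0x1234):
    """Standard A/IN query with the Recursion Desired (RD) bit set, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD only
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data):
    """Decode the 12-byte DNS header into the fields that show whether the server recursed."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def classify(query, response):
    """'open' = recursion available and a third-party name was answered;
    'closed' = recursion not offered or query REFUSED; otherwise 'unknown'."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        return "unknown"  # not a reply to our query
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"
    if not h["ra"] or h["rcode"] == 5:
        return "closed"
    return "unknown"

def check_recursion(server, name="www.nessus.org", timeout=3.0):
    """Send the query to your own nameserver over UDP/53 and classify the reply
    (network path; the offline sample below does not use it)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return classify(q, data)

def sample_response(query, flags, ancount):
    """Constructed reply: the query's id and question section with the given flag word.
    Only the header is inspected, so no answer RRs are appended."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]
```

After restricting allow-recursion to your acl, a query from outside that acl should classify as "closed" (RA clear, typically REFUSED), while a query from inside it still classifies as "open".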
