<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
David Goodwin wrote:<br>
<blockquote type="cite"
 cite="mid32991.81.168.107.198.1072440076.squirrel@mail.codepoets.co.uk">
  <pre wrap="">Can someone please scan with nessus or nmap 81.168.107.198
(codepoets.co.uk) please?

Thanks
David

  </pre>
</blockquote>
Zero security holes, but a couple of warnings: 1 medium and 1 serious.<br>
<br>
Hope this helps<br>
<br>
Ade<br>
<br>
<table bgcolor="#a1a1a1" border="0" cellpadding="0" cellspacing="0"
 width="95%">
  <tbody>
    <tr>
      <td>
      <table border="0" cellpadding="2" cellspacing="1" width="100%">
        <tbody>
          <tr>
            <td class="title">Nessus Scan Report</td>
          </tr>
          <tr>
            <td class="content">This report gives details on hosts that
were tested and issues that were found. Please follow the recommended
steps and procedures to eradicate these threats.
            </td>
          </tr>
        </tbody>
      </table>
      </td>
    </tr>
  </tbody>
</table>
<br>
<table bgcolor="#a1a1a1" border="0" cellpadding="0" cellspacing="0"
 width="60%">
  <tbody>
    <tr>
      <td>
      <table border="0" cellpadding="2" cellspacing="1" width="100%">
        <tbody>
          <tr>
            <td class="title" colspan="2">Scan Details</td>
          </tr>
          <tr>
            <td class="default" width="60%">Hosts which were alive and
responding during test</td>
            <td class="default" width="30%">1</td>
          </tr>
          <tr>
            <td class="default" width="60%">Number of security holes
found</td>
            <td class="default" width="30%">0</td>
          </tr>
          <tr>
            <td class="default" width="60%">Number of security warnings
found</td>
            <td class="default" width="30%">2</td>
          </tr>
        </tbody>
      </table>
      </td>
    </tr>
  </tbody>
</table>
<br>
<br>
<a name="toc"></a>
<table bgcolor="#a1a1a1" border="0" cellpadding="0" cellspacing="0"
 width="60%">
  <tbody>
    <tr>
      <td>
      <table border="0" cellpadding="2" cellspacing="1" width="100%">
        <tbody>
          <tr>
            <td class="title" colspan="2">Host List</td>
          </tr>
          <tr>
            <td class="sub" width="60%">Host(s)</td>
            <td class="sub" width="40%">Possible Issue</td>
          </tr>
          <tr>
            <td class="default" width="60%"><a
 href="cid:part1.09020601.06090803@blueyonder.co.uk">81.168.107.198</a></td>
            <td class="default" width="40%">Security warning(s) found</td>
          </tr>
        </tbody>
      </table>
      </td>
    </tr>
  </tbody>
</table>
<a name="81_168_107_198"></a>
<a name="81_168_107_198_toc"></a>
<br>
<br>
<table bgcolor="#a1a1a1" border="0" cellpadding="0" cellspacing="0"
 width="60%">
  <tbody>
    <tr>
      <td>
      <table cellpadding="2" cellspacing="1" border="0" width="100%">
        <tbody>
          <tr>
            <td class="title" colspan="3">Analysis of Host</td>
          </tr>
          <tr>
            <td class="sub" width="20%">Address of Host</td>
            <td class="sub" width="30%">Port/Service</td>
            <td class="sub" width="30%">Issue regarding Port</td>
          </tr>
          <tr>
            <td class="default" width="20%">81.168.107.198</td>
            <td class="default" width="30%"><a
 href="cid:part3.01030709.08090909@blueyonder.co.uk">smtp (25/tcp)</a></td>
            <td class="default" width="30%">Security notes found</td>
          </tr>
          <tr>
            <td class="default" width="20%">81.168.107.198</td>
            <td class="default" width="30%"><a
 href="cid:part4.01080907.05030905@blueyonder.co.uk">http (80/tcp)</a></td>
            <td class="default" width="30%">Security warning(s) found</td>
          </tr>
          <tr>
            <td class="default" width="20%">81.168.107.198</td>
            <td class="default" width="30%"><a
 href="cid:part5.09080404.06030401@blueyonder.co.uk">imap (143/tcp)</a></td>
            <td class="default" width="30%">Security notes found</td>
          </tr>
          <tr>
            <td class="default" width="20%">81.168.107.198</td>
            <td class="default" width="30%"><a
 href="cid:part6.00020309.06070206@blueyonder.co.uk">domain (53/udp)</a></td>
            <td class="default" width="30%">Security warning(s) found</td>
          </tr>
          <tr>
            <td class="default" width="20%">81.168.107.198</td>
            <td class="default" width="30%"><a
 href="cid:part7.01090500.07070108@blueyonder.co.uk">general/udp</a></td>
            <td class="default" width="30%">Security notes found</td>
          </tr>
        </tbody>
      </table>
      </td>
    </tr>
  </tbody>
</table>
<br>
<br>
<table bgcolor="#a1a1a1" cellpadding="0" cellspacing="0" border="0"
 width="75%">
  <tbody>
    <tr>
      <td>
      <table cellpadding="2" cellspacing="1" border="0" width="100%">
        <tbody>
          <tr>
            <td class="title" colspan="3">Security Issues and Fixes:
81.168.107.198</td>
          </tr>
          <tr>
            <td class="sub" width="10%">Type</td>
            <td class="sub" width="10%">Port</td>
            <td class="sub" width="80%">Issue and Fix</td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_25_tcp"></a>smtp (25/tcp)</td>
            <td class="default" width="80%">An SMTP server is running
on this port<br>
Here is its banner : <br>
220 codepoets.co.uk ESMTP Postfix
            <br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10330">10330</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_25_tcp"></a>smtp (25/tcp)</td>
            <td class="default" width="80%">Remote SMTP server banner :<br>
220 codepoets.co.uk ESMTP Postfix
            <br>
            <br>
This is probably: Postfix<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10263">10263</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_25_tcp"></a>smtp (25/tcp)</td>
            <td class="default" width="80%">This server could be
fingerprinted as being Postfix 2.0.3<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=11421">11421</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Warning</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_80_tcp"></a>http (80/tcp)</td>
            <td class="default" width="80%"><br>
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK<br>
are HTTP methods which are used to debug web server connections. <br>
            <br>
It has been shown that servers supporting this method are subject<br>
to cross-site-scripting attacks, dubbed XST for<br>
"Cross-Site-Tracing", when used in conjunction with<br>
various weaknesses in browsers.<br>
            <br>
An attacker may use this flaw to trick your<br>
legitimate web users to give him their <br>
credentials.<br>
            <br>
Solution: Disable these methods.<br>
            <br>
            <br>
If you are using Apache, add the following lines for each virtual<br>
host in your configuration file :<br>
            <br>
RewriteEngine on<br>
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)<br>
RewriteRule .* - [F]<br>
            <br>
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE<br>
requests or to permit only the methods needed to meet site requirements<br>
and policy.<br>
            <br>
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the<br>
following to the default object section in obj.conf:<br>
&lt;Client method="TRACE"&gt;<br>
AuthTrans fn="set-variable"<br>
remove-headers="transfer-encoding"<br>
set-headers="content-length: -1"<br>
error="501"<br>
&lt;/Client&gt;<br>
            <br>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile<br>
the NSAPI plugin located at:<br>
            <a
 href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603">http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603</a><br>
            <br>
            <br>
See <a
 href="http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf">http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf</a><br>
            <a
 href="http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html">http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html</a><br>
            <a
 href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603">http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603</a><br>
            <a href="http://www.kb.cert.org/vuls/id/867593">http://www.kb.cert.org/vuls/id/867593</a><br>
            <br>
Risk factor : Medium<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=11213">11213</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_80_tcp"></a>http (80/tcp)</td>
            <td class="default" width="80%">A web server is running on
this port<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10330">10330</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_80_tcp"></a>http (80/tcp)</td>
            <td class="default" width="80%">The following directories
were discovered:<br>
/cgi-bin, /doc, /icons, /manual<br>
            <br>
While this is not, in and of itself, a bug, you should manually inspect<br>
these directories to ensure that they are in compliance with company<br>
security standards<br>
            <br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=11032">11032</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_80_tcp"></a>http (80/tcp)</td>
            <td class="default" width="80%">The following CGI have been
discovered :<br>
            <br>
Syntax : cginame (arguments [default value])<br>
            <br>
/src/redirect.php (login_username [] secretkey [] js_autodetect_results
[SMPREF_JS_OFF] just_logged_in [1] )<br>
            <br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10662">10662</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_80_tcp"></a>http (80/tcp)</td>
            <td class="default" width="80%">The remote web server type
is :<br>
            <br>
Apache/2.0.48 (Unix) PHP/4.3.3 mod_jk/1.2.5
            <br>
            <br>
Solution : You can set the directive 'ServerTokens Prod' to limit<br>
the information emanating from the server in its response headers.<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10107">10107</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_80_tcp"></a>http (80/tcp)</td>
            <td class="default" width="80%">An information leak occurs
on Apache based web servers whenever the UserDir module is enabled.<br>
The vulnerability allows an external attacker to enumerate existing<br>
accounts by requesting access to their home directory and monitoring<br>
the response.<br>
            <br>
            <br>
Solution: <br>
1) Disable this feature by changing 'UserDir public_html' (or whatever)
to 'UserDir disabled'.<br>
            <br>
Or<br>
            <br>
2) Use a RedirectMatch rewrite rule under Apache -- this works even if
there is no such entry in the password file, e.g.:<br>
RedirectMatch ^/~(.*)$ <a
 href="http://my-target-webserver.somewhere.org/$1">http://my-target-webserver.somewhere.org/$1</a><br>
            <br>
Or<br>
            <br>
3) Add into httpd.conf:<br>
ErrorDocument 404 <a href="http://localhost/sample.html">http://localhost/sample.html</a><br>
ErrorDocument 403 <a href="http://localhost/sample.html">http://localhost/sample.html</a><br>
(NOTE: You need to use a FQDN inside the URL for it to work properly).<br>
            <br>
Additional Information:<br>
            <a
 href="http://www.securiteam.com/unixfocus/5WP0C1F5FI.html">http://www.securiteam.com/unixfocus/5WP0C1F5FI.html</a><br>
            <br>
            <br>
Risk factor : Low<br>
CVE : <a href="http://cgi.nessus.org/cve.php3?cve=CAN-2001-1013">CAN-2001-1013</a><br>
BID : <a href="http://cgi.nessus.org/bid.php3?bid=3335">3335</a><br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10766">10766</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_80_tcp"></a>http (80/tcp)</td>
            <td class="default" width="80%">This web server was
fingerprinted as: Apache/2.0.4x PHP/4.3.x<br>
which is not consistent with the displayed banner: Apache/2.0.48 (Unix)
PHP/4.3.3 mod_jk/1.2.5<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=11919">11919</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_143_tcp"></a>imap (143/tcp)</td>
            <td class="default" width="80%">An IMAP server is running
on this port<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10330">10330</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_143_tcp"></a>imap (143/tcp)</td>
            <td class="default" width="80%">The remote imap server
banner is :<br>
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE STARTTLS]
Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See
COPYING for distribution information.
            <br>
Versions and types should be omitted where possible.<br>
Change the imap banner to something generic.<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=11414">11414</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Warning</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_53_udp"></a>domain (53/udp)</td>
            <td class="default" width="80%"><br>
The remote name server allows recursive queries to be performed<br>
by the host running nessusd.<br>
            <br>
If this is your internal nameserver, then forget this warning.<br>
            <br>
If you are probing a remote nameserver, then it allows anyone<br>
to use it to resolve third parties names (such as <a class="moz-txt-link-abbreviated" href="http://www.nessus.org">www.nessus.org</a>).<br>
This allows hackers to do cache poisoning attacks against this<br>
nameserver.<br>
            <br>
If the host allows these recursive queries via UDP,<br>
then the host can be used to 'bounce' Denial of Service attacks<br>
against another network or system.<br>
            <br>
See also : <a href="http://www.cert.org/advisories/CA-1997-22.html">http://www.cert.org/advisories/CA-1997-22.html</a><br>
            <br>
Solution : Restrict recursive queries to the hosts that should<br>
use this nameserver (such as those of the LAN connected to it).<br>
            <br>
If you are using bind 8, you can do this by using the instruction<br>
'allow-recursion' in the 'options' section of your named.conf<br>
            <br>
If you are using bind 9, you can define a grouping of internal addresses<br>
using the 'acl' command<br>
            <br>
Then, within the options block, you can explicitly state:<br>
'allow-recursion { hosts_defined_in_acl }'<br>
            <br>
For more info on Bind 9 administration (to include recursion), see: <br>
            <a
 href="http://www.nominum.com/content/documents/bind9arm.pdf">http://www.nominum.com/content/documents/bind9arm.pdf</a><br>
            <br>
If you are using another name server, consult its documentation.<br>
            <br>
Risk factor : Serious<br>
CVE : <a href="http://cgi.nessus.org/cve.php3?cve=CVE-1999-0024">CVE-1999-0024</a><br>
BID : <a href="http://cgi.nessus.org/bid.php3?bid=678">678</a><br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10539">10539</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_53_udp"></a>domain (53/udp)</td>
            <td class="default" width="80%"><br>
A DNS server is running on this port. If you do not use it, disable it.<br>
            <br>
Risk factor : Low<br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=11002">11002</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_53_udp"></a>domain (53/udp)</td>
            <td class="default" width="80%">BIND 'NAMED' is an
open-source DNS server from ISC.org.<br>
Many proprietary DNS servers are based on BIND source code.<br>
            <br>
The BIND based NAMED servers (or DNS servers) allow remote users<br>
to query for version and type information. The query of the CHAOS<br>
TXT record 'version.bind', will typically prompt the server to send<br>
the information back to the querying source.<br>
            <br>
The remote bind version is : 9.2.3<br>
            <br>
Solution :<br>
Using the 'version' directive in the 'options' section will block<br>
the 'version.bind' query, but it will not log such attempts.<br>
            <br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=10028">10028</a></td>
          </tr>
          <tr>
            <td valign="top" class="default" width="10%">Informational</td>
            <td valign="top" class="default" width="10%"><a
 name="81_168_107_198_53_udp"></a>domain (53/udp)</td>
            <td class="default" width="80%">The remote name server
could be fingerprinted as being : ISC BIND 9.2.3<br>
            <br>
Nessus ID : <a href="http://cgi.nessus.org/nessus_id.php3?id=11951">11951</a></td>
          </tr>
        </tbody>
      </table>
      </td>
    </tr>
  </tbody>
</table>
</body>
</html>