
Thread: Now I'm curious.... And I need your help....

  1. #11
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    Just a question, but what do you guys think about the www.norton.com online vulnerability scan? I used it and it worked alright for me.
    I am the uber duck!!1
    Proxy Tools

  2. #12
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    You mean SecurityCheck? Pretty sucky since I got this error:

    Error 001

    Security Scan and Virus Detection do not work with your operating system. To run Security Scan and Virus Detection, you must be using Windows 98/ME, NT 4.0 Workstation/2000 Pro/XP, or Mac OS 8.1 or higher.
    That's an interesting statement IMHO, and it seems to limit the scans to whatever is achieved through the browser, specifically browsers that support ActiveX.

    Our web site consists of two methods that identify security risks on your computer.

    The first method is to scan your computer from our server. This is called a server-side scan. It does not require running any software on your system, everything is happening from an external perspective.

    The following scans are server-side scans:

    * Hacker Exposure Check
    * Windows Vulnerability Check
    * Trojan Horse Check

    ActiveX support is not required to run the server-side scans.

    The second method is to download and run software directly on your computer to determine security aspects that would be impossible to detect from a server-side only scan. This type of scan is called a client-side scan. For example, it would not be possible to detect whether your computer has antivirus software installed from a server-side scan, whereas a client-side scan can detect this.

    The following scans are client-side scans:

    * Antivirus Product Check
    * Virus Protection Update Check
    * Virus Detection

    ActiveX support is required to run the client-side scans.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #13
    Member
    Join Date
    Apr 2003
    Posts
    95
    The following scans are client-side scans:

    * Antivirus Product Check
    * Virus Protection Update Check
    * Virus Detection

    What's the betting Norton antivirus comes out at the top?

  4. #14
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I got my results back.... I had 1 high, 1 medium, 6 low and 6 other.


    4. Vulnerability Title Summary
    Low Risk Vulnerabilities
    11935 General : IPSEC IKE detection
    11919 General : HMAP
    11919 General : HMAP
    11765 Windows : scan for UPNP/Tcp hosts
    10287 Misc. : Traceroute
    10267 General : SSH Server type and version

    Other Items to be Considered

    12053 General : Host FQDN
    11268 General : OS fingerprint
    10881 General : SSH protocol versions supported
    10330 Misc. : Services
    10330 Misc. : Services
    10330 Misc. : Services


    5. Vulnerability Details

    11935 General: IPSEC IKE detection
    Description
    isakmp (500/udp)
    The remote host seems to be enabled to do Internet Key
    Exchange. This is typically indicative of a VPN server.
    VPN servers are used to connect remote hosts into internal
    resources. In addition, The remote host seems to be configured
    to force all communications across port 500 for both the source and
    destination port. That is, we sent the machine a packet from a random
    port greater than 1024. The machine sent the reply back to port 500.

    NOTE: This sort of behavior has been observed on Microsoft machines.

    Solution: You should ensure that:
    1) The VPN is authorized for your company's computing environment
    2) The VPN utilizes strong encryption
    3) The VPN utilizes strong authentication

    Risk factor : Low

    11919 General: HMAP

    Description
    http (80/tcp)
    Nessus was not able to reliably identify this server. It might be:
    Kazaa servent (not a real web server)
    The fingerprint differs from these known signatures on 7 point(s)



    This script tries to identify the HTTP Server type and version by
    sending more or less incorrect requests.

    An attacker may use this to identify the kind of the remote web server
    and gain further knowledge about this host.

    Suggestions for defense against fingerprinting are presented in
    http://acsac.org/2002/abstracts/96.html

    See also : http://ujeni.murkyroc.com/hmap/
    http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf

    Risk factor : Low


    11919 General: HMAP

    Description
    unknown (5000/tcp)
    Nessus was not able to reliably identify this server. It might be:
    webfs/1.20
    The fingerprint differs from these known signatures on 5 point(s)



    This script tries to identify the HTTP Server type and version by
    sending more or less incorrect requests.

    An attacker may use this to identify the kind of the remote web server
    and gain further knowledge about this host.

    Suggestions for defense against fingerprinting are presented in
    http://acsac.org/2002/abstracts/96.html

    See also : http://ujeni.murkyroc.com/hmap/
    http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf

    Risk factor : Low



    11765 Windows: scan for UPNP/Tcp hosts

    Description
    unknown (5000/tcp)

    The remote host is running Microsoft UPnP TCP helper.

    If the tested network is not a home network, you should disable
    this service.

    Solution : Set the following registry key :
    Location : HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
    Key : Start
    Value : 0x04


    Risk Factor : Low
    CVE : CVE-2001-0876
    BID : 3723

    CVE Description
    Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.

    Related Security Advisory Cross Reference(s)
    BugTraq ID: 3723
    Common Vulnerability Exposure (CVE) ID: CVE-2001-0876
    Bugtraq: 20011220 Multiple Remote Windows XP/ME/98 Vulnerabilities (Google Search)
    Microsoft Security Bulletin: MS01-059
    Cert/CC Advisory: CA-2001-37
    CERT/CC vulnerability note: VU#951555
    XForce ISS Database: win-upnp-notify-bo(7721)


    10287 Misc.: Traceroute

    Description
    general/udp
    For your information, here is the traceroute to 6x.95.x.x :


    Makes a traceroute to the remote host.

    Risk factor : Low

    Additional Information:
    Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.

    This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.


    10267 General: SSH Server type and version

    Description
    unknown (12345/tcp)
    Remote SSH version : SSH-2.0-OpenSSH_3.8p1

    This detects the SSH Server's type and version by connecting to the server
    and processing the buffer received.
    This information gives potential attackers additional information about the
    system they are attacking. Versions and Types should be omitted
    where possible.

    Solution: Apply filtering to disallow access to this port from untrusted hosts

    Risk factor : Low

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.


    12053 General: Host FQDN

    Description
    general/tcp
    6x.95.x.x resolves as Toronto-HSE-pppXXXXXXXX.sympatico.ca.


    This plugin writes the host FQDN as it could be resolved in the report.
    There is no security issue associated to it.

    Risk factor : None


    11268 General: OS fingerprint

    Description
    general/tcp
    Remote OS guess : Windows XP Professional RC1+ through final release

    CVE : CAN-1999-0454

    This plugin determines which operating system
    the remote host is running.

    Guessing the remote operating system allows
    an attacker to make more focused attacks and
    to achieve his goal more quickly.
    This plugin uses the code from Nmap - see www.nmap.org
    Risk factor : None

    CVE Description
    A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

    Related Security Advisory Cross Reference(s)
    Common Vulnerability Exposure (CVE) ID: CAN-1999-0454

    10881 General: SSH protocol versions supported

    Description
    unknown (12345/tcp)
    The remote SSH daemon supports the following versions of the
    SSH protocol :

    . 1.99
    . 2.0


    This plugin determines which versions of the SSH protocol
    the remote SSH daemon supports

    Risk factor : None

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    10330 Misc.: Services

    Description
    http (80/tcp)
    A web server is running on this port



    10330 Misc.: Services

    Description
    unknown (12345/tcp)
    An ssh server is running on this port




    10330 Misc.: Services

    Description
    unknown (5000/tcp)
    A web server is running on this port


    6. Open Ports on 6X.95.X.X

    Port Protocol Probable Service

    80 TCP http


    It appears that you are running a web server. If you have not done so, we recommend that you run the latest version of a popular web server. Many "fringe market" web servers have known bugs that are slow to be fixed because few people care about the problems. These problems can often leave you open to someone accessing/modifying files on your system that they shouldn't. By running a popular web server, you lower the risk of this type of problem, and when problems are found, it is likely that a patch will be made available rapidly to fix the problem. Check our survey to see what the most popular web servers are.

    5000 TCP fics

    No description available for this port at this time.

    12345 TCP NetBus

    It appears that you may have NetBus installed on your system. NetBus is a popular trojan that allows for remote administration of your system. Although it may be used legitimately in some instances, if you didn't a) install it; or b) install something that simulates NetBus, we strongly recommend you remove it.

    To remove it, run the NetBus client (NetBus.exe) yourself, connect to localhost, choose "Server admin" and click on the "Remove server" button. Alternatively, go out and buy some good virus removal software (such as Norton's AntiVirus) and have it remove it for you.

    Number of open ports found by port scan:3
    I find it quite humorous because they stated earlier that port 12345 was ssh and now in my port scan results they are saying that port 12345 is NetBus. I also find it odd that they never found port 31337, which is TCP and is open running an Apache web server. I'm trying to think right now if my XP box is in a DMZ and that's why it found it as the OS, but last time I checked I didn't have anything in the DMZ. Also it found SSH (and should have found Apache) both running on Trustix; that should at least make it slightly more interesting. If I hear any more from them when they do the high level security risks I'll let y'all know..

    Peace,
    HT
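    HT's point about port 12345 (ssh according to the Services plugin, NetBus according to the port scan) is the kind of inconsistency that is easy to miss in a long report. The Python below is an added example, not code from the thread or from Norton/Nessus: it parses a constructed report laid out like the one quoted above, tallies findings by risk factor, and flags ports where the Services plugin's banner-based label disagrees with the port scan's "probable service" guess.

```python
import re
from collections import Counter

# Constructed sample in the layout of the report quoted above (same plugin IDs); not a real scan.
SAMPLE_REPORT = """\
11935 General: IPSEC IKE detection
Description
isakmp (500/udp)
The remote host seems to be enabled to do Internet Key Exchange.
Risk factor : Low
12053 General: Host FQDN
Description
general/tcp
This plugin writes the host FQDN as it could be resolved in the report.
Risk factor : None
10330 Misc.: Services
Description
http (80/tcp)
A web server is running on this port
10330 Misc.: Services
Description
unknown (5000/tcp)
A web server is running on this port
10330 Misc.: Services
Description
unknown (12345/tcp)
An ssh server is running on this port
6. Open Ports on 6X.95.X.X
Port Protocol Probable Service
80 TCP http
5000 TCP fics
12345 TCP NetBus
"""

FINDING_RE = re.compile(r"^(\d{5})\s+([A-Za-z.]+)\s*:\s*(.+)$")        # '11935 General: IPSEC IKE detection'
PORT_RE = re.compile(r"^(?:(?P<svc>\S+)\s+\((?P<port>\d+)/(?P<p1>tcp|udp|icmp)\)|general/(?P<p2>tcp|udp|icmp))$")
RISK_RE = re.compile(r"^Risk factor\s*:\s*(\w+)", re.IGNORECASE)
OPEN_PORTS_HDR_RE = re.compile(r"^\d+\.\s+Open Ports")
OPEN_PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(\S+)$")                 # '12345 TCP NetBus'
SERVICE_RE = re.compile(r"An?\s+(\w+) server is running on this port", re.IGNORECASE)
SERVICE_ALIASES = {"web": "http"}   # the Services plugin says 'web server', the port scan says 'http'


def parse_findings(text):
    """Split the 'Vulnerability Details' section into one record per plugin hit."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Description":
            continue
        if OPEN_PORTS_HDR_RE.match(line):
            break                                   # the port-scan table is parsed separately
        if m := FINDING_RE.match(line):
            current = {"id": m.group(1), "category": m.group(2), "title": m.group(3),
                       "service": None, "port": None, "proto": None, "risk": "Other", "text": []}
            findings.append(current)
        elif current is None:
            continue                                # preamble before the first plugin record
        elif (m := PORT_RE.match(line)) and current["proto"] is None:
            # 'isakmp (500/udp)' names a port; 'general/tcp' is a host-wide finding with none
            current.update(service=m["svc"] or "general",
                           port=int(m["port"]) if m["port"] else None, proto=m["p1"] or m["p2"])
        elif m := RISK_RE.match(line):
            current["risk"] = m.group(1).capitalize()
        else:
            current["text"].append(line)
    return findings


def parse_open_ports(text):
    """Read the 'Open Ports on ...' table into {port: (proto, probable_service)}."""
    ports, in_table = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if OPEN_PORTS_HDR_RE.match(line):
            in_table = True
        elif in_table and (m := OPEN_PORT_RE.match(line)):
            ports[int(m.group(1))] = (m.group(2).lower(), m.group(3))
    return ports


def risk_summary(findings):
    """Count findings per risk factor; plugins with no 'Risk factor' line count as 'Other'."""
    return Counter(f["risk"] for f in findings)


def cross_check(findings, open_ports):
    """Compare the Services plugin's banner-based label for each port with the port scan's
    'probable service' guess; returns (port, plugin_says, portscan_says) for disagreements."""
    mismatches = []
    for f in findings:
        if f["title"] != "Services" or f["port"] is None:
            continue
        if not (m := SERVICE_RE.search(" ".join(f["text"]))):
            continue
        seen = SERVICE_ALIASES.get(m.group(1).lower(), m.group(1).lower())
        scan_says = open_ports.get(f["port"], ("?", "not in port scan"))[1]
        if scan_says.lower() != seen:
            mismatches.append((f["port"], seen, scan_says))
    return mismatches
```

    On the constructed sample this reports port 5000 (web server per banner, "fics" per port scan) and port 12345 (ssh per banner, NetBus per port scan), which is exactly the disagreement HT noticed.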

  5. #15
    Member
    Join Date
    Apr 2003
    Posts
    95
    Ok first off it took 2 hours and 5 mins to complete.

    This is a home use family computer running Win2k Pro with Zone Alarm firewall (up to date) and AVG antivirus (Up to date 4 days ago)

    First off, we have 1 low risk and 1 other; the low was in the misc. category and the other was in the general category.

    Low Risk vuln:
    10287 Misc.: Traceroute
    Description
    general/udp
    For your information, here is the traceroute to **.***.***.*** :


    Makes a traceroute to the remote host.

    Risk factor : Low

    Additional Information:
    Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.

    This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.


    *my ip does NOT appear in this list anywhere*

    Next the "other" security risk:

    12053 General: Host FQDN
    Description
    general/tcp
    **.***.***.*** resolves as host**-***-***-***.range**-***.btcentralplus.com.

    ^Above line edited however it was my address that appeared^

    This plugin writes the host FQDN as it could be resolved in the report.
    There is no security issue associated to it.

    Risk factor : None <-- So I'm running free then?

    Number of open ports found by port scan:0

    While having 0 ports open is very good, you should be aware that this does not guarantee you are secure. You need to consider the following items:

    * The port scan did not include UDP ports
    * Vulnerabilities such as trojans that "phone home" cannot be detected by a port scan
    * You may not be protected from email viruses

    Unfortunately, this only being a home computer, there are not many ports open (however, there were some less common ports open when this scan was done), so it is not much of a test, but it still failed to pick up on several security risks that I am already aware of. After reading this thread I have no confidence in the reliability of this scan.

  6. #16
    Dead Man Walking
    Join Date
    Jan 2003
    Posts
    810
    I got the traceroute vulnerability and the FQDN. I have a Siemens SpeedStream router. It was a Windows XP box with all the recent updates. It's kinda surprising really, seeing as how port 80 is open and I have an Apache web server running w/ permissions to be accessed from the outside at the router. I figured that would have turned up at least something related. I haven't patched the server since install, so there has to be a vuln for it.

  7. #17
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    They have "private" and "reserved" confused. IIRC the 8x.x.x.x addresses were reserved until fairly recently (I've seen a lot of South American addresses in the 8x range). Until recently though, they were considered reserved and kept from active assignment.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #18
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok, sorry for the delay..... Long day rescuing a homing pigeon with a damaged wing, trying to locate its owner, failing, taking it to the vet, buying a new grill, assembling it..... correctly too!!! Well, it didn't explode yet....

    The first test was run against this machine, WinXP SP1, missing the most recent patches, (Apr 2004), but "protected" by a Linksys router with a WAP.... (and a couple of pints of beer... ). They report zero ports open but claim that there is a "low" and a point of note. The low is that they can tracert the machine to a point short of the IP address itself.... The point of note is that they can determine the FQDN.

    I'm not going to comment yet on the "vulnerabilities".

    Right now the scan against this machine in the DMZ of the router is taking place. Technically I'm unprotected....

    Out of curiosity I will leave the machine in the DMZ and install the FTP server I have on the work machine and see what it says..... Then I'll put the Linksys back in the way and open a single port to the FTP server and see what happens. It'll probably take another day or two to complete otherwise I will have to sit here in the pub for several hours and there will be a really pissy lady waiting for me at home if I try it all today.....

    The "wide open" scan is nearly finished.... I'll report that next.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #19
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Here's the report for a machine I have done nothing to secure that I placed "out there", (same box as above)

    11935 General: IPSEC IKE detection
    Description
    isakmp (500/udp)
    The remote host seems to be enabled to do Internet Key
    Exchange. This is typically indicative of a VPN server.
    VPN servers are used to connect remote hosts into internal
    resources. In addition, The remote host seems to be configured
    to force all communications across port 500 for both the source and
    destination port. That is, we sent the machine a packet from a random
    port greater than 1024. The machine sent the reply back to port 500.

    NOTE: This sort of behavior has been observed on Microsoft machines.

    Solution: You should ensure that:
    1) The VPN is authorized for your company's computing environment
    2) The VPN utilizes strong encryption
    3) The VPN utilizes strong authentication

    Risk factor : Low


    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    11919 General: HMAP
    Description
    unknown (5000/tcp)
    Nessus was not able to reliably identify this server. It might be:
    webfs/1.20
    The fingerprint differs from these known signatures on 5 point(s)



    This script tries to identify the HTTP Server type and version by
    sending more or less incorrect requests.

    An attacker may use this to identify the kind of the remote web server
    and gain further knowledge about this host.

    Suggestions for defense against fingerprinting are presented in
    http://acsac.org/2002/abstracts/96.html

    See also : http://ujeni.murkyroc.com/hmap/
    http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf

    Risk factor : Low

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    11765 Windows: scan for UPNP/Tcp hosts
    Description
    unknown (5000/tcp)

    The remote host is running Microsoft UPnP TCP helper.

    If the tested network is not a home network, you should disable
    this service.

    Solution : Set the following registry key :
    Location : HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
    Key : Start
    Value : 0x04


    Risk Factor : Low
    CVE : CVE-2001-0876
    BID : 3723


    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    CVE Description
    Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.

    Related Security Advisory Cross Reference(s)
    BugTraq ID: 3723
    Common Vulnerability Exposure (CVE) ID: CVE-2001-0876
    Bugtraq: 20011220 Multiple Remote Windows XP/ME/98 Vulnerabilities (Google Search)
    Microsoft Security Bulletin: MS01-059
    Cert/CC Advisory: CA-2001-37
    CERT/CC vulnerability note: VU#951555
    XForce ISS Database: win-upnp-notify-bo(7721)


    11157 Backdoors: Trojan horses
    Description
    unknown (1025/tcp)
    An unknown service runs on this port.
    It is sometimes opened by this/these Trojan horse(s):
    Fraggle Rock
    md5 Backdoor
    NetSpy
    Remote Storm

    Unless you know for sure what is behind it, you'd better
    check your system

    *** Anyway, don't panic, Nessus only found an open port. It may
    *** have been dynamically allocated to some service (RPC...)

    Solution: if a trojan horse is running, run a good antivirus scanner
    Risk factor : Low


    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    10884 General: NTP read variables
    Description
    ntp (123/udp)

    A NTP (Network Time Protocol) server is listening on this port.

    Risk factor : Low


    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    10859 Windows: SMB get host SID
    Description
    microsoft-ds (445/tcp)
    The host Security Identifier (SID) can be obtained remotely. Its value is :

    XXXXXLAPTOP : 5-21--1250595799--151089796-444131745

    An attacker can use it to obtain the list of the local users of this host
    Solution : filter the ports 137-139 and 445
    Risk factor : Low

    CVE : CVE-2000-1200
    BID : 959


    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2002, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2001, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    CVE Description
    Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.

    Related Security Advisory Cross Reference(s)
    BugTraq ID: 959
    Common Vulnerability Exposure (CVE) ID: CVE-2000-1200
    Bugtraq: 20000201 Windows NT and account list leak ! A new SID usage (Google Search)
    XForce ISS Database: nt-lsa-domain-sid(4015)


    10785 Windows: SMB NativeLanMan
    Description
    microsoft-ds (445/tcp)
    The remote native lan manager is : Windows 2000 LAN Manager
    The remote Operating System is : Windows 5.1
    The remote SMB Domain Name is : XXXXXX



    This plugin attempts to determine what is the
    remote native lan manager name (Samba, Windows...).

    Risk factor : Low

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    10398 Windows: SMB get domain SID
    Description
    microsoft-ds (445/tcp)
    The domain SID can be obtained remotely. Its value is :

    XXXXXX : 5-21-1659004503-1957994488-1060284298

    An attacker can use it to obtain the list of the local users of this host
    Solution : filter the ports 137 to 139 and 445
    Risk factor : Low

    CVE : CVE-2000-1200
    BID : 959


    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2002, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2001, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    CVE Description
    Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.

    Related Security Advisory Cross Reference(s)
    BugTraq ID: 959
    Common Vulnerability Exposure (CVE) ID: CVE-2000-1200
    Bugtraq: 20000201 Windows NT and account list leak ! A new SID usage (Google Search)
    XForce ISS Database: nt-lsa-domain-sid(4015)


    10397 Windows: SMB LanMan Pipe Server browse listing
    Description
    microsoft-ds (445/tcp)
    Here is the browse list of the remote host :

    XXXXXLAPTOP -


    This is potentially dangerous as this may help the attack
    of a potential hacker by giving him extra targets to check for

    Solution : filter incoming traffic to this port
    Risk factor : Low



    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    10287 Misc.: Traceroute
    Description
    general/udp
    For your information, here is the traceroute to 68.248.39.14 :


    Makes a traceroute to the remote host.

    Risk factor : Low

    Additional Information:
    Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.
    This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.


    10201 General: Relative IP Identification number change
    Description
    general/tcp

    The remote host uses non-random IP IDs, that is, it is
    possible to predict the next value of the ip_id field of
    the ip packets sent by this host.

    An attacker may use this feature to determine traffic patterns
    within your network. A few examples (not at all exhaustive) are:

    1. A remote attacker can determine if the remote host sent a packet
    in reply to another request. Specifically, an attacker can use your
    server as an unwilling participant in a blind portscan of another
    network.

    2. A remote attacker can roughly determine server requests at certain
    times of the day. For instance, if the server is sending much more
    traffic after business hours, the server may be a reverse proxy or
    other remote access device. An attacker can use this information to
    concentrate his/her efforts on the more critical machines.

    3. A remote attacker can roughly estimate the number of requests that
    a web server processes over a period of time.


    Solution : Contact your vendor for a patch
    Risk factor : Low


    Additional Information:
    The only known vulnerability regarding this doesn't affect your network as much as it allows someone to use your machine to assist a malicious hacker in port scanning a third party.
    The way it works is this: The hacker sends an innocuous packet to your server, to which you respond, providing the IP_ID value. The hacker then sends a spoofed packet to the machine being scanned, faking the origin to make it look like it came from you. Depending on whether or not the target system's port is open, it responds (or not) to YOU, because it thinks the packet came from you. If it responds back, YOU respond back to it. Now, the hacker sends another packet to you, and you respond back with the IP_ID. In this entire scenario, you will have sent either 2 packets, or 3, depending on the state of the scanned system, and the hacker will be able to tell this by the values of the IP_ID field. Note, this really only works if the system "cooperating" in the scan (yours) is not busy. A busy server will generate too much traffic and can prevent reliable IP_ID counts from being determined.


    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    10114 Firewalls: icmp timestamp request
    Description
    general/icmp

    The remote host answers to an ICMP timestamp request. This allows an attacker
    to know the date which is set on your machine.

    This may help him to defeat all your time based authentication protocols.

    Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
    timestamp replies (14).

    Risk factor : Low
    CVE : CAN-1999-0524


    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    CVE Description
    ICMP information such as netmask and timestamp is allowed from arbitrary hosts.

    Related Security Advisory Cross Reference(s)
    Common Vulnerability Exposure (CVE) ID: CAN-1999-0524


    12053 General: Host FQDN
    Description
    general/tcp
    XXX.XX.39.14 resolves as whereIdrinkafewbeers.com


    This plugin writes the host FQDN as it could be resolved in the report.
    There is no security issue associated to it.

    Risk factor : None

    11268 General: OS fingerprint
    Description
    general/tcp
    Remote OS guess : Windows Millennium Edition (Me), Win 2000, or WinXP

    CVE : CAN-1999-0454

    This plugin determines which operating system
    the remote host is running.

    Guessing the remote operating system allows
    an attacker to make more focused attacks and
    to achieve his goal more quickly.
    This plugin uses the code from Nmap - see www.nmap.org
    Risk factor : None

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    CVE Description
    A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

    Related Security Advisory Cross Reference(s)
    Common Vulnerability Exposure (CVE) ID: CAN-1999-0454


    10330 Misc.: Services
    Description
    unknown (5000/tcp)
    A web server is running on this port


    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.


    6. Open Ports on XXX.XX.39.14


    Port Protocol Probable Service

    139 TCP netbios-ssn
    Port 139 is used on Windows machines for NetBios name resolution, WINS, etc. A problem with older unpatched versions of Windows is that they are susceptible to receipt of Out-Of-Band (OOB) data. This means that someone can remotely send you OOB data on port 139 and can cause numerous problems on your machine, including but not limited to machine lockups, blue screens, loss of internet connection.
    You should do one of several things: a) upgrade/patch your operating system to make sure it is not susceptible to this attack; b) firewall your system so that port 139 is not visible from the internet c) configure your router to block port 139; d) Install one of several monitoring packages on your PC that block this denial of service.


    445 TCP microsoft-ds
    This service, used in Windows 2000, provides an alternative to NetBIOS name resolution. By default, both NetBIOS and direct hosting support are enabled during install time. No exploits or vulnerabilities are known at this point in time concerning this service. Nevertheless, we recommend that you treat this service the same way as NetBIOS: a) firewall the system, and/or b) configure your router to block port 445.

    1025 TCP listen
    No description available for this port at this time.

    5000 TCP fics
    No description available for this port at this time.
    Hmm.... I'm not as "vulnerable" as I thought..... and they really didn't sensationalize an unprotected box...... Installing an FTP server..... Then we'll see what happens....

    [Edit]

    Hmmm... I installed the FTP server, forwarded the port, (I figured I'd do it before going back to the DMZ immediately), and retried the scan.... Error message was "you have already run a scan against this address already this _month_.... OOOPs...... I disconnected from the ISP and reconnected..... It's running now.... I hope it doesn't take too long or I might have to quit and try again tomorrow.... (it's that pissy lady thing rearing its ugly head..... <LOL>)

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
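    The IP_ID trick described in the quoted report only works if the "cooperating" host hands out a predictable IP ID counter. As an added example that is not from this thread, the scanner, or nmap, here is a Python check a defender can run over IP IDs observed in replies from their own host to see whether that counter is predictable; the sample sequences are constructed, and the class names are modelled on nmap's ipidseq categories (an assumption, not nmap's code).

```python
# Added example (not from the thread or the scanner): audit whether a
# host's IP ID counter is predictable, the property the idle (IP ID)
# scan in the report relies on. The IP ID sequences below are
# constructed, as if read from the IP header of replies from the host.
from typing import List

IPID_MOD = 1 << 16   # IP ID is a 16-bit field, so deltas wrap at 65536
MAX_STEP = 10        # largest per-packet step still counted as "incremental"


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IP IDs, modulo 2**16 (handles wrap)."""
    return [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int]) -> str:
    """Classify an IP ID sequence; names modelled on nmap's ipidseq classes.

    Returns 'too-few', 'all-zeros', 'constant', 'incremental',
    'byte-swapped-incremental' or 'random'.
    """
    if len(ids) < 3:
        return "too-few"
    if all(i == 0 for i in ids):
        return "all-zeros"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= MAX_STEP for d in deltas):
        return "incremental"
    # Some stacks emit the counter little-endian, so a +1 step shows up
    # as +256 on the wire: still a predictable counter once byte-swapped.
    if all(d % 256 == 0 and 1 <= d // 256 <= MAX_STEP for d in deltas):
        return "byte-swapped-incremental"
    return "random"


def predictable_for_idle_scan(ids: List[int]) -> bool:
    """True when the host could serve as the 'cooperating' system in the scan."""
    return classify_ipid(ids) in ("incremental", "byte-swapped-incremental")


# Constructed samples
INCREMENTAL = [0x1A2B, 0x1A2C, 0x1A2D, 0x1A2E]
WRAPPING = [65534, 65535, 0, 1]             # counter passes 0xFFFF
SWAPPED = [0x2B1A, 0x2C1A, 0x2D1A, 0x2E1A]  # steps of 0x0100
RANDOMISED = [0x9F3C, 0x0421, 0xE7B0, 0x5A55]
ZEROS = [0, 0, 0, 0]

if __name__ == "__main__":
    for seq in (INCREMENTAL, WRAPPING, SWAPPED, RANDOMISED, ZEROS):
        print(f"{classify_ipid(seq):25s} predictable={predictable_for_idle_scan(seq)}")
```

    A host whose replies classify as 'random' (or 'all-zeros') cannot be used this way, which is the defensive property to aim for on any box that sits reachable from the Internet.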

  10. #20
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    XP Home box with all updates/patches, behind a Linksys 802.11g router:

    No open ports, 1 low Miscellaneous (Traceroute), 1 other General (Host FQDN) "vulnerability".
