Just a question, but what do you guys think about the www.norton.com online vulnerability scan? I used it and it worked alright for me.
You mean SecurityCheck? Pretty sucky since I got this error:
That's an interesting statement IMHO and seems to limit the scans to whatever is achieved with the browser, specifically browsers that support ActiveX.
Quote:
Error 001
Security Scan and Virus Detection do not work with your operating system. To run Security Scan and Virus Detection, you must be using Windows 98/ME, NT 4.0 Workstation/2000 Pro/XP, or Mac OS 8.1 or higher.
Quote:
Our web site consists of two methods that identify security risks on your computer.
The first method is to scan your computer from our server. This is called a server-side scan. It does not require running any software on your system, everything is happening from an external perspective.
The following scans are server-side scans:
* Hacker Exposure Check
* Windows Vulnerability Check
* Trojan Horse Check
ActiveX support is not required to run the server-side scans.
The second method is to download and run software directly on your computer to determine security aspects that would be impossible to detect from a server-side only scan. This type of scan is called a client-side scan. For example, it would not be possible to detect whether your computer has antivirus software installed from a server-side scan where a client-side scan can detect this.
The following scans are client-side scans:
* Antivirus Product Check
* Virus Protection Update Check
* Virus Detection
ActiveX support is required to run the client-side scans.
What's the betting Norton AntiVirus comes out at the top?
Quote:
The following scans are client-side scans:
* Antivirus Product Check
* Virus Protection Update Check
* Virus Detection
Hey Hey,
I got my results back.... I had 1 high, 1 medium, 6 low and 6 other.
I find it quite humorous because they stated earlier that port 12345 was SSH and now in my port scan results they are saying that port 12345 is NetBus. I also find it odd that they never found port 31337, which is TCP and is open running an Apache web server. I'm trying to think right now if my XP box is in a DMZ and that's why it found it as the OS, but last time I checked I didn't have anything on the DMZ. Also it found SSH (and should have found Apache) both running on Trustix; that should at least make it slightly more interesting. If I hear any more from them when they do the high level security risks I'll let y'all know..
Quote:
4. Vulnerability Title Summary
Low Risk Vulnerabilities
11935 General : IPSEC IKE detection
11919 General : HMAP
11919 General : HMAP
11765 Windows : scan for UPNP/Tcp hosts
10287 Misc. : Traceroute
10267 General : SSH Server type and version
Other Items to be Considered
12053 General : Host FQDN
11268 General : OS fingerprint
10881 General : SSH protocol versions supported
10330 Misc. : Services
10330 Misc. : Services
10330 Misc. : Services
5. Vulnerability Details
11935 General: IPSEC IKE detection
Description
isakmp (500/udp)
The remote host seems to be enabled to do Internet Key
Exchange. This is typically indicative of a VPN server.
VPN servers are used to connect remote hosts into internal
resources. In addition, The remote host seems to be configured
to force all communications across port 500 for both the source and
destination port. That is, we sent the machine a packet from a random
port greater than 1024. The machine sent the reply back to port 500.
NOTE: This sort of behavior has been observed on Microsoft machines.
Solution: You should ensure that:
1) The VPN is authorized for your company's computing environment
2) The VPN utilizes strong encryption
3) The VPN utilizes strong authentication
Risk factor : Low
11919 General: HMAP
Description
http (80/tcp)
Nessus was not able to reliably identify this server. It might be:
Kazaa servent (not a real web server)
The fingerprint differs from these known signatures on 7 point(s)
This script tries to identify the HTTP Server type and version by
sending more or less incorrect requests.
An attacker may use this to identify the kind of the remote web server
and gain further knowledge about this host.
Suggestions for defense against fingerprinting are presented in
http://acsac.org/2002/abstracts/96.html
See also : http://ujeni.murkyroc.com/hmap/
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
Risk factor : Low
11919 General: HMAP
Description
unknown (5000/tcp)
Nessus was not able to reliably identify this server. It might be:
webfs/1.20
The fingerprint differs from these known signatures on 5 point(s)
This script tries to identify the HTTP Server type and version by
sending more or less incorrect requests.
An attacker may use this to identify the kind of the remote web server
and gain further knowledge about this host.
Suggestions for defense against fingerprinting are presented in
http://acsac.org/2002/abstracts/96.html
See also : http://ujeni.murkyroc.com/hmap/
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
Risk factor : Low
11765 Windows: scan for UPNP/Tcp hosts
Description
unknown (5000/tcp)
The remote host is running Microsoft UPnP TCP helper.
If the tested network is not a home network, you should disable
this service.
Solution : Set the following registry key :
Location : HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
Key : Start
Value : 0x04
Risk Factor : Low
CVE : CVE-2001-0876
BID : 3723
CVE Description
Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.
Related Security Advisory Cross Reference(s)
BugTraq ID: 3723
Common Vulnerability Exposure (CVE) ID: CVE-2001-0876
Bugtraq: 20011220 Multiple Remote Windows XP/ME/98 Vulnerabilities (Google Search)
Microsoft Security Bulletin: MS01-059
Cert/CC Advisory: CA-2001-37
CERT/CC vulnerability note: VU#951555
XForce ISS Database: win-upnp-notify-bo(7721)
10287 Misc.: Traceroute
Description
general/udp
For your information, here is the traceroute to 6x.95.x.x :
69.28.227.212
69.28.226.193
216.187.68.5
216.187.68.69
216.187.68.229
216.187.68.58
208.174.225.229
208.175.10.97
206.24.194.100
206.24.207.178
206.24.194.39
208.173.135.186
206.108.103.193
206.108.99.189
6x.230.x.x
6x.230.x.x
6x.230.x.x
6x.230.x.x
6x.95.x.x
Makes a traceroute to the remote host.
Risk factor : Low
Additional Information:
Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.
This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.
10267 General: SSH Server type and version
Description
unknown (12345/tcp)
Remote SSH version : SSH-2.0-OpenSSH_3.8p1
This detects the SSH Server's type and version by connecting to the server
and processing the buffer received.
This information gives potential attackers additional information about the
system they are attacking. Versions and Types should be omitted
where possible.
Solution: Apply filtering to disallow access to this port from untrusted hosts
Risk factor : Low
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
12053 General: Host FQDN
Description
general/tcp
6x.95.x.x resolves as Toronto-HSE-pppXXXXXXXX.sympatico.ca.
This plugin writes the host FQDN as it could be resolved in the report.
There is no security issue associated with it.
Risk factor : None
11268 General: OS fingerprint
Description
general/tcp
Remote OS guess : Windows XP Professional RC1+ through final release
CVE : CAN-1999-0454
This plugin determines which operating system
the remote host is running.
Guessing the remote operating system allows
an attacker to make more focused attacks and
to achieve his goal more quickly
This plugin uses the code from Nmap - see www.nmap.org
Risk factor : None
CVE Description
A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.
Related Security Advisory Cross Reference(s)
Common Vulnerability Exposure (CVE) ID: CAN-1999-0454
10881 General: SSH protocol versions supported
Description
unknown (12345/tcp)
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.99
. 2.0
This plugin determines which versions of the SSH protocol
the remote SSH daemon supports
Risk factor : None
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
10330 Misc.: Services
Description
http (80/tcp)
A web server is running on this port
10330 Misc.: Services
Description
unknown (12345/tcp)
An ssh server is running on this port
10330 Misc.: Services
Description
unknown (5000/tcp)
A web server is running on this port
6. Open Ports on 6X.95.X.X
Port Protocol Probable Service
80 TCP http
It appears that you are running a web server. If you have not done so, we recommend that you run the latest version of a popular web server. Many "fringe market" web servers have known bugs that are slow to be fixed because few people care about the problems. These problems can often leave you open to someone accessing/modifying files on your system that they shouldn't. By running a popular web server, you lower the risk of this type of problem, and when problems are found, it is likely that a patch will be made available rapidly to fix the problem. Check our survey to see what the most popular web servers are.
5000 TCP fics
No description available for this port at this time.
12345 TCP NetBus
It appears that you may have NetBus installed on your system. NetBus is a popular trojan that allows for remote administration of your system. Although it may be used legitimately in some instances, if you didn't a) install it; or b) install something that simulates NetBus, we strongly recommend you remove it.
To remove it, run the NetBus client (NetBus.exe) yourself, connect to localhost, choose "Server admin" and click on the "Remove server" button. Alternatively, go out and buy some good virus removal software (such as Norton's AntiVirus) and have it remove it for you.
Number of open ports found by port scan: 3
Peace,
HT
Ok first off it took 2 hours and 5 mins to complete.
This is a home use family computer running Win2k Pro with Zone Alarm firewall (up to date) and AVG antivirus (Up to date 4 days ago)
First off we have 1 low risk and 1 other; the low was in the Misc. category and the other was in the General category.
Low Risk vuln:
10287 Misc.: Traceroute
Description
general/udp
For your information, here is the traceroute to **.***.***.*** :
69.28.227.212
69.28.226.193
216.187.68.5
216.187.68.69
216.187.68.93
216.187.90.45
216.187.123.234
216.187.123.226
206.223.115.44
166.49.208.217
166.49.164.73
166.49.208.70
166.49.168.38
194.72.17.81
195.99.120.206
194.72.0.198
81.146.244.40
213.120.155.145
?
Makes a traceroute to the remote host.
Risk factor : Low
Additional Information:
Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.
This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.
*my ip does NOT appear in this list anywhere*
Next the "other" security risk:
12053 General: Host FQDN
Description
general/tcp
**.***.***.*** resolves as host**-***-***-***.range**-***.btcentralplus.com.
^Above line edited however it was my address that appeared^
This plugin writes the host FQDN as it could be resolved in the report.
There is no security issue associated with it.
Risk factor : None <-- So I'm running free then?
Number of open ports found by port scan:0
While having 0 ports open is very good, you should be aware that this does not guarantee you are secure. You need to consider the following items:
* The port scan did not include UDP ports
* Vulnerabilities such as trojans that "phone home" cannot be detected by a port scan
* You may not be protected from email viruses
Unfortunately, this being only a home computer, there are not many ports open (however, there were some less common ports open when this scan was done), so it is not much of a test, but it still failed to pick up on several security risks that I am already aware of. After reading this thread I have no confidence in the reliability of this scan.
I got the traceroute vulnerability and the FQDN. I have a Siemens SpeedStream router. It was a Windows XP box with all the recent updates. It's kinda surprising really, seeing as how port 80 is open and I have an Apache web server running with permissions to be accessed from the outside at the router. I figured that would have turned up at least something related. I haven't patched the server since install, so there has to be a vuln for it.
They have "Private" and "reserved" confused. IIRC the 8x.x.x.x addresses were reserved until fairly recently (I've seen a lot of south american addresses in the 8x range). Until recently though, they were considered reserved and kept from active assignment.
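Worked example, added here by the editor and not taken from any post in the thread or from the Symantec/Nessus report: the report's own rule is that the traceroute finding only matters when a hop in the path is an address internal to your network, and the post above points out that "private" and "reserved" are not the same thing. The snippet applies that rule to a hop list, separating RFC 1918 private space from IANA reserved space and from ordinary public space. The hop list is constructed for the demo: the first hops copy upstream routers that appear in the reports above, the 10.x, 192.168.x and 240.x entries are invented to exercise each case, and "?" stands for an unresponsive hop as the scanner prints it.

```python
"""
Classify traceroute hops so a 'traceroute' scanner finding can be
triaged: only RFC 1918 (private) hops leak anything about the inside
of your network. Added example, not code from the thread or the scanner.
"""
import ipaddress
from collections import Counter

# Constructed sample hop list (first hops mirror the report, rest invented).
SAMPLE_HOPS = [
    "69.28.227.212",   # upstream ISP router, public
    "69.28.226.193",   # upstream, public
    "216.187.68.5",    # upstream, public
    "81.146.244.40",   # public; 8x.x.x.x is not private space
    "10.7.0.1",        # RFC 1918: this WOULD be an internal address leak
    "192.168.1.1",     # RFC 1918: typical home-router LAN side
    "240.0.0.1",       # IANA reserved (240/4), never routed on the Internet
    "?",               # hop that did not answer
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_hop(hop: str) -> str:
    """Return 'private', 'reserved', 'special-use', 'public' or 'unknown'."""
    try:
        addr = ipaddress.ip_address(hop.strip())
    except ValueError:
        return "unknown"           # '?', '*', garbage
    if any(addr in net for net in RFC1918):
        return "private"           # RFC 1918: internal addressing leaked
    if addr.is_reserved:
        return "reserved"          # IANA reserved, e.g. 240.0.0.0/4
    if not addr.is_global:
        return "special-use"       # loopback, link-local, CGNAT, test nets
    return "public"


def leaked_internal_hops(hops):
    """The hops that make the finding real under the report's own rule."""
    return [h for h in hops if classify_hop(h) == "private"]


def assess(hops):
    """Summarize a hop list: does it leak internal addressing, and what else is in it."""
    leaked = leaked_internal_hops(hops)
    return {
        "leaks_internal": bool(leaked),
        "internal_hops": leaked,
        "by_class": dict(Counter(classify_hop(h) for h in hops)),
        # the mitigation the report itself names, only worth doing if it leaks
        "advice": ("filter outbound ICMP type 3 (unreachable) and type 11 (time exceeded) "
                   "at the border" if leaked else "no action needed"),
    }


if __name__ == "__main__":
    for hop in SAMPLE_HOPS:
        print(f"{hop:>16}  {classify_hop(hop)}")
    print(assess(SAMPLE_HOPS))
```

Run against the hop lists pasted in the thread (all upstream ISP addresses, the target itself, or "?"), `assess()` reports nothing internal, which agrees with the report's "no risk associated with this test" wording; it only turns into a real finding when a 10/8, 172.16/12 or 192.168/16 hop shows up in front of the target.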
Ok, sorry for the delay..... Long day rescuing a homing pigeon with a damaged wing, trying to locate it's owner, failing, taking it to the vet, buying a new grill, assembling it..... correctly too!!! Well, it didn't explode yet.... :D
The first test was run against this machine, WinXP SP1, missing the most recent patches, (Apr 2004), but "protected" by a Linksys router with a WAP.... (and a couple of pints of beer... :cool:). They report zero ports open but claim that there is a "low" and a point of note. The low is that they can tracert the machine to a point short of the IP address itself.... The point of note is that they can determine the FQDN.
I'm not going to comment yet on the "vulnerabilities".
Right now the scan against this machine in the DMZ of the router is taking place. Technically I'm unprotected....
Out of curiosity I will leave the machine in the DMZ and install the FTP server I have on the work machine and see what it says..... Then I'll put the Linksys back in the way and open a single port to the FTP server and see what happens. It'll probably take another day or two to complete otherwise I will have to sit here in the pub for several hours and there will be a really pissy lady waiting for me at home if I try it all today..... :eek:
The "wide open" scan is nearly finished.... I'll report that next.
Here's the report for a machine I have done nothing to secure that I placed "out there", (same box as above)
Hmm.... I'm not as "vulnerable" as I thought..... and they really didn't sensationalize an unprotected box...... Installing an FTP server..... Then we'll see what happens....
Quote:
11935 General: IPSEC IKE detection
Description
isakmp (500/udp)
The remote host seems to be enabled to do Internet Key
Exchange. This is typically indicative of a VPN server.
VPN servers are used to connect remote hosts into internal
resources. In addition, The remote host seems to be configured
to force all communications across port 500 for both the source and
destination port. That is, we sent the machine a packet from a random
port greater than 1024. The machine sent the reply back to port 500.
NOTE: This sort of behavior has been observed on Microsoft machines.
Solution: You should ensure that:
1) The VPN is authorized for your company's computing environment
2) The VPN utilizes strong encryption
3) The VPN utilizes strong authentication
Risk factor : Low
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
11919 General: HMAP
Description
unknown (5000/tcp)
Nessus was not able to reliably identify this server. It might be:
webfs/1.20
The fingerprint differs from these known signatures on 5 point(s)
This script tries to identify the HTTP Server type and version by
sending more or less incorrect requests.
An attacker may use this to identify the kind of the remote web server
and gain further knowledge about this host.
Suggestions for defense against fingerprinting are presented in
http://acsac.org/2002/abstracts/96.html
See also : http://ujeni.murkyroc.com/hmap/
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
Risk factor : Low
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
11765 Windows: scan for UPNP/Tcp hosts
Description
unknown (5000/tcp)
The remote host is running Microsoft UPnP TCP helper.
If the tested network is not a home network, you should disable
this service.
Solution : Set the following registry key :
Location : HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
Key : Start
Value : 0x04
Risk Factor : Low
CVE : CVE-2001-0876
BID : 3723
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.
Related Security Advisory Cross Reference(s)
BugTraq ID: 3723
Common Vulnerability Exposure (CVE) ID: CVE-2001-0876
Bugtraq: 20011220 Multiple Remote Windows XP/ME/98 Vulnerabilities (Google Search)
Microsoft Security Bulletin: MS01-059
Cert/CC Advisory: CA-2001-37
CERT/CC vulnerability note: VU#951555
XForce ISS Database: win-upnp-notify-bo(7721)
11157 Backdoors: Trojan horses
Description
unknown (1025/tcp)
An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Fraggle Rock
md5 Backdoor
NetSpy
Remote Storm
Unless you know for sure what is behind it, you'd better
check your system
*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)
Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10884 General: NTP read variables
Description
ntp (123/udp)
A NTP (Network Time Protocol) server is listening on this port.
Risk factor : Low
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10859 Windows: SMB get host SID
Description
microsoft-ds (445/tcp)
The host Security Identifier (SID) can be obtained remotely. Its value is :
XXXXXLAPTOP : 5-21--1250595799--151089796-444131745
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2002, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2001, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.
Related Security Advisory Cross Reference(s)
BugTraq ID: 959
Common Vulnerability Exposure (CVE) ID: CVE-2000-1200
Bugtraq: 20000201 Windows NT and account list leak ! A new SID usage (Google Search)
XForce ISS Database: nt-lsa-domain-sid(4015)
10785 Windows: SMB NativeLanMan
Description
microsoft-ds (445/tcp)
The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.1
The remote SMB Domain Name is : XXXXXX
This plugin attempts to determine what is the
remote native lan manager name (Samba, Windows...).
Risk factor : Low
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10398 Windows: SMB get domain SID
Description
microsoft-ds (445/tcp)
The domain SID can be obtained remotely. Its value is :
XXXXXX : 5-21-1659004503-1957994488-1060284298
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2002, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2001, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.
Related Security Advisory Cross Reference(s)
BugTraq ID: 959
Common Vulnerability Exposure (CVE) ID: CVE-2000-1200
Bugtraq: 20000201 Windows NT and account list leak ! A new SID usage (Google Search)
XForce ISS Database: nt-lsa-domain-sid(4015)
10397 Windows: SMB LanMan Pipe Server browse listing
Description
microsoft-ds (445/tcp)
Here is the browse list of the remote host :
XXXXXLAPTOP -
This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10287 Misc.: Traceroute
Description
general/udp
For your information, here is the traceroute to 68.248.39.14 :
69.28.227.212
69.28.226.193
216.187.68.5
216.187.68.69
216.187.68.229
216.187.68.58
206.223.119.79
151.164.188.161
151.164.191.177
151.164.241.42
151.164.188.30
151.164.242.38
XXX.XX.70.113
XXX.XX.70.235
XXX.XX.39.14
Makes a traceroute to the remote host.
Risk factor : Low
Additional Information:
Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.
This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.
10201 General: Relative IP Identification number change
Description
general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
Additional Information:
The only known vulnerability regarding this doesn't affect your network as much as it allows someone to use your machine to assist a malicious hacker in port scanning a third party.
The way it works is this: The hacker sends an innocuous packet to your server, to which you respond, providing the IP_ID value. The hacker then sends a spoofed packet to the machine being scanned, faking the origin to make it look like it came from you. Depending on whether or not the target system's port is open, it responds (or not) to YOU, because it thinks the packet came from you. If it responds back, YOU respond back to it. Now, the hacker sends another packet to you, and you respond back with the IP_ID. In this entire scenario, you will have sent either 2 packets, or 3, depending on the state of the scanned system, and the hacker will be able to tell this by the values of the IP_ID field. Note, this really only works if the system "cooperating" in the scan (yours) is not busy. A busy server will generate too much traffic and can prevent reliable IP_ID counts from being determined.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10114 Firewalls: icmp timestamp request
Description
general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
ICMP information such as netmask and timestamp is allowed from arbitrary hosts.
Related Security Advisory Cross Reference(s)
Common Vulnerability Exposure (CVE) ID: CAN-1999-0524
12053 General: Host FQDN
Description
general/tcp
XXX.XX.39.14 resolves as whereIdrinkafewbeers.com
This plugin writes the host FQDN as it could be resolved in the report.
There is no security issue associated with it.
Risk factor : None
11268 General: OS fingerprint
Description
general/tcp
Remote OS guess : Windows Millennium Edition (Me), Win 2000, or WinXP
CVE : CAN-1999-0454
This plugin determines which operating system
the remote host is running.
Guessing the remote operating system allows
an attacker to make more focused attacks and
to achieve his goal more quickly
This plugin uses the code from Nmap - see www.nmap.org
Risk factor : None
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.
Related Security Advisory Cross Reference(s)
Common Vulnerability Exposure (CVE) ID: CAN-1999-0454
10330 Misc.: Services
Description
unknown (5000/tcp)
A web server is running on this port
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
6. Open Ports on XXX.XX.39.14
Port Protocol Probable Service
139 TCP netbios-ssn
Port 139 is used on Windows machines for NetBios name resolution, WINS, etc. A problem with older unpatched versions of Windows is that they are susceptible to receipt of Out-Of-Band (OOB) data. This means that someone can remotely send you OOB data on port 139 and can cause numerous problems on your machine, including but not limited to machine lockups, blue screens, loss of internet connection.
You should do one of several things: a) upgrade/patch your operating system to make sure it is not susceptible to this attack; b) firewall your system so that port 139 is not visible from the internet c) configure your router to block port 139; d) Install one of several monitoring packages on your PC that block this denial of service.
445 TCP microsoft-ds
This service, used in Windows 2000, provides an alternative to NetBIOS name resolution. By default, both NetBIOS and direct hosting support are enabled during install time. No exploits or vulnerabilities are known at this point in time concerning this service. Nevertheless, we recommend that you treat this service the same way as NetBIOS: a) firewall the system, and/or b) configure your router to block port 445.
1025 TCP listen
No description available for this port at this time.
5000 TCP fics
No description available for this port at this time.
[Edit]
Hmmm... I installed the FTP server, forwarded the port, (I figured I'd do it before going back to the DMZ immediately), and retried the scan.... Error message was "you have already run a scan against this address already this _month_.... OOOPs...... I disconnected from the ISP and reconnected..... It's running now.... I hope it doesn't take too long or I might have to quit and try again tomorrow.... (it's that pissy lady thing rearing its ugly head..... <LOL>)
[/Edit]
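Worked example for finding 10201 (Relative IP Identification number change) in the report above, added by the editor and not part of the post or of the Nessus output: a simulation of the blind port scan the "Additional Information" paragraph walks through, with the scanned machine playing the unwilling zombie whose IP ID goes up by one for every packet it sends. The hosts, ports and starting IP ID are constructed; the attacker never touches the target directly except through the spoofed SYN, and reads the target's answer off the zombie's counter. The `background` knob models the "busy server" caveat in the report.

```python
"""
Simulation of the blind ('idle') port scan that a predictable IP ID
makes possible. Added example; zombie, target, ports and the IP ID
start value are all constructed for the demo.
"""


class Zombie:
    """Host whose IP ID counter goes up by one for every packet it sends
    (the 'non-random IP IDs' in the finding). `background` is the number
    of unrelated packets it sends between the attacker's two probes."""

    def __init__(self, start_id=1000, background=0):
        self.ip_id = start_id
        self.background = background

    def send_packet(self):
        self.ip_id = (self.ip_id + 1) & 0xFFFF     # 16-bit field wraps
        return self.ip_id

    def on_syn_ack(self):
        # An unsolicited SYN/ACK makes the stack answer with a RST: one packet sent.
        self.send_packet()

    def on_rst(self):
        # An unsolicited RST is silently dropped: no packet sent.
        pass

    def idle_traffic(self):
        for _ in range(self.background):
            self.send_packet()


class Target:
    """The third party being scanned. Open ports answer SYN with SYN/ACK,
    closed ports with RST, filtered ports with nothing at all."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def syn_from(self, port, src):
        if port in self.filtered_ports:
            return None
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_ip_id(zombie):
    """Attacker -> zombie: SYN/ACK. Zombie -> attacker: RST carrying its current IP ID."""
    zombie.on_syn_ack()
    return zombie.ip_id


def idle_scan_port(zombie, target, port):
    """Return 'open', 'closed|filtered' or 'unknown' for one target port."""
    before = probe_ip_id(zombie)                    # zombie packet #1
    reply = target.syn_from(port, src=zombie)       # spoofed SYN, source = zombie
    if reply == "SYN/ACK":
        zombie.on_syn_ack()                         # zombie packet #2, only when open
    elif reply == "RST":
        zombie.on_rst()                             # dropped, nothing sent
    # reply is None for filtered: nothing reaches the zombie at all
    zombie.idle_traffic()                           # noise from a busy zombie
    after = probe_ip_id(zombie)                     # zombie packet #2 or #3
    delta = (after - before) & 0xFFFF
    if delta == 1:
        return "closed|filtered"                    # zombie sent 2 packets
    if delta == 2:
        return "open"                               # zombie sent 3 packets
    return "unknown"                                # zombie too busy: retry or pick another


if __name__ == "__main__":
    z = Zombie()
    t = Target(open_ports={22, 80}, filtered_ports={135})
    for p in (22, 25, 80, 135):
        print(p, idle_scan_port(z, t, p))
```

The scan tells open from closed only because the zombie's counter moves by exactly one packet per reply; once the zombie sends any other traffic in between, the delta is no longer 1 or 2 and the result is thrown away, which is the "busy server" limitation the report mentions. The fix the report points to (randomized IP IDs) removes the side channel altogether; on a home box the same effect comes from not answering unsolicited SYN/ACKs at the firewall.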
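Second added example, for the SMB SID findings (10859 and 10398) in the report above; editor's code, not from the post or from Nessus. The host SID is printed as `5-21--1250595799--151089796-444131745`, with two negative subauthorities; the assumption here is that those are ordinary unsigned 32-bit subauthorities rendered as signed integers, so adding 2^32 recovers them. The snippet normalizes both SIDs into the usual S-1-5-21-... form and then builds the candidate account SIDs an attacker would try next, which is the "obtain the list of the local users" step the finding warns about (RID cycling: well-known RIDs 500 and 501, then user RIDs from 1000 upward). The SID strings are copied from the report; the RID range is an assumption.

```python
"""
Normalize the SID strings from the SMB findings and derive the
candidate account SIDs used for RID cycling. Added example; assumes the
negative numbers in the printed host SID are unsigned 32-bit values
shown as signed ints.
"""
import re

# Copied from the report; the RIDs are an assumption (Windows defaults).
HOST_SID_AS_PRINTED = "5-21--1250595799--151089796-444131745"
DOMAIN_SID_AS_PRINTED = "5-21-1659004503-1957994488-1060284298"
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def normalize_sid(raw: str) -> str:
    """Return canonical 'S-1-<authority>-<sub>-<sub>...' from either the
    canonical form or the scanner's bare '5-21-...' form, fixing
    subauthorities that were printed as negative signed 32-bit ints."""
    s = raw.strip()
    if s.upper().startswith("S-1-"):
        s = s[4:]
    fields = re.findall(r"-?\d+", s)       # keeps the sign on '--1250595799'
    if len(fields) < 2:
        raise ValueError(f"not a SID: {raw!r}")
    authority = int(fields[0])
    subs = []
    for f in fields[1:]:
        v = int(f)
        if v < 0:
            v += 1 << 32                   # undo the signed rendering
        if not 0 <= v < (1 << 32):
            raise ValueError(f"subauthority out of range: {f}")
        subs.append(v)
    return "S-1-" + "-".join(str(x) for x in [authority] + subs)


def rid_candidates(base_sid: str, first_user_rid=1000, count=5):
    """Account SIDs to try once the machine/domain SID is known: the
    well-known RIDs, then the first `count` RIDs Windows allocates to
    created accounts (assumed to start at 1000)."""
    base = normalize_sid(base_sid)
    rids = list(WELL_KNOWN_RIDS) + list(range(first_user_rid, first_user_rid + count))
    return [f"{base}-{rid}" for rid in rids]


def same_authority(sid_a: str, sid_b: str) -> bool:
    """True when both SIDs come from the same machine or domain."""
    return normalize_sid(sid_a) == normalize_sid(sid_b)


if __name__ == "__main__":
    print("host  :", normalize_sid(HOST_SID_AS_PRINTED))
    print("domain:", normalize_sid(DOMAIN_SID_AS_PRINTED))
    for sid in rid_candidates(HOST_SID_AS_PRINTED):
        print("  try", sid)
```

Two different SIDs in the report (host and domain) mean two separate account namespaces to enumerate, which is why both findings carry the same "filter 137-139 and 445" advice: with the ports reachable and a null session allowed, each RID guess can be turned back into an account name.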
XP Home box with all updates/patches, behind a Linksys 802.11g router:
No open ports, 1 low Miscellaneous (Traceroute), 1 other General (Host FQDN) "vulnerability".