Now I'm curious.... And I need your help....

Ok the full skinny,
Two xp home box's one fully patched one owned by teanage daughter status unknown. Behind netgear router nat enabled and acting as dhcp. Port forwarding from 7224 to 7226 for Bittorrent, running at time of scan.



No Risk Security Audit Synopsis

Report ID:
1100083285
Review Status:
Pending
Audit Queued:
Apr 17, 2004 12:04 GMT
Audit Started:
Apr 17, 2004 12:05 GMT
Audit Completed:
Apr 17, 2004 13:41 GMT
Host address(es):
xxxxxxxxxxxxxxxxx
Report Contents

1. Risk Classification Summary
2. Baseline Comparison Control
3. Vulnerability Category Summary
4. Vulnerability Title Summary
5. Vulnerability Details
6. Open Ports
7. Complete Report Order Form
Appendix A: Risk Definitions

1. Risk Classification Summary

Vulnerabilities are classified according to the risk they present to the network/host on which they are found. The following chart summarizes how the 1 different issues we found are spread across the different risk classes. For a detailed explanation of how vulnerabilities are classified, see Appendix A: Risk Definitions

2. Baseline Comparison Control

Baselining allows you to compare the results of an audit to the results received in a previous audit. This provides for an easy way to see what is changing from one audit to the next. This section documents which audit was used as a baseline, allows you to select a different audit to use as a baseline, and allows you to mark the current audit as something that should be used when running future baseline comparisons.
Note that you have a fair bit of control over the types of baseline comparison information displayed in your report by using our Report Style Editor. The default is to display ALL test results in your current report, along with notes as to which results are different from the previous report.

According to your current report style, baseline comparisons are:
Enabled
Comparisons have been done against the report:
Report ID:
Most recent audit in your account.
Make this audit a preferred baseline for use in comparing to other audits:

3. Vulnerability Category Summary

The vulnerability category summary shows how the various issues that were reported are distributed across the different test categories.


Category
High__
Med__
Low__
Other__
CGI abuses




Windows




Denial of Service




Gain root remotely




General




Misc.


1__

FTP




Gain a shell remotely




Remote file access




SMTP problems




Backdoors




CISCO




RPC




Default Unix Accounts




Firewalls




Windows : User management




Useless services




Peer-To-Peer File Sharing




SNMP




Finger abuses




Settings




Netware




Port scanners




NIS




Totals:
0__
0__
1__
0__
This report is a synopsis of a security audit done on your system. You had 0 High Risk and 0 Medium Risk vulnerabilities that were not disclosed in the above report. To view the details of these vulnerabilities and solutions to fix them, please subscribe to one of the services below.

Low Risk Vulnerabilities
_10287__Misc. : Traceroute
5. Vulnerability Details

10287_Misc.: Traceroute
Description
general/udp
For your information, here is the traceroute to xxxxxxxxxxx
69.28.227.212
69.28.226.193
216.187.68.5
216.187.68.69
216.187.68.229
216.187.68.58
65.207.236.177
152.63.71.210
152.63.70.106
152.63.64.57
204.255.174.238
144.232.20.90
144.232.26.109
144.232.9.157
144.232.13.181
144.232.13.16
160.81.43.102
213.200.81.117
213.200.77.130
212.74.106.97
?


Makes a traceroute to the remote host.

Risk factor : Low
Additional Information:
Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.
This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.

*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.

Edit Disposition
Corrected False Positive Non-Impacting Other
6. Open Ports on xxxxxxx



Number of open ports found by port scan:0
_
While having 0 ports open is very good, you should be aware that this does not guarantee you are secure. You need to consider the following items:
The port scan did not include UDP ports
Vulnerabilities such as trojans that "phone home" cannot be detected by a port scan
You may not be protected from email viruses
_
Appendix A: Risk Definitions

Users should note that test classifications are subjective, although we do our best to make appropriate classifications. If you spot an inconsistency, please let us know so that we can make the appropriate corrections.

Low Risk Vulnerabilities
We view these vulnerabilities as problems typically only if the information they provide or access granted can be used in conjunction with a one or more other vulnerabilities to compromise your system or network. These vulnerabilities are usually not problems in their own right, but could potentially lead to problems in conjunction with other services.


Jinxy

I did the test from a lan with freebsd 5.2 p4 (cvsup/buildworld on april 13) as a firewall, proxy with no services running on the external nic. They came up with the trace route "vuln" and picked up my donkey filesharing but did not identify it as such as i have it on a non standard port, they also came up with 1 medium risk vuln which they seem to want me too pay $ for (not gonna happen) but damn i am curious now :(

Hey Hey,

Apparently they weren't sure about my results so they made them viewable.

Here's my High and Medium Level Vulns.

Quote:

---

10059 Denial of Service: Domino HTTP Denial
Description
http (80/tcp)

It was possible to perform a denial of service against the remote
HTTP server by sending it a long /cgi-bin relative URL.

This problem allows an attacker to prevent your Lotus Domino web
server from handling requests.

Solution : contact your vendor for a patch, or change your server.
Consider changing cgi-bin mapping by something impossible to guess
in server document of primary Notes NAB.

Risk factor : Serious
CVE : CVE-2000-0023
BID : 881


*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.

CVE Description
Buffer overflow in Lotus Domino HTTP server allows remote attackers to cause a denial of service via a long URL.

Related Security Advisory Cross Reference(s)
BugTraq ID: 881
Common Vulnerability Exposure (CVE) ID: CVE-2000-0023
Bugtraq: 19991221 serious Lotus Domino HTTP denial of service (Google Search)
Bugtraq: 19991222 Lotus Notes HTTP cgi-bin vulnerability: possible workaround (Google Search)
Bugtraq: 19991227 Re: Lotus Domino HTTP denial of service attack (Google Search)


<Add Note>WorkSheet Notes

Edit Disposition
Corrected False Positive Non-Impacting Other
11047 Denial of Service: Jigsaw webserver MS/DOS device DoS
Description
http (80/tcp)
It was possible to crash the Jigsaw web
server by requesting /servlet/con about 30 times.

A cracker may use this attack to make this
service crash continuously.


Solution: upgrade your software

Risk factor : Medium
CVE : CAN-2002-1052
BID : 5258


*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.

CVE Description
Jigsaw 2.2.1 on Windows systems allows remote attackers to use MS-DOS device names in HTTP requests to (1) cause a denial of service using the "con" device, or (2) obtain the physical path of the server using two requests to the "aux" device.

Related Security Advisory Cross Reference(s)
BugTraq ID: 5258
Common Vulnerability Exposure (CVE) ID: CAN-2002-1052
Bugtraq: 20020717 KPMG-2002031: Jigsaw Webserver Path Disclosure (Google Search)
http://marc.theaimsgroup.com/?l=bugt...1753204392&w=2
http://archives.neohapsis.com/archiv...2-q3/0028.html
http://archives.neohapsis.com/archiv...2-q3/0031.html
Bugtraq: 20020717 KPMG-2002034: Jigsaw Webserver DOS device DoS (Google Search)
http://marc.theaimsgroup.com/?l=bugt...2936820193&w=2
http://www.securityfocus.com/bid/5258
http://www.iss.net/security_center/static/9587.php
http://www.iss.net/security_center/static/9586.php
BugTraq ID: 5251
http://www.securityfocus.com/bid/5251

---

Peace,
HT

Quote:

---

Hello,

A manual review of your audit results has been conducted
by SecuritySpace staff. As indicated by the current
report on-line, we were not able to find any High or
Medium Risk problems during the course of the audit.

Congratulations! We have marked the report as fully
viewable

---

The two probs the found were the traceroute wich doesnt even resolve all the way to my external IP. It stops one hop back.Of course that could be because i have my router set to drop ping packets and the like. The other one is the FQDn wich doesnt seem like a big deal to me. As mentioned in my previous post im running an unpatched apache webserver with the php module added. i do have the webserver acsessable from the outside. I glanced at the list of tests they do and it seems pretty comprehensive.

Running a linksys router and 2 computers behind it, one firewalled one not, I had 2 vulnerabilities. Tracert which doesnt seem like too big a deal to me and didnt actually resolve my ip. And FQDN which seems like more bs since they said this

Quote:

---

12053 General: Host FQDN
Description
general/tcp
XX.XX.XXX.XXX resolves as XXXXXXXX.
This plugin writes the host FQDN as it could be resolved in the report.
There is no security issue associated to it.
Risk factor : None

---

Why tell me its a risk and then continue to say there is no risk with it? Firewall is Tiny firewall with PCCillin AV. The Firewalled PC is a fully updated Windows XP home machine and the nonfirewalled is a halfway(prolly missing 15-20 critical patches) patched XP Pro machine.

Quote:

---

4. Vulnerability Title Summary
Low Risk Vulnerabilities
10287 Misc. : Traceroute
Other Items to be Considered
12053 General : Host FQDN

---

If you need the full report let me know. I would be glad to throw it into notepad

OK, I'm waiting for the results of the scan against this box, (WinXP, in DMZ of a linksys, no hardening and a proprietary FTP server added, same box as in the other two tests run during this thread. I don't think I want to go much further with this so I'll start with the questions.....

1. Moxnix: They said you had zero ports open..... but they say that you have an NTP server running..... Care to comment?

2. Ms M: Maybe I'm misunderstanding but you say that ports 1434, 135, 137, 139 and 445 were open to a non-existent box. They report nothing about the open ports but they found a DNS server... Any clue as to how?.... I can understand them not finding the WinX ports open since no response would imply it was firewalled.

3. HT: Trustix? What is it? Is it possible it shows as a WinX box? Were you in the DMZ. It never found your apache server on 31337 but it reported one on 80? Do you have Domino on that box..... Did it crash? They said "It _was_ possible".... That implies they tried it and it worked.... maybe I'm missing something but how can you determine that a box can be exploited without actually trying it, (other than version info etc. which they seem not to be able to provide).

4. Jinx: It missed 3 open ports, 7224-7226..... You sure they respond to any old connection attempt?

5. Zombie: They missed a port 80 HTTP server.... You mention permissions.... Do you permit by remote address..... 'cos then it wouldn't respond....

I got the results of my new scan with the FTP server added..... Two things that jumped out at me was that after seeing the results were:-

1. They found more OS issues than they found in the original "un-protected" scan before the FTP server install......

2. The thing that peeked my curiosity in the first place about this was that they couldn't ID the FTP server..... Well.... to be honest.... and I don't remember doing it.... I changed the banner to read "ftp.mydomain.com", 'cos the banner ID'ed this install with the exact name and version of the server.

I need a little time to look at the OS changes they found since I _only_ installed the FTP server before I summarize the results... that and get a couple of answers to the questions above......

It has been interesting so far.... They don't seem as bad as I first expected though I do have some "reservations" about their report/sales pitch..... I''ll look it over.... I'm not going to bother with the "protected but FTP open" scan.... I get the feeling that they will soon see me as abusing their system having had a couple of really "sales-heavy" emails from them.... ;)

Quote:

---

2. Ms M: Maybe I'm misunderstanding but you say that ports 1434, 135, 137, 139 and 445 were open to a non-existent box. They report nothing about the open ports but they found a DNS server... Any clue as to how?.... I can understand them not finding the WinX ports open since no response would imply it was firewalled.

---

Yup. I picked up there attempts to connect to those ports via Ettercap (it actually opened the connection). What's interesting is that 1) I don't have a firewall (just a little lame NetGear router that seems to be less lame now) 2) DNS isn't opened and there is NO dns server (save for the router perhaps acting as a "proxy dns" for NAT purposes but it's not deliberately open).

Quote:

---

1. Moxnix: They said you had zero ports open..... but they say that you have an NTP server running..... Care to comment?

---

I was running a XP Home laptop, 1.6 ghz AMD, Kereo firewall, and C.A. antivirus.....on dialup. There are no open ports, except when using IRC (which I wasn't at that time).
I have no idea what they are talking about with the NTP server. I don't have any servers running, and I don't even know what a NTP server would be for.

Quote:

---

These pages contain lists of Network Time Protocol (NTP) public time servers. They are provided for information purposes only and represent the best information available at the current date. The operators of the servers listed do not commit to provide time service other than on a volunteer basis and with no guarantee of accuracy or availability. Further information of a technical nature can be obtained from the www.ntp.org site or comp.protocols.time.ntp newsgroup.
http://www.eecis.udel.edu/~mills/ntp/servers.html

---

Quote:

---

NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to some time reference. NTP is an Internet standard protocol originally developed by Professor David L. Mills at the University of Delaware.
http://www.ntp.org/ntpfaq/NTP-s-def.htm

---

I can say, that I don't have a NTP server running on any of my equipment.

My system is Fedora Core 1 with latest kernel and updates.

42% of the vulns found were clasified low risk
57% were clasified other

Low Risk:

10287 Misc. : Traceroute
10263 General : SMTP Server type and version
10114 Firewalls : icmp timestamp request

Other:

12053 General : Host FQDN
11421 SMTP problems : smtpscan
11268 General : OS fingerprint
10330 Misc. : Services

10287 traceroute:
Does not reveal any ip address within my home network., only the gateway is seen.

10263
Sendmail likes to brag about who it is, telling everyone, I must learn to change this:
220 atapi103.domain.org ESMTP Sendmail 8.12.10/8.12.10

10114
My system responded to a ICMP timestamp request, Ive taken their advice and made changes to firestarter, my GUI to iptables.

12053
Host FQDN?
24.101.x.x resolves as CPE0080c6fe15a9-CM014480118888.domain.com.

This plugin writes the host FQDN as it could be resolved in the report.
There is no security issue associated to it.

11421 smtpscan:
This server could be fingerprinted as being Sendmail 8.11.2
Incorect, I run sendmail 8.12.10 as detected earlyer.

11268 (CVE : CAN-1999-0454)
Remote OS guess : Checkpoint SecurePlatform NG FP3
I must not be vulnerable because I run Fedora Core 1

10330 Misc. : Services only makes clear I am running a smtp deamon. Which is correct.

Ms. M: Your reply kind of looks like what I see.... The ports being scanned _tend_ to be "common" ports to scan for vulnerabilites.... I need to spend more time looking at the dumps but I get the impresssion they are using a port list to speed up the scan, (makes them look good, (quick scan), finds the huge holes, thus makes them money.... :cool:

My reply to you seems to link to the next to Moxnix and the fact that they found more on the last scan against my box that only had an FTP server added......

Moxnix: It seems to me that they _might be_ "throwing in" the odd "vulnerability..... That's a bad accusation to make and I'm not making it yet... I haven't had time to properly look at my own logs..... I'll do that.... But with Mittens response, yours, my new "results" and some questions that are yet unanswered I'm beginning to wonder.....

I'll be quiet for now and look properly at the information I have.....