Security Issues and Fixes: charlemagne.dyndns.org

| Type | Port | Issue and Fix |
| Warning | daytime (13/tcp) |
The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.
In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
|
| Warning | ftp (21/tcp) |
This FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should deactivate
the anonymous account, since it can only cause trouble.
On most Unix systems, running:
echo ftp >> /etc/ftpusers
will correct this.
Risk factor : Low
CVE : CAN-1999-0497
|
| Informational | ftp (21/tcp) |
An unknown service is running on this port.
It is usually reserved for FTP |
| Informational | ftp (21/tcp) |
Remote FTP server banner :
220- Bonjour
220-
220- En cas de problemes, le signaler au Lycée ou
220- par un message root@charlemagne.dyndns.org
220-
220- Rappel: mettre "-" en premier caractère du mot de passe peut résoudre
220- certains problèmes de Login.
220-
220- Les fichiers en lecture sont sous /pub (tous les fichiers ne sont pas
220- lisibles pour des raisons diverses, ainsi maple4 ne l'est pas. Pour
220- ces fichiers, envoyer une demande root@charlemagne.dyndns.org)
220- Les fichiers à déposer doivent l'être sous /pub/incoming
220-
220- Ajouts le 26 Fevrier 2001: antivirus, aspirateur Web, clone Winzip
220- Ajouts le 22 Mars 2001: Necessaires pour compression a la volee
220- Ajouts le 1 Avril 2001: Ghostscript et Ghostview pour Windows
220- Modifications Avril 2001: Refonte du serveur pour securisation. Impossibilite
220- de creer un repertoire.
220- Ajouts en Mai 2001: Forwarding de ports
220- Ajout 15 Mai 2001: Doc Perl en Francais
220- Ajout 2002: Nouvelles versions, divers paquets Woody recompilés pour Potato
220- Ajout Septembre 2002: Open Office 1.01 et StarOffice 5.2
220 stargate.rebelles FTP server (Serveur FTP, lycee Charlemagne) ready.
|
| Warning | telnet (23/tcp) |
The Telnet service is running.
This service is dangerous in the sense that
it is not encrypted - that is, anyone on the path can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.
You should disable this service and use OpenSSH instead.
(www.openssh.com)
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619
|
| Informational | telnet (23/tcp) |
A telnet server seems to be running on this port |
| Informational | telnet (23/tcp) |
Remote telnet banner :
(charlemagne.dyndns.org) Lycee Charlemagne
15:32 on Tuesday, 21 January 2003
stargate login: |
| Informational | smtp (25/tcp) |
An SMTP server is running on this port
Here is its banner :
220 yoda.rebelles ESMTP Exim 3.12 #1 Tue, 21 Jan 2003 15:20:15 +0100
|
| Informational | smtp (25/tcp) |
Remote SMTP server banner :
220 yoda.rebelles ESMTP Exim 3.12 #1 Tue, 21 Jan 2003 15:20:51 +0100
|
| Informational | smtp (25/tcp) |
For some reason, we could not send the EICAR test string to this MTA |
| Informational | time (37/tcp) |
A time server seems to be running on this port |
| Warning | finger (79/tcp) |
The 'finger' service provides useful information
to attackers, since it allows them to gain usernames, check if a machine
is being used, and so on.
Risk factor : Low
Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612
|
| Informational | finger (79/tcp) |
A finger server seems to be running on this port |
| Vulnerability | www (80/tcp) |
A version of php which is older than 4.0.4
is running on this host.
There is a buffer overflow condition in the IMAP
module of this version which may allow an attacker
to execute arbitrary commands with the uid of the web
server, if this server is serving a webmail interface.
Solution : Upgrade to PHP 4.0.4
Reference : http://online.securityfocus.com/archive/1/166602
Risk factor : High |
| Vulnerability | www (80/tcp) |
The remote host appears to be vulnerable to the Apache
Web Server Chunk Handling Vulnerability.
If Safe Checks are enabled, this may be a false positive
since it is based on the version of Apache. Although
unpatched Apache versions 1.2.2 and above, 1.3 through
1.3.24 and 2.0 through 2.0.36 are vulnerable, the remote server may
be running a patched version of Apache.
*** Note : as safe checks are enabled, Nessus solely relied on the banner to issue this alert
Solution : Upgrade to version 1.3.26 or 2.0.39 or newer
See also : http://httpd.apache.org/info/security_bulletin_20020617.txt
http://httpd.apache.org/info/security_bulletin_20020620.txt
Risk factor : High
CVE : CAN-2002-0392
|
| Vulnerability | www (80/tcp) |
The remote host is running a version of PHP earlier
than 4.1.2.
There are several flaws in how PHP handles
multipart/form-data POST requests, any one of which can
allow an attacker to gain remote access to the system.
Solution : Upgrade to PHP 4.1.2
Risk factor : High
CVE : CVE-2002-0081
|
| Warning | www (80/tcp) |
The remote host appears to be running a version of
Apache which is older than 1.3.27.
There are several flaws in this version; you should
upgrade to 1.3.27 or newer.
*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive
Solution : Upgrade to version 1.3.27
See also : http://www.apache.org/dist/httpd/Announcement.html
Risk factor : Medium
CVE : CAN-2002-0840
|
| Warning | www (80/tcp) |
The server seems to accept UDDI queries. This could indicate
that the server is offering web services |
| Informational | www (80/tcp) |
A web server is running on this port |
| Informational | www (80/tcp) |
The remote web server type is :
Apache/1.3.9 (Unix) Debian/GNU PHP/4.0.3pl1
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers. |
| Informational | www (80/tcp) |
An information leak occurs on Apache based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home
directory and monitoring the response.
Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.
Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Risk factor : Low
CVE : CAN-2001-1013
|
| Informational | pop3 (110/tcp) |
A pop3 server is running on this port |
| Informational | pop3 (110/tcp) |
The remote POP server banner is :
+OK POP3 yoda.rebelles v7.64 server ready
|
| Informational | sunrpc (111/tcp) |
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port |
| Vulnerability | general/tcp |
You are using Nessus 1.0, which is deprecated.
In March 2003, the Nessus team will definitively stop
updating plugins for this version, which means that
it will no longer be accurate and will eventually stop working.
Note that the Nessus team plans to continue to add
new scripts until March 2003, but they will not be
tested on Nessus 1.0. Although they should work,
we do not guarantee it.
Please upgrade to Nessus 1.2, available at http://www.nessus.org/
You are also encouraged to test the new experimental Nessus 1.3.0
if you want to use something fancy.
Finally, if you do not know what Nessus is, then odds are that
you are being sold its results by an unscrupulous third-party
company. Feel free to contact deraison@nessus.org if you want
any clarification. |
| Warning | general/tcp |
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.
Solution : Contact your vendor for a patch
Risk factor : Low |
| Informational | general/tcp |
Nmap found that this host is running Linux 2.0.34-38
|
| Warning | general/icmp |
The remote host answers to an ICMP timestamp
request. This allows an attacker to learn the
date and time set on your machine.
This may help them to defeat
time-based authentication protocols.
Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
|
| Informational | general/udp |
For your information, here is the traceroute to 217.128.208.195 :
80.14.116.1
80.10.179.1
193.252.99.2
193.252.161.74
193.252.161.62
193.252.161.1
193.252.159.25
217.128.208.195
|
| Warning | ntp (123/udp) |
An NTP server is running on the remote host. Make sure that
you are running the latest version of your NTP server,
as some versions have been found to be vulnerable to
buffer overflows.
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
If you happen to be vulnerable : upgrade
Solution : Upgrade
Risk factor : High
CVE : CVE-2001-0414
|
| Informational | ntp (123/udp) |
It is possible to determine a lot of information about the remote host
by querying the NTP variables - these include the OS descriptor and
time settings.
Theoretically one could work out the NTP peer relationships and trace back
network settings from this.
Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore
Risk factor : Low |
| Informational | sunrpc (111/udp) |
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port |