[rohrpost] PUBLIC DOMAIN SCANNER
Florian Cramer
cantsin@zedat.fu-berlin.de
Tue, 7 May 2002 16:32:21 +0200
Am Tue, 07.May.2002 um 13:14:24 +0200x schrieb knowbotic.research:
>
>
> MINDS OF CONCERN::breaking news
> http://unitedwehack.ath.cx
>
> PUBLIC DOMAIN SCANNER
> http://unitedwehack.homeunix.net/minds3/
[...]
> In the project, we are using non-invasive SECURITY scanning tools, which
> systems administrators alike use in order to detect security holes on the
> Internet servers.
unitedwehack.ath.cx
All 1549 scanned ports on (209.73.19.97) are: UNfiltered
Interesting ports on (209.73.19.97):
(The 1542 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
443/tcp open https
901/tcp open samba-swat
3306/tcp open mysql
6000/tcp open X11
+ unitedwehack.ath.cx :
. List of open ports :
o general/tcp (Security warnings found)
o general/udp (Security notes found)
o unknown (32768/tcp) (Security warnings found)
o general/icmp (Security warnings found)
. Warning found on port general/tcp
Microsoft Windows 95 and 98 clients have the ability
to bind multiple TCP/IP stacks on the same MAC address,
simply by having the protocol addded more than once
in the Network Control panel.
The remote host has several TCP/IP stacks with the
same IP binded on the same MAC adress. As a result,
it will reply several times to the same packets,
such as by sending multiple ACK to a single SYN,
creating noise on your network. If several hosts
behave the same way, then your network will be brought
down.
Solution : remove all the IP stacks except one in the remote
host
Risk factor :
Medium
. Warning found on port general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.
Solution : Contact your vendor for a patch
Risk factor :
Low
. Information found on port general/udp
For your information, here is the traceroute to 209.73.19.97 :
160.45.155.1
130.133.98.2
188.1.33.33
188.1.20.5
188.1.18.110
134.222.130.229
134.222.231.5
134.222.230.17
134.222.230.6
134.222.229.238
134.222.229.234
205.171.30.145
205.171.230.22
205.171.30.86
205.171.62.2
206.252.135.2
209.73.19.65
209.73.19.97
. Warning found on port unknown (32768/tcp)
The fam RPC service is running.
Several versions of this service have
a well-known buffer oveflow condition
that allows intruders to execute
arbitrary commands as root on this system.
Solution : disable this service in /etc/inetd.conf
More information :
http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp
Risk factor : High
CVE : CVE-1999-0059
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
Florian
--
http://userpage.fu-berlin.de/~cantsin/homepage/
http://www.complit.fu-berlin.de/institut/lehrpersonal/cramer.html
GnuPG/PGP public key ID 3200C7BA, finger cantsin@mail.zedat.fu-berlin.de