[rohrpost] PUBLIC DOMAIN SCANNER

Florian Cramer cantsin@zedat.fu-berlin.de
Tue, 7 May 2002 16:32:21 +0200


On Tue, 07.May.2002 at 13:14:24 +0200 knowbotic.research wrote:
> 
> 
> MINDS OF CONCERN::breaking news
> http://unitedwehack.ath.cx
> 
> PUBLIC DOMAIN SCANNER
> http://unitedwehack.homeunix.net/minds3/

[...]

> In the project, we are using non-invasive SECURITY scanning tools, which 
> systems administrators alike use in order to detect security holes on the 
> Internet servers.

unitedwehack.ath.cx

All 1549 scanned ports on  (209.73.19.97) are: UNfiltered

Interesting ports on  (209.73.19.97):
(The 1542 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
443/tcp    open        https
901/tcp    open        samba-swat
3306/tcp   open        mysql
6000/tcp   open        X11


+ unitedwehack.ath.cx :
 . List of open ports :
   o general/tcp (Security warnings found)
   o general/udp (Security notes found)
   o unknown (32768/tcp) (Security warnings found)
   o general/icmp (Security warnings found)

 . Warning found on port general/tcp


    
    Microsoft Windows 95 and 98 clients have the ability
    to bind multiple TCP/IP stacks on the same MAC address,
    simply by having the protocol added more than once
    in the Network Control panel.
    
    The remote host has several TCP/IP stacks with the
    same IP bound on the same MAC address. As a result,
    it will reply several times to the same packets,
    such as by sending multiple ACK to a single SYN,
    creating noise on your network. If several hosts
    behave the same way, then your network will be brought
    down.
    
    Solution : remove all the IP stacks except one in the remote
    host
    Risk factor :
     Medium


 . Warning found on port general/tcp


    
    The remote host uses non-random IP IDs, that is, it is
    possible to predict the next value of the ip_id field of
    the ip packets sent by this host.
    
    An attacker may use this feature to determine if the remote
    host sent a packet in reply to another request. This may be
    used for portscanning and other things.
    
    Solution : Contact your vendor for a patch
    Risk factor :
     Low


 . Information found on port general/udp


    For your information, here is the traceroute to 209.73.19.97 : 

 . Warning found on port unknown (32768/tcp)


    
    The fam RPC service is running. 
    Several versions of this service have
    a well-known buffer overflow condition
    that allows intruders to execute
    arbitrary commands as root on this system.
    
    
    Solution : disable this service in /etc/inetd.conf
    More information :
     http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp
    Risk factor : High
    CVE : CVE-1999-0059

 . Warning found on port general/icmp


    
    The remote host answers to an ICMP timestamp
    request. This allows an attacker to know the
    date which is set on your machine. 
    
    This may help him to defeat all your 
    time based authentication protocols.
    
    Solution : filter out the icmp timestamp
    requests (13), and the outgoing icmp 
    timestamp replies (14).
    
    Risk factor : Low
    CVE : CAN-1999-0524



Florian

-- 
http://userpage.fu-berlin.de/~cantsin/homepage/
http://www.complit.fu-berlin.de/institut/lehrpersonal/cramer.html
GnuPG/PGP public key ID 3200C7BA, finger cantsin@mail.zedat.fu-berlin.de
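The Nessus text report quoted above has a fixed shape (a `+ host :` header, one ` . Warning found on port ...` block per finding, and `Solution :`, `Risk factor :` and `CVE :` fields, with the risk value sometimes wrapped onto the next line). The parser below is an added example for triaging such a report by risk level; it is not code from the post or from the Nessus project, and its input is a constructed, abbreviated copy of the findings shown above.

```python
import re
from collections import Counter

# Constructed sample in the legacy Nessus text-report layout quoted in the post (three findings).
SAMPLE_REPORT = """\
+ unitedwehack.ath.cx :
 . Warning found on port general/tcp
    The remote host uses non-random IP IDs.
    Solution : Contact your vendor for a patch
    Risk factor :
     Low

 . Warning found on port unknown (32768/tcp)
    The fam RPC service is running.
    Solution : disable this service in /etc/inetd.conf
    Risk factor : High
    CVE : CVE-1999-0059

 . Warning found on port general/icmp
    The remote host answers to an ICMP timestamp request.
    Risk factor : Low
    CVE : CAN-1999-0524
"""

HOST_RE = re.compile(r"^\+ (\S+) :")
FINDING_RE = re.compile(r"^\. (Warning|Information|Vulnerability) found on port (.+?)\s*$")
FIELDS = {"Risk factor": "risk", "CVE": "cve", "Solution": "solution"}

def parse_nessus_text(report):
    """One dict per finding; 'Risk factor :' may carry its value on the next line."""
    findings, host, cur, pending_risk = [], None, {}, False   # cur={} absorbs pre-finding lines
    for line in filter(None, (l.strip() for l in report.splitlines())):
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := FINDING_RE.match(line):
            cur = {"host": host, "kind": m.group(1), "port": m.group(2),
                   "risk": None, "cve": None, "solution": None}
            findings.append(cur)
        elif pending_risk:
            cur["risk"], pending_risk = line, False
        elif line.startswith(tuple(k + " :" for k in FIELDS)):
            key, value = (s.strip() for s in line.split(":", 1))
            cur[FIELDS[key]] = value or None   # a wrapped Solution keeps only its first line
            pending_risk = key == "Risk factor" and not value
    return findings

def triage(findings):
    """Counts per risk level plus the findings ordered High -> Medium -> Low."""
    counts = Counter(f["risk"] or "None" for f in findings)
    return counts, sorted(findings, key=lambda f: {"High": 0, "Medium": 1, "Low": 2}.get(f["risk"], 3))
```

Running `triage(parse_nessus_text(SAMPLE_REPORT))` puts the High-rated fam RPC finding first, which is the one a defender would act on before the two Low-rated information-leak items.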