Network Vulnerability Assessment Report
21.11.2003
Sorted by host names

Session name: Chapter 5 2000
Start Time: 20.11.2003 16:17:43
Finish Time: 20.11.2003 16:22:23
Elapsed: 0 day(s) 00:04:40
Total records generated: 66
  high severity: 7
  low severity: 44
  informational: 15


Scan configuration

Plugins used in this scan

Id     Name
10747  3Com Superstack II switch with default password
11187  4553 Parasite Mothership Detect
10669  A1Stats
10351  The ACC router shows configuration without authentication
11109  Achievo code injection
11007  ActiveState Perl directory traversal
10880  AdMentor Login Flaw
10441  AFS client version
10836  Agora CGI Cross Site Scripting
10009  AIX ftpd buffer overflow
10760  Alcatel ADSL Modem with Firewalling off
10530  Passwordless Alcatel ADSL Modem
11170  Alcatel OmniSwitch 7700/7800 switches backdoor
11019  Alcatel PABX 4400 detection
10818  Alchemy Eye HTTP Command Execution
10011  get32.exe
10010  AliBaba path climbing
10012  Alibaba 2.0 buffer overflow
10013  alibaba.pl
10014  tst.bat
11027  AlienForm CGI script
10015  AltaVista Intranet Search
11118  alya.cgi
10462  Amanda client version
10742  Amanda Index Server version
10644  anacondaclip
10536  Anaconda remote file retrieval
10445  AnalogX denial of service by long cgi name
10366  AnalogX denial of service
10489  Analogx Web server traversal
10016  AN-HTTPd tests CGIs
10017  Annex DoS
10277  AnyForm
10753  AOLserver Default Password
11137  Apache < 1.3.27
10752  Apache Auth Module SQL Insertion Attack
10938  Apache Remote Command Execution via .bat files
11030  Apache chunked encoding
10704  Apache Directory Listing
10678  Apache /server-info accessible
10677  Apache /server-status accessible
10440  Check for Apache Multiple / vulnerability
10480  Apache::ASP source.asp
10918  Apache-SSL overflow
11042  Apache Tomcat DOS Device Name XSS
11041  Apache Tomcat /servlet Cross Site Scripting
11046  Apache Tomcat TroubleShooter Servlet Installed
10766  Apache UserDir Sensitive Information Disclosure
11092  Apache 2.0.39 Win32 directory traversal
11090  AppSocket DoS
11105  ARCserve hidden share
10018  Knox Arkeia buffer overflow
10019  Ascend Kill
10666  AppleShare IP Server status query
10844  ASP.NET Cross Site Scripting
10843  ASP.NET path disclosure
10362  ASP source using ::$DATA trick
10363  ASP source using %2e trick
11071  ASP source using %20 trick
10020  + + + ATH0 modem hangup
10638  auktion.cgi
10021  Identd enabled
10875  Avenger's News System Command Execution
11096  Avirt gateway insecure telnet proxy
11102  Awol code injection
10022  Axent Raptor's DoS
10502  Axis Camera Default Password
10023  Bypass Axis Storpoint CD authentication
10024  BackOrifice
10872  BadBlue Directory Traversal Vulnerability
11062  BadBlue invalid GET DoS
11064  BadBlue invalid null byte vulnerability
10601  Basilix includes download
11072  Basilix webmail dummy request vulnerability
10025  bb-hist.sh
10460  bb-hostsvc.sh
10507  Sun's Java Web Server remote command execution
10949  BEA WebLogic Scripts Server scripts Source Disclosure (2)
10715  BEA WebLogic Scripts Server scripts Source Disclosure
11052  BenHur Firewall active FTP firewall leak
10026  BFTelnet DoS
10579  bftpd chown overflow
10568  bftpd format string vulnerability
10027  bigconf
11051  BIND9 DoS
10728  Determine if Bind 9 is running
10605  BIND vulnerable to overflows
10886  BIND vulnerable to DNS storm
10329  BIND iquery overflow
10539  Useable remote name server
11152  BIND vulnerable to cached RR overflow
10028  Determine which version of BIND name daemon is running
10029  BIND vulnerable
10549  BIND vulnerable to ZXFR bug
10828  SysV /bin/login buffer overflow (rlogin)
10827  SysV /bin/login buffer overflow (telnet)
10383  bizdb1-search.cgi located
10927  BlackIce DoS (ping flood)
10030  Bonk
10031  bootparamd service
11082  Boozt index.cgi overflow
10686  BroadVision Physical Path Disclosure Vulnerability
10556  Broker FTP files listing
11130  BrowseGate HTTP headers overflows
11135  Bugbear worm
10389  Cart32 ChangeAdminPassword
10951  cachefsd overflow
10034  RedHat 6.0 cachemgr.cgi
10506  calendar_admin.pl
10035  Campas
11114  Canna Overflow
10388  Cassandra NNTP Server DoS
10032  CA Unicenter's File Transfer Service is running
10033  CA Unicenter's Transport Service is running
10724  Cayman DSL router one char login
10036  CDK Detect
10037  CERN httpd problem
10797  ColdFusion Debug Mode
10652  cfingerd format string attack
10038  Cfinger's search.**@host feature
10651  cfinger's version
10039  /cgi-bin directory browsable ?
10779  CGIEmail's CGICso (Send CSO via CGI) Command Execution Vulnerability
10780  CGIEmail's Cross Site Scripting Vulnerability (cgicso)
10552  cgiforum
10040  cgitest.exe buffer overrun
10041  Cobalt RaQ2 cgiwrap
10042  Chameleon SMTPd overflow
10043  Chargen
10044  Checkpoint FW-1 identification
10919  Check open ports
11011  Port 445 open when 139 is not
10561  cisco 675 http DoS
10045  Cisco 675 passwordless router
11014  Cisco Aironet Telnet DoS
11012  ATA-186 password circumvention / recovery
10545  Cisco Catalyst Web Execution
10046  Cisco DoS
10970  GSR ACL pub
10971  GSR ICMP unreachable
10700  Cisco IOS HTTP Configuration Arbitrary Administrative Access
10387  cisco http DoS
10754  Cisco password not set
10972  Multiple SSH vulnerabilities
10682  CISCO view-source DoS
11013  Cisco VoIP phones DoS
10942  Check for a Citrix server
11138  Citrix published applications
10047  CMail's MAIL FROM overflow
11073  readmsg.php detection
11190  overflow.cgi detection
10793  Cobalt Web Administration Server Detection
10713  CodeRed version X detection
10581  Cold Fusion Administration Page Overflow
10001  ColdFusion Vulnerability
10612  commerce.cgi
10048  Communigate Pro overflow
10746  Compaq WBEM Server Detection
10049  Count.cgi
10675  CheckPoint Firewall-1 Telnet Authentication Detection
10676  CheckPoint Firewall-1 Web Authentication Detection
10815  Web Server Cross Site Scripting
10973  CSCdi34061
10974  CSCdi36962
10975  CSCdp35794
10976  CSCds04747
10977  CSCds07326
10978  CSCds66191
10979  CSCdt46181
10980  CSCdt62732
10981  CSCdt65960
10982  CSCdt93866
10983  CSCdu20643
10984  CSCdu81936
10985  CSCdv48261
10986  CSCdw19195
10987  CSCdw67458
11056  CSCdy03429
10050  CSM Mail server MTA 'HELO' denial
10924  csSearch.cgi
10051  A CVS pserver is running
10922  CVS/Entries
10465  CVSWeb 1.80 gives a shell to cvs committers
10402  CVSWeb detection
10368  Dansie Shopping Cart backdoor
10052  Daytime
10871  DB2 DOS
11182  DB4Web directory traversal
11180  DB4Web TCP relay
10403  DBMan CGI server information leakage
10736  DCE Services Enumeration
10583  dcforum
10718  DCShop exposes sensitive files
10961  AirConnect Default Password
10962  Cabletron Web View Administrative Access
10963  Compaq Web Based Management Agent Proxy Vulnerability
11032  Directory Scanner
10820  F5 Device Default Support Password
10990  FTP Service Allows Any Username
10991  IIS Global.asa Retrieval
11003  IIS Possible Compromise
10993  IIS ASP.NET Application Trace Enabled
10994  IPSwitch IMail SMTP Buffer Overflow
10995  Sun JavaServer Default Admin Password
10996  JRun Sample Files
10997  JRun directory traversal
10998  Shiva LanRover Blank Password
10999  Linksys Router Default Password
11000  MPEi/X Default Accounts
11001  MRTG mrtg.cgi File Disclosure
10826  Unprotected Netware Management Portal
10819  PIX Firewall Manager Directory Traversal
10798  Unprotected PC Anywhere Service
10778  Unprotected SiteScope Service
11004  WhatsUp Gold Default Admin Account
11098  WS_FTP SITE CPWD Buffer Overflow
10053  DeepThroat
10054  Delegate overflow
10876  Delta UPS Daemon Detection
10663  DHCP server info gathering
11104  Directory Manager's edit_image.php
11017  directory.php
10679  directory pro web traversal
10438  Netwin's DMail ETRN overflow
10595  DNS AXFR
10056  /doc directory browsable ?
10518  /doc/packages directory browsable ?
10953  Authentication bypassing in Lotus Domino
10629  Lotus Domino administration databases
10058  Domino HTTP server exposes the set up of the filesystem
10059  Domino HTTP Denial
10057  Lotus Domino ?open Vulnerability
10450  Dragon FTP overflow
10451  Dragon telnet overflow
10833  dtspcd overflow
10060  Dumpenv
11075  dwhttpd format string
10061  Echo port open
11022  eDonkey detection
10928  EFTP buffer overflow
10933  EFTP tells if a given file exists
10510  EFTP carriage return DoS
11093  EFTP installation directory disclosure
10062  Eicon Diehl LAN ISDN modem DoS
10609  empower cgi path
10063  Eserv traversal
10775  E-Shopping Cart Arbitrary Command Execution (WebDiscount)
10361  SalesLogix Eviewer WebApp crash
10570  Unify eWave ServletExec 3.0C file upload
10064  Excite for WebServers
10002  IIS possible DoS using ExAir's advsearch
10003  IIS possible DoS using ExAir's query
10004  IIS possible DoS using ExAir's search
10558  Exchange Malformed MIME header
10755  Microsoft Exchange Public Folders Information Leak
11100  eXtremail format strings
10065  EZShopper 3.0
10066  FakeBO buffer overflow
11054  fakeidentd overflow
10837  FAQManager Arbitrary File Reading Vulnerability
10067  Faxsurvey
10838  FastCGI Echo.exe Cross Site Scripting
11026  Access Point detection
10069  Finger zero at host feature
11193  akfingerd
10070  Finger backdoor
10071  Finger cgi
10072  Finger dot at host feature
10534  FreeBSD 4.1.1 Finger
10068  Finger
10073  Finger redirection check
10788  Solaris finger disclosure
10074  Firewall/1 UDP port 0 DoS
10075  FormHandler.cgi
10076  formmail.pl
10782  Formmail Version Information Disclosure
10376  htimage.exe overflow
10078  Microsoft Frontpage 'authors' exploits
10497  Microsoft Frontpage DoS
10369  Microsoft Frontpage dvwssr.dll backdoor
10077  Microsoft Frontpage exploits
10699  IIS FrontPage DoS II
10405  shtml.exe reveals full path
11160  Windows Administrator NULL FTP password
10079  Anonymous FTP enabled
10080  Linux FTP backdoor
10081  FTP bounce check
10082  FTPd tells if a user exists
10083  FTP CWD ~root
10091  FTPGate traversal
10821  FTPD glob Heap Corruption
10648  ftp 'glob' overflow
10084  ftp USER, PASS or HELP overflow
10085  Ftp PASV denial of service
10086  Ftp PASV on connect crashes the FTP server
10467  ftp.pl shows the listing of any dir
10692  ftpd strtok() stack overflow
10087  FTP real path
10088  Writeable FTP root
10092  FTP Server type and version
10488  FTP Serv-U 2.5e DoS
10089  FTP ServU CWD overflow
10565  Serv-U Directory traversal
10090  FTP site exec
10653  Solaris FTPd tells if a user exists
11112  Generic FTP traversal
10929  FTP Windows 98 MS/DOS device names DOS
11045  Passwordless Zaurus FTP server
11115  gallery code injection
10093  GateCrasher
10420  Gauntlet overflow
11037  WEB-INF folder accessible
10094  GirlFriend
10095  glimpse
10408  Insecure Napster clone
10946  Gnutella servent detection
10690  GoodTech ftpd DoS
10097  GroupWise buffer overflow
10877  GroupWise Web Interface 'HELP' hole
10873  GroupWise Web Interface 'HTMLVER' hole
10098  guestbook.cgi
10099  guestbook.pl
10694  GuildFTPD Directory Traversal
10471  Guild FTPd tells if a given file exists
10100  Handler
10731  HealthD detection
10101  Home Free search.cgi directory traversal
10102  HotSync Manager Denial of Service attack
10103  HP LaserJet display hack
10104  HP LaserJet direct print
10490  hpux ftpd PASS vulnerability
10606  HSWeb document path
10602  hsx directory traversal
10105  htdig
10495  htgrep
10106  Htmlscript
10784  ht://Dig's htsearch potential exposure/dos
10385  ht://Dig's htsearch reveals web server path
10527  Boa file retrieval
10484  Read any file thanks to ~nobody/
10890  HTTP NIDS evasion
10498  Test HTTP dangerous methods
10763  Detect the HTTP RPC endpoint mapper
11040  HTTP TRACE
10582  HTTP version spoken
10107  HTTP Server type and version
10930  HTTP Windows 98 MS/DOS device names DOS
10533  Web Shopper remote file retrieval
10532  eXtropia Web Store remote file retrieval
10108  Hyperbomb
10109  SCO i2odialogd buffer overrun
11083  ibillpm.pl
10799  IBM-HTTP-Server View Code
10112  icat
10410  ICEcap default password
11044  ICECast FileSystem disclosure
10600  ICECast Format String
10110  iChat
10113  icmp netmask request
10114  icmp timestamp request
10347  ICQ Denial of Service attack
10115  idq.dll directory traversal
10889  NIDS evasion
10661  IIS 5 .printer ISAPI filter applied
10657  NT IIS 5.0 Malformed HTTP Printer Request Header Buffer Overflow Vulnerability
10572  IIS 5.0 Sample App vulnerable to cross-site scripting attack
10573  IIS 5.0 Sample App reveals physical path of web root
10358  /iisadmin is world readable
10492  IIS IDA/IDQ Path Disclosure
10935  IIS ASP ISAPI filter Overflow
10371  /iisadmpwd/aexp2.htr
10577  Check for bdir.htr files
10116  IIS buffer overflow
10956  Codebrws.asp Source Disclosure Vulnerability
10117  IIS 'GET ../../'
10671  IIS Remote Command Execution
10537  IIS directory traversal
10406  IIS Malformed Extension Data in URL
10575  Check for IIS .cnf file leakage
10680  Test Microsoft IIS Source Fragment Disclosure
10937  IIS FrontPage ISAPI Denial of Service
10585  IIS FrontPage DoS
10118  IIS FTP server crash
10932  IIS .HTR ISAPI filter applied
11028  IIS .HTR overflow
10695  IIS .IDA ISAPI filter applied
10685  IIS ISAPI Overflow
10119  NT IIS Malformed HTTP Request Header DoS Vulnerability
10759  Content-Location HTTP Header
10120  IIS perl.exe problem
10667  IIS 5.0 PROPFIND Vulnerability
10631  IIS propfind DoS
10372  /scripts/repost.asp
10370  IIS dangerous sample files
10121  /scripts directory browsable
10576  Check for dangerous IIS default files
10732  IIS 5.0 WebDav Memory Leakage
10936  IIS XSS via 404 error
11142  IIS XSS via error
10941  IPSEC IKE check
10122  imagemap.exe
10496  Imail Host: overflow
10123  Imail's imap buffer overflow
10124  Imail's imonitor buffer overflow
10625  IMAP4rev1 buffer overflow after logon
10966  IMAP4buffer overflow in the BODY command
10125  Imap buffer overflow
10435  Imate HELO overflow
10801  IMP Session Hijacking Bug
10126  in.fingerd pipe
10127  info2www
10805  Informix traversal
10128  infosrch.cgi
10436  INN version check (2)
10129  INN version check
11128  redhat Interchange
10353  Interscan 3.32 SMTP Denial
10733  InterScan VirusWall Remote Configuration Vulnerability
10111  iParty
11068  iPlanet chunked encoding
10130  ipop2d buffer overflow
10589  iPlanet Directory Server traversal
11043  iPlanet Search Engine File Viewing
10683  iPlanet Certificate Management Traversal
10469  ipop2d reads arbitrary files
10455  Buffer Overrun in ITHouse Mail Server v1.04
10538  iWS shtml overflow
11047  Jigsaw webserver MS/DOS device DoS
10131  jj cgi
10604  Allaire JRun Directory Listing
10814  Allaire JRun directory browsing vulnerability
10444  JRun's viewsource.jsp
10957  JServ Cross Site Scripting
10925  Oracle Jserv Executes outside of doc_root
10751  Kazaa / Morpheus Client Detection
11166  KF Web Server /%00 bug
10375  Ken! DoS
10411  klogind overflow
10640  Kerberos PingPong attack
10132  Kuang2 the Virus
10541  KW whois
10796  scan for LaBrea tarpitted hosts
11063  LabView web server DoS
10133  Land
10378  LCDproc buffer overflow
10379  LCDproc server detection
10722  LDAP allows null bases
10723  LDAP allows anonymous binds
10812  libgtop_daemon format string
11122  Libwhisker options
10135  LinuxConf grants network access
10134  Linux 2.1.89 - 2.2.3 : 0 length fragment bug
10646  Lion worm
10769  Checks for listrec.pl
11155  LiteServe URL Decoding DoS
11005  LocalWeb2000 remote read
10870  Login configurations
10543  Lotus Domino SMTP overflow
10419  Lotus MAIL FROM overflow
10795  Lotus Notes ?OpenServer Information Disclosure
11009  Lotus Domino Banner Information Disclosure Vulnerability
11023  lpd, dvips and remote command execution
10727  Buffer overflow in Solaris in.lpd
10522  LPRng malformed input
10566  mmstdod.cgi
10641  mailnews.cgi
10635  Marconi ASX DoS
10562  Master Index directory traversal vulnerability
10137  MDaemon DoS
10136  MDaemon crash
10138  MDaemon Webconfig crash
10139  MDaemon Worldclient crash
10422  MDBMS overflow
10140  MediaHouse Statistic Server Buffer Overflow
10748  Mediahouse Statistics Web Server Detect
10620  EXPN overflow
10382  Atrium Mercur Mailserver
10346  Mercur WebView WebClient
10141  MetaInfo servers
10473  MiniVend Piped command
10735  Generic flood
11133  Generic format string
10359  ctss.idc check
11124  mldonkey telnet
11125  mldonkey www
10947  mod_python handle abuse
11039  mod_ssl off by one
10888  mod_ssl overflow
10357  RDS / MDAC Vulnerability (msadcs.dll) located
11161  RDS / MDAC Vulnerability Content-Type overflow
10939  MSDTC denial of service by flooding with nul bytes
10934  MS FTPd DoS
10356  Microsoft's Index server reveals ASP source code
10142  MS Personal WebServer ...
10143  MSQL CGI overflow
11159  MS RPC Services null pointer reference DoS
11018  MS Site Server Information Leak
10885  MS SMTP DoS
10673  Microsoft's SQL Blank Password
10862  Microsoft's SQL Server Brute Force
11067  Microsoft's SQL Hello Overflow
10674  Microsoft's SQL UDP Info Query
10144  Microsoft's SQL TCP/IP listener is running
10145  Microsoft's SQL TCP/IP denial of service
10390  mstream agent Detect
10391  mstream handler Detect
10418  Standard & Poors detection
10516  multihtml cgi
10822  Multiple WarFTPd DoS
10707  McAfee myCIO detection
10706  McAfee myCIO Directory Traversal
10343  MySQLs accepts any password
10626  MySQL various flaws
11192  multiple MySQL flaws
10481  Unpassworded MySQL
10719  MySQL Server version
10424  NAI Management Agent leaks info
10425  NAI Management Agent overflow
10344  Detect the presence of Napster
10761  Detect CIS ports
10721  ncbook/book.cgi
10665  tektronix's _ncl_items.shtml
10146  Tektronix /ncl_items.html
10988  Netware NDS Object Enumeration
10739  Novell Web Server NDS Tree Browsing
10147  A Nessus Daemon is running
10148  Nestea
10494  Netauth
10149  NetBeans Java IDE
10150  Using NetBIOS to retrieve information from a Windows host
10152  NetBus 2.x
10151  NetBus 1.x
11020  NetCommerce SQL injection
10154  Netscape Enterprise 'Accept' buffer overflow
10468  Netscape Administration Server admin password
10155  Netscape Enterprise Server DoS
10689  Netscape Enterprise '../' buffer overflow
10691  Netscape Enterprise INDEX request problem
10156  Netscape FastTrack 'get'
10580  netscape imap buffer overflow after logon
10153  Netscape Server ?PageServices bug
10681  Netscape Messenging Server User List
10364  netscape publishingXpert 2 PSUser problem
10352  Netscape Server ?wp bug
10005  NetSphere
10157  netstat
11106  NetTools command execution
11158  Novell NetWare HTTP POST Perl Code Execution Vulnerability
10360  newdsn.exe check
10586  news desk
10767  Tests for Nimda Worm infected HTML files
10251  rpc.nisd overflow
10158  NIS server
11033  Misc information on News server
10159  News Server type and version
10386  No 404 check
10160  Nortel Contivity DoS
10989  Nortel/Bay Networks default password
10528  Nortel Networks passwordless router (manager level)
10529  Nortel Networks passwordless router (user level)
10162  Notes MTA denial
10167  NTMail3 spam feature
10163  Novell Border Manager
10789  Novell Groupwise WebAcc Information Disclosure
10164  nph-publish.cgi
10165  nph-test-cgi
10540  NSM format strings vulnerability
10168  Detect talkd server port and protocol version
10166  Windows NT ftp 'guest' account
10884  NTP read variables
10647  ntpd overflow
11183  HTTP negative Content-Length buffer overflow
10654  Oracle Application Server Overflow
11074  OfficeScan configuration file disclosure
10716  OmniPro HTTPd 2.08 scripts source full disclosure
10578  Oops buffer overflow
10169  OpenLink web config buffer overflow
10608  OpenSSH 2.3.1 authentication bypass vulnerability
10802  OpenSSH < 3.0.1
11031  OpenSSH <= 3.3
10771  OpenSSH 2.5.x -> 2.9.x adv.option
10954  OpenSSH AFS/Kerberos ticket/token passing
10883  OpenSSH Channel Code Off by 1
10823  OpenSSH UseLogin Environment Variables
10439  OpenSSH < 2.1.1 UseLogin feature
11060  OpenSSL overflow (generic test)
10848  Oracle 9iAS Dynamic Monitoring Services
11076  Oracle webcache admin interface
11081  Oracle9iAS too long URL
10849  Oracle 9iAS DAD Admin interface
10850  Oracle 9iAS Globals.jsa access
10851  Oracle 9iAS Java Process Manager
10852  Oracle 9iAS Jsp Source File Reading
10853  Oracle 9iAS mod_plsql cross site scripting
10840  Oracle 9iAS mod_plsql Buffer Overflow
10854  Oracle 9iAS mod_plsql directory traversal
10855  Oracle XSQLServlet XSQLConfig.xml File
10808  DoSable Oracle WebCache server
10737  Oracle Applications One-Hour Install Detect
10660  Oracle tnslsnr security
10658  Oracle tnslsnr version query
10738  Oracle Web Administration Server Detection
10594  Oracle XSQL Stylesheet Vulnerability
10613  Oracle XSQL Sample Application Vulnerability
10636  Orange DoS
10170  OShare
10773  MacOS X Finder reveals contents of Apache Web files
10756  MacOS X Finder reveals contents of Apache Web directories
10781  Outlook Web anonymous access
10348  ows-bin
10171  Oracle Web Server denial of Service
10591  pagelog.cgi
10611  pals-cgi
10517  pam_smb / pam_ntdom overflow
10345  Passwordless Cayman DSL router
10172  Passwordless HP LaserJet
10006  PC Anywhere
10794  PC Anywhere TCP
10783  PCCS-Mysql User/Password Exposure
10511  /perl directory browsable ?
10664  perlcal
10173  perl interpreter can be launched as a CGI
10811  ActivePerl perlIS.dll Buffer Overflow
10174  pfdispaly
10508  PFTP login check
10442  NAI PGP Cert Server DoS
11070  PGPMail.pl detection
10175  Detect presence of PGPNet server and its version
10176  phf
10564  IIS phonebook
10593  phorum's common.cgi
10670  PHP3 Physical Path Disclosure Vulnerability
11050  php 4.2.x malformed POST
11008  PHP4 Physical Path Disclosure Vulnerability
11101  PHPAdsNew code injection
10839  PHP.EXE / Apache Win32 Arbitrary File Reading Vulnerability
10513  php file upload
10628  php IMAP overflow
10574  PHPix directory traversal vulnerability
10535  php log
11116  phpMyAdmin arbitrary files reading
10750  phpMyExplorer dir traversal
10177  php.cgi
10772  PHP-Nuke copying files security vulnerability (admin.php)
10630  PHP-Nuke security vulnerability (bb_smilies.php)
10810  PHP-Nuke Gallery Add-on File View
10655  PHP-Nuke' opendir
10856  PHP-Nuke sql_debug Information Disclosure
10178  php.cgi buffer overrun
11117  phpPgAdmin arbitrary files reading
10831  PHP Rocket Add-in File Traversal
10701  php safemode
10867  php POST file uploads
11099  Pi3Web Webserver v2.0 Buffer Overflow
10618  Pi3Web tstisap.dll overflow
10179  pimp
10968  ping.asp
10180  Ping the remote host
10381  Piranha's RH6.2 default password
10181  PlusMail vulnerability
10182  Livingston Portmaster crash
10183  pnserver crash
10341  Pocsag password
10459  Poll It v2.0 cgi
10184  Various pop3 overflows
11080  poprelayd & sendmail authentication problem
10185  POP3 Server type and version
10186  Portal of Doom
10879  Shell Command Execution Vulnerability
10483  Unpassworded PostgreSQL
10187  Cognos Powerplay WE Vulnerability
10776  Power Up Information Disclosure
10622  PPTP detection and versioning
10188  printenv
10649  processit
10634  proftpd exhaustion attack
10189  proftpd mkdir buffer overflow
10190  ProFTPd buffer overflow
10464  proftpd 1.2.0preN check
10191  ProFTPd pre6 buffer overflow
10192  Proxy accepts CONNECT requests
10193  Usable remote proxy on any port
10194  Proxy accepts POST requests
10195  Usable remote proxy
11024  p-smash DoS (ICMP 9 flood)
11085  Personal Web Sharing overflow
11134  QMTP
10948  qpopper options buffer overflow
10423  qpopper euidl problem
10197  qpopper LIST buffer overflow
10196  qpopper buffer overflow
10931  Quake3 Arena 1.29 f/g DOS
10712  quickstore traversal
10198  Quote of the day
11123  radmin detection
10199  RealServer Ramgen crash (ramcrash)
10730  Raptor FW version 6.5 detection
11057  Raptor Weak ISN
10921  RemotelyAnywhere SSH detection
10920  RemotelyAnywhere WWW detection
10521  Extent RBS ISP
10554  RealServer Memory Content Disclosure
10200  RealServer G2 buffer overrun
10461  Check for RealServer DoS
10377  RealServer denial of Service
10201  Relative IP Identification number change
10202  remwatch
11048  Resin DOS device path disclosure
10656  Resin traversal
10203  rexecd
10392  rfparalyze
10204  rfpoison
11006  RedHat 6.2 inetd
10874  Rich Media E-Commerce Stores Sensitive Information Insecurely
10161  rlogin -froot
10205  rlogin
10627  ROADS' search.pl
10421  Rockliffe's MailSite overflow
10206  Rover pop3 overflow
10207  Roxen counter module
10479  Roxen Server /%00/ bug
10208  3270 mapper service
10210  alis service
10211  amd service
10212  automountd service
10213  cmsd service
10214  database service
10215  etherstatd service
10216  fam service
11111  rpcinfo -p
10832  Kcms Profile Server
10217  keyserv service
10218  llockmgr service
10219  nfsd service
10220  nlockmgr service
10221  nsed service
10222  nsemntd service
10223  RPC portmapper
10224  rexd service
10225  rje mapper service
10226  rquotad service
10227  rstatd service
10228  rusersd service
10229  sadmin service
10230  sched service
10231  selection service
10232  showfhd service
10233  snmp service
10234  sprayd service
10235  statd service
10236  statmon service
10237  sunlink mapper service
10238  tfsd service
10787  tooltalk format string
10239  tooltalk service
10240  walld service
10209  X25 service
10241  ypbind service
10242  yppasswd service
10243  ypupdated service
10244  ypxfrd service
10340  rpm_query CGI
10245  rsh
10096  rsh with null username
10380  rsh on finger output
10762  RTSP Server type and version
11058  rusersd output
10950  rpc.walld format string
10804  rwhois format string attack (2)
10790  rwhois format string attack
10786  Samba Remote Arbitrary File Creation
11113  Samba Buffer Overflow
10246  Sambar Web Server CGI scripts
11131  Sambar web server DOS
10417  Sambar /cgi-bin/mailit.pl installed ?
10711  Sambar webserver pagecount hole
10514  Directory listing through Sambar's search.dll
10415  Sambar sendmail /session/sendmail
10416  Sambar /sysadmin directory 2
11168  Samba Unicode Buffer Overflow
10623  Savant original form CGI access
11174  HTTP negative Content-Length DoS
10633  Savant DoS
10453  sawmill allows the reading of the first line of any file
10454  sawmill password
10720  sdbsearch.cgi
10710  Checkpoint SecuRemote information leakage
10617  Checkpoint SecureRemote detection
10637  Sedum DoS
10809  Sendmail -bt option
11086  Sendmail custom configuration file
11088  Sendmail debug mode leak
10247  Sendmail DEBUG
10248  Sendmail 'decode' flaw
10249  EXPN and VRFY commands
10278  Sendmail 8.6.9 ident
10729  Sendmail 8.11 local overflow
10055  Sendmail 8.8.3 and 8.8.4 mime conversion overflow
10588  Sendmail mime overflow
11087  Sendmail queue manipulation & destruction
10250  Sendmail redirection check
10614  sendtemp.pl
10958  ServletExec 4.1 ISAPI DoS
10959  ServletExec 4.1 ISAPI File Reading
10960  ServletExec 4.1 ISAPI Physical Path Disclosure
11021  irix rpc.passwd overflow
10770  sglMerchant Information Disclosure Vulnerability
10350  Shaft Detect
10967  Shambala web server DoS
10252  Shells in /cgi-bin
10500  Shiva Integrator Default Password
10764  Shopping Cart Arbitrary Command Execution (Hassan)
10774  ShopPlus Arbitrary Command Execution
10717  SHOUTcast Server DoS detector vulnerability
10007  ShowCode possible
10437  NFS export
10847  SilverStream database structure
10846  SilverStream directory listing
11035  AnalogX SimpleServer:WWW DoS
10705  SimpleServer remote execution
10740  SiteScope Web Managegment Server Detect
10741  SiteScope Web Administration Server Detection
10253  Cobalt siteUserMod cgi
10725  SIX Webboard's generate.cgi
10255  SLMail:27 denial of service
10256  SLMail MTA 'HELO' denial
10254  SLMail denial of service
10257  SmartServer pop3 overflow
10396  SMB shares access
10524  SMB Windows9x password verification vulnerability
10414  WinLogon.exe DoS
10398  SMB get domain SID
10456  SMB enum services
10395  SMB shares enumeration
10901  Users in the 'Account Operator' group
10902  Users in the Admin group
10904  Users in the 'Backup Operator' group
10908  Users in the Domain Admin group
10905  Users in the 'Print Operator' group
10906  Users in the 'Replicator' group
10349  sojourn.cgi
10907  Guest belongs to a group
10903  Users in the 'System Operator' group
10859  SMB get host SID
10397  SMB LanMan Pipe Server browse listing
10911  Local users information : automatically disabled accounts
10912  Local users information : Can't change password
10913  Local users information : disabled accounts
10914  Local users information : Never changed password
10915  Local users information : User has never logged on
10916  Local users information : Passwords never expires
10404  SMB log in as users
10394  SMB log in
10642  SMB Registry : SQL7 Patches
10785  SMB NativeLanMan
10893  Obtains the lists of users aliases
10894  Obtains the lists of users groups
10910  Obtains local user information
10892  Obtains user information
10433  NT IP fragment reassembly patch not applied (jolt2)
10434  NT ResetBrowser frame & HostAnnouncement flood patc
10482  NetBIOS Name Server Protocol Spoofing patch
10486  Relative Shell Path patch
10485  Service Control Manager Named Pipe Impersonation patch
10499  Local Security Policy Corruption
10504  Still Image Service Privilege Escalation patch
10509  Malformed RPC Packet patch
10519  Telnet Client NTLM Authentication Vulnerability
10525  LPC and LPC Ports Vulnerabilities patch
10632  Webserver file request parsing
10555  Domain account lockout vulnerability
10563  Incomplete TCP/IP packet vulnerability
10603  Winsock Mutex vulnerability
10693  NTLMSSP Privilege Escalation
10615  Malformed PPTP Packet Stream vulnerability
10619  Malformed request to domain controller
10668  Malformed request to index server
10734  IrDA access violation patch
10806  RPC Endpoint Mapper can Cause RPC Service to Fail
10861  IE 5.01 5.5 6.0 Cumulative patch Q324929
10865  Checks for MS HOTFIX for snmp buffer overruns
10866  XML Core Services patch (Q318203)
10926  IE VBScript Handling patch (Q318089)
10945  Opening Group Policy Files (Q318089)
10944  MUP overlong request kernel overflow Patch (Q311967)
10943  Cumulative Patch for Internet Information Services (Q327696)
10964  Windows Debugger flaw can Lead to Elevated Privileges (Q320206)
11143  Exchange 2000 Exhaust CPU Resources (Q320436)
11029  Windows RAS overflow (Q318138)
11091  Windows Network Manager Privilege Elevation (Q326886)
11144  Flaw in Certificate Enrollment Control (Q323172)
11145  Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)
11146  Microsoft RDP flaws could allow sniffing and DOS (Q324380)
11177  Flaw in Microsoft VM JDBC Classes Could Allow Code Execution (Q329077)
11148  Unchecked Buffer in Decompression Functions (Q329048)
11147  Unchecked Buffer in Windows Help (Q323255)
11178  Unchecked Buffer in PPTP Implementation Could Enable DOS Attacks (Q329834)
11191  WM_TIMER Message Handler Privilege Elevation (Q328310)
11110  SMB null param count DoS
10412  SMB Registry : Autologon
10427  SMB Registry : permissions of HKLM
10400  SMB accessible registry
10428  SMB fully accessible registry
10431  SMB Registry : missing winreg
10413  SMB Registry : is the remote host a PDC/BDC
10567  SMB Registry : permissions of the RAS key
10430  SMB Registry : permissions of keys that can lead to admin
10426  SMB Registry : permissions of Schedule
10401  SMB Registry : NT4 Service Pack version
10531  SMB Registry : Win2k Service Pack version
11119  SMB Registry : XP Service Pack version
10449  SMB Registry : value of SFCDisable
10432  SMB Registry : permissions of keys that can change common paths
10429  SMB Registry : permissions of winlogon
10553  SMB Registry : permissions of WinVNC's key
10917  SMB Scope
10860  SMB use host SID to enumerate local users
10399  SMB use domain SID to enumerate users
10457  The alerter service is running
10458  The messenger service is running
10895  Users information : automatically disabled accounts
10896  Users information : Can't change password
10897  Users information : disabled accounts
10898  Users information : Never changed password
10899  Users information : User has never logged on
10900  Users information : Passwords never expires
10835  Unchecked Buffer in XP upnp
11141  Crash SMC AP
11034  SMTP antivirus filter
11036  SMTP antivirus scanner DoS
10258  Sendmail's from piped program
10520  PIX's smtp content filtering
10259  Sendmail mailing to files
10260  HELO overflow
10703  SMTP Authentication Error
11053  IMC SMTP EHLO Buffer Overrun
10261  Sendmail mailing to programs
10262  Mail relaying
10263  SMTP Server type and version
11038  SMTP settings
11079  Snapstream PVS web directory traversal
10969  Obtain Cisco type via SNMP
10264  Default community names of the SNMP Agent
10265  An SNMP Agent is running
10266  UDP null size going to SNMP DoS
10551  Obtain network interfaces list via SNMP
10547  Enumerate Lanman services via SNMP
10548  Enumerate Lanman shares via SNMP
10546  Enumerate Lanman users via SNMP
10857  SNMP bad length field DoS
10858  SNMP bad length field DoS (2)
10550  Obtain processes list via SNMP
10800  Obtain OS type via SNMP
10688  SNMP VACM
10659  snmpXdmid overflow
11126  SOCKS4A hostname overflow
11164  SOCKS4 username overflow
10393  spin_client.cgi buffer overrun
11139  wpoison (nasl version)
10765  SQLQHit Directory Structure Disclosure
10768  DoSable squid proxy server
10923  Squid overflows
11066  SunSolve CD CGI user input validation
10882  SSH protocol version 1 enabled
10708  SSH 3.0.0
10965  SSH 3 AllowedAuthentication
10607  SSH1 CRC-32 compensation attack
10267  SSH Server type and version
10268  SSH Insertion Attack
10472  SSH Kerberos issue
10269  SSH Overflow
10881  SSH protocol versions supported
11169  SSH setsid() vulnerability
10270  Stacheldraht Detect
10544  format string attack against statd
10639  store.cgi
10817  Interactive Story Directory Traversal Vulnerability
10271  stream.c
10803  Redhat Stronghold File System Disclosure
10409  SubSeven
10878  Sun Cobalt Adaptive Firewall Detection
10272  SunKill
10503  Reading CGI script sources using /cgi-bin-sdb
10560  SuSE's identd overflow
10273  Detect SWAT server port
10590  SWAT allows user names to be obtained by brute force
10493  SWC Overflow
11171  SWS unfinished line DoS
10274  SyGate Backdoor
10275  Systat
10276  TCP Chorusing
10279  Teardrop
10584  technote's main.cgi
10280  Telnet
10281  Detect Server type and version via Telnet
10474  GAMSoft TelSrv 1.4/1.5 Overflow
10709  TESO in.telnetd buffer overflow
10282  test-cgi
10283  TFN Detect
10284  TFS SMTP 3.2 MAIL FROM overflow
10285  thttpd 2.04 buffer overflow
10286  thttpd flaw
10523  thttpd ssi file retrieval
10596  Tinyproxy heap overflow
11059  Trend Micro OfficeScan Denial of service
10477  Tomcat's /admin is world readable
11150  Tomcat servlet engine MD/DOS device names denial of service
10807  Jakarta Tomcat Path Disclosure
10478  Tomcat's snoop servlet gives too much information
11176  Tomcat 4.x JSP Source Exposure
10672  Unknown CGIs arguments torture
10287  Traceroute
10491  ASP/ASA source using Microsoft Translate f: bug
10501  Trinity v3 Detect
10288  Trin00 Detect
10743  Tripwire for Webpages Detection
10696  ttawebtop
11136  /bin/login overflow exploitation
11097  TypSoft FTP STOR/RETR DoS
11140  UDDI detection
10791  Ultraseek Web Server Detect
10542  UltraSeek 3.1.x Remote DoS
10289  Microsoft Media Server 4.1 - DoS
10290  Upload cgi
10291  uploader.exe
10829  scan for UPNP hosts
10645  ustorekeeper
10292  uw-imap buffer overflow
10374  uw-imap buffer overflow after logon
11179  vBulletin's Calender Command Execution Vulnerability
10293  vftpd buffer overflow
10294  view_source
11107  viralator
10295  OmniHTTPd visadmin exploit
10744  VisualRoute Web Server Detection
10758  Check for VNC HTTP
10342  Check for VNC
11165  vpasswd.cgi
10463  vpopmail input validation bug
10354  vqServer administrative port
10355vqServer web traversal vulnerability
10650VirusWall's catinfo overflow
11184vxworks ftpd buffer overflow Denial of Service
11185vxworks ftpd buffer overflow
10296w3-msql overflow
10610way-board
10470WebActive world readable log file
10816Webalizer Cross Site Scripting Vulnerability
11095webcart.cgi
10298Webcart misconfiguration
10526IIS : Directory listing through WebDAV
10505Directory listing through WebDAV
10299webdist.cgi
10592webdriver
10475Buffer overflow in WebSitePro webfind.exe
10300webgais
10697WebLogic Server DoS
10698WebLogic Server /%00/ bug
10757Check for Webmin
10662Web mirroring
10367TalentSoft Web+ Input Validation Bug Vulnerability
10373TalentSoft Web+ version detection
11089Webseal denial of service
10301websendmail
11151Webserver 4D Cleartext Passwords
10302robot(s).txt exists on the Web Server
10557WebShield
10008WebSite 1.0 buffer overflow
10303WebSite pro reveals the physical file path of web directories
10476WebsitePro buffer overflow
10304WebSpeed remote configuration
11181WebSphere Host header overflow
11010WebSphere Cross Site Scripting
10616webspirs.cgi
10297Web server traversal
10487WFTP 2.41 rc11 multiple DoS
10466WFTP RNTO DoS
10305WFTP login check
10306whois_raw
10365Windmail.exe allows any user to execute arbitrary commands
10940Windows Terminal Service Enabled
10310Wingate denial of service
10309Passwordless Wingate installed
10311Wingate POP3 USER overflow
10312WindowsNT DNS flood denial
10313WindowsNT PPTP flood denial
10314Winnuke
10316WinSATAN
10315WINS UDP flood denial
10307Trin00 for Windows Detect
11108Omron WorldView Wnn Overflow
10745WorldClient for MDaemon Server Detection
11049Worldspan gateway DOS
10317wrap
11167Webserver4everyone too long URL
11094WS FTP overflows
10318wu-ftpd buffer overflow
10452wu-ftpd SITE EXEC vulnerability
10319wu-ftpd SITE NEWER vulnerability
10321wwwboard passwd.txt
11084Infinite HTTP request
10515Too long authorization
11077HTTP Cookie overflow
11127HTTP 1.0 header overflow
11129HTTP 1.1 header overflow
11078HTTP header overflow
11065HTTP method overflow
10687Too long POST command
10320Too long URL
11069HTTP User-Agent overflow
11061HTTP version number overflow
10597wwwwais
10891X Display Manager Control Protocol (XDMCP)
11015Xerver web server DOS
11188X Font Service Buffer Overflow
10322Xitami Web Server buffer overflow
10559XMail APOP Overflow
10407X Server
11121xtel detection
11120xtelw detection
10323XTramail control denial
10324XTramil MTA 'HELO' denial
10325Xtramail pop3 overflow
10512YaBB
11016xtux server detection
10326Yahoo Messenger Denial of Service attack
10684yppasswdd overflow
10327Zeus shows the content of the cgi scripts
10830zml.cgi Directory Traversal
10702Zope DoS
10569Zope Image updating Method
10447Zope DocumentTemplate package problem
10777Zope ZClass permission mapping bug
10714Default password router Zyxel
10328Default accounts
10330Services
10331FTP bounce scan
10332ftp writeable directories
10909Brute force login (Hydra)
10333Linux TFTP get file
10335tcp connect() scan
10336Nmap
10384IRIX Objectserver
10337QueSO
10338smad
10863SSL ciphers
10339TFTP get file

Preferences settings for this scan

max_hosts 16
max_checks 10
log_whole_attack yes
report_killed_plugins yes
cgi_path /cgi-bin
port_range 1-1024
optimize_test yes
language english
per_user_base /usr/local/var/nessus/users
checks_read_timeout 5
delay_between_tests 1
non_simult_ports 139, 445
plugins_timeout 320
safe_checks yes
auto_enable_dependencies yes
use_mac_addr no
save_knowledge_base no
kb_restore no
only_test_hosts_whose_kb_we_dont_have no
only_test_hosts_whose_kb_we_have no
kb_dont_replay_scanners no
kb_dont_replay_info_gathering no
kb_dont_replay_attacks no
kb_dont_replay_denials no
kb_max_age 864000
plugin_upload no
plugin_upload_suffixes .nasl
admin_user root
ntp_save_sessions yes
ntp_detached_sessions yes
server_info_nessusd_version 1.2.7
server_info_libnasl_version 1.2.7
server_info_libnessus_version 1.2.7
server_info_thread_manager fork
server_info_os Linux
server_info_os_version 2.4.18-3
reverse_lookup no
ntp_keep_communication_alive yes
ntp_opt_show_end yes
save_session no
detached_scan no
continuous_scan no


Summary of scanned hosts

Host        Holes  Warnings  Open ports  State
10.1.1.108  7      44        15          Finished


10.1.1.108

Service - Severity - Description
netbios-ns (137/udp)
Info
Port is open
unknown (135/tcp)
Info
Port is open
netbios-ssn (139/tcp)
Info
Port is open
https (443/tcp)
Info
Port is open
microsoft-ds (445/tcp)
Info
Port is open
unknown (1029/tcp)
Info
Port is open
general/tcp
Info
Port is open
unknown (1028/udp)
Info
Port is open
general/icmp
Info
Port is open
general/udp
Info
Port is open
unknown (1026/tcp)
Info
Port is open
ms-sql-s (1433/tcp)
Info
Port is open
ms-sql-m (1434/udp)
Info
Port is open
unknown (1025/tcp)
Info
Port is open
http (80/tcp)
Info
Port is open
netbios-ssn (139/tcp)
High

. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

. All the smb tests will be done as ''/'' in domain WORKGROUP
CVE : CVE-2000-0222
http (80/tcp)
High

The IIS server appears to have the .SHTML ISAPI filter mapped.

At least one remote vulnerability has been discovered for the
.SHTML filter. This is detailed in Microsoft Advisory MS02-018
and results in a denial of service against the web server.

It is recommended that, even if you have patched this vulnerability,
you unmap the .SHTML extension and any other unused ISAPI extensions
that are not required for the operation of your site.

An attacker may use this flaw to prevent the remote service
from working properly.

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled

Solution: See
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
and/or unmap the shtml/shtm isapi filters.

To unmap the .shtml extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration
   and remove the references to .shtml, .shtm and .sht from the list.

Risk factor : Medium
CVE : CAN-2002-0072
ms-sql-s (1433/tcp)
High

The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM, as well as read your database content.

Solution : Install Microsoft Patch Q316333 at
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech
or disable the Microsoft SQL Server service, or use a firewall to protect the
MS SQL port (1433).

Risk factor : High
CVE : CAN-2002-1123
http (80/tcp)
High

The IIS server appears to have the .HTR ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.

It is recommended that, even if you have patched this vulnerability,
you unmap the .HTR extension and any other unused ISAPI extensions
that are not required for the operation of your site.

Solution:
To unmap the .HTR extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration
   and remove the reference to .htr from the list.

Risk factor : High
http (80/tcp)
High

There's a buffer overflow in the remote web server through
the ISAPI filter.

It is possible to overflow the remote web server and execute
commands as user SYSTEM.

Solution: See http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
Risk factor : High
CVE : CVE-2001-0500
http (80/tcp)
High

The remote IIS server allows anyone to execute arbitrary commands
by adding a unicode representation for the slash character
in the requested path.

Solution: See http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
Risk factor : High
CVE : CVE-2000-0884
http (80/tcp)
High


When IIS receives a user request to run a script, it renders
the request in a decoded canonical form, then performs
security checks on the decoded request. A vulnerability
results because a second, superfluous decoding pass is
performed after the initial security checks are completed.
Thus, a specially crafted request could allow an attacker to
execute arbitrary commands on the IIS Server.

Solution: See MS advisory MS01-026(Superseded by ms01-044)
See http://www.microsoft.com/technet/security/bulletin/ms01-044.asp

Risk factor : High
CVE : CVE-2001-0333
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncalrpc[LRPC000001e0.00000001]
http (80/tcp)
Low

The remote web server appears to be running with
Frontpage extensions.

You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.

Risk factor : High if your configuration file is
not well set up
CVE : CAN-2000-0114
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_np:\\ltree108[\PIPE\INETINFO]
http (80/tcp)
Low

IIS 5 has support for the Internet Printing Protocol (IPP), which is
enabled in a default install. The protocol is implemented in IIS 5 as an
ISAPI extension. At least one security problem (a buffer overflow)
has been found with that extension in the past, so we recommend
you disable it if you do not use this functionality.

Solution:
To unmap the .printer extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration
   and remove the reference to .printer from the list.

Risk factor : Low
general/icmp
Low

The remote host answers to an ICMP timestamp
request. This allows an attacker to learn the
date and time set on your machine.

This may help an attacker defeat time-based
authentication protocols.

Solution : filter out incoming ICMP timestamp
requests (type 13) and outgoing ICMP
timestamp replies (type 14).

Risk factor : Low
CVE : CAN-1999-0524
http (80/tcp)
Low

The IIS server appears to have the .IDA ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .IDA
(indexing service) filter. This is detailed in Microsoft Advisory
MS01-033, and gives remote SYSTEM level access to the web server.

It is recommended that, even if you have patched this vulnerability,
you unmap the .IDA extension and any other unused ISAPI extensions
that are not required for the operation of your site.

Solution:
To unmap the .IDA extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration
   and remove the reference to .ida from the list.

Risk factor : Medium
CVE : CAN-2002-0071
netbios-ssn (139/tcp)
Low
The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.0
The remote SMB Domain Name is : WORKGROUP
http (80/tcp)
Low
The address in Content-Location is: 10.1.1.108
CVE : CAN-2000-0649
http (80/tcp)
Low

IIS 4.0 allows a remote attacker to obtain the real pathname
of the document root by requesting non-existent files with
.ida or .idq extensions.

An attacker may use this flaw to gain more information about
the remote host, and hence make more focused attacks.

Solution: Select 'Preferences -> Home directory -> Application',
and check the checkbox 'Check if file exists' for the ISAPI
mappings of your server.

Risk factor : Low
CVE : CAN-2000-0071
http (80/tcp)
Low

This IIS Server appears to be vulnerable to Cross Site Scripting
due to an error in the handling of overlong requests for an .idc file.
It is possible to inject JavaScript in the URL that will appear
in the resulting page.

Risk factor : Medium

See also : http://online.securityfocus.com/bid/5900
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0210&L=ntbugtraq&F=P&S=&P=1391
http (80/tcp)
Low

When the main page is requested, a Content-Location header is added to the response.
By default, in Internet Information Server (IIS) 4.0,
the Content-Location references the IP address of the server
rather than the Fully Qualified Domain Name (FQDN) or hostname.

This header may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server.

Solution: See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP

Risk factor : Low
CVE : CAN-2000-0649
http (80/tcp)
Low
The remote web server type is :

Microsoft-IIS/5.0


Solution : You can use urlscan to change the server banner reported by IIS.
netbios-ssn (139/tcp)
Low
The host SID could be used to enumerate the names of the local users
of this host.
(Only user names whose ID is between 1000 and 1020 were enumerated,
for performance reasons.)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- IUSR_VM2KSERVER (id 1001)
- IWAM_VM2KSERVER (id 1002)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
ms-sql-m (1434/udp)
Low
Here is the reply to a MS SQL 'ping' request :

ServerName   : ltree108
InstanceName : MSSQLSERVER
IsClustered  : No
Version      : 8.00.194
tcp          : 1433
np           : \\ltree108\pipe\sql\query

netbios-ssn (139/tcp)
Low
The host SID can be obtained remotely. Its value is :

ltree108 : 5-21-448539723-1708537768-1202660629

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
ms-sql-s (1433/tcp)
Low
It is possible that Microsoft's SQL Server is installed on the remote computer.
CVE : CAN-1999-0652
netbios-ssn (139/tcp)
Low
The domain SID can be obtained remotely. Its value is :

WORKGROUP : 48-0-0-0-0

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
general/tcp
Low

The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.

Solution : Contact your vendor for a patch
Risk factor : Low
http (80/tcp)
Low
The remote web server seems to be vulnerable to the Cross Site Scripting
vulnerability (XSS). The vulnerability is caused by the result returned to
the user when a non-existing file is requested (e.g. the result contains
the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the
user with the attacker's JavaScript/HTML code. Since the content is
presented by the server, the user will give it the trust level of the
server (for example, the trust level of banks, shopping centers, etc.
would usually be high).

Risk factor : Medium

Solutions:

Allaire/Macromedia Jrun:
http://www.macromedia.com/software/jrun/download/update/
http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
Microsoft IIS:
http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
Apache:
http://httpd.apache.org/info/css-security/
ColdFusion:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
General:
http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
http://www.cert.org/advisories/CA-2000-02.html
netbios-ssn (139/tcp)
Low
The following local accounts have never changed their password :

Administrator
TsInternetUser
IUSR_VM2KSERVER
IWAM_VM2KSERVER


To minimize the risk of break-in, users should
change their passwords regularly.
netbios-ssn (139/tcp)
Low
The following local accounts have never logged in :

Guest
TsInternetUser


Unused accounts are very helpful to attackers.
Solution : suppress these accounts
Risk factor : Medium
netbios-ssn (139/tcp)
Low
The following local accounts have passwords which never expire :

Administrator
Guest
TsInternetUser
IUSR_VM2KSERVER
IWAM_VM2KSERVER


Passwords should have a limited lifetime.
Solution : disable password non-expiry
Risk factor : Medium
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncalrpc[LRPC000002d8.00000001]
unknown (1026/tcp)
Low
A DCE service is listening on this port
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.1.1.108[1026]
https (443/tcp)
Low
An unknown service is running on this port.
It is usually reserved for HTTPS
netbios-ssn (139/tcp)
Low
Here is the browse list of the remote host :

INSTRUCTOR -
LTREE1 -
LTREE10 -
LTREE101 -
LTREE102 -
LTREE103 -
LTREE104 -
LTREE105 -
LTREE106 -
LTREE107 -
LTREE108 -
LTREE109 -
LTREE11 -
LTREE110 -
LTREE111 -
LTREE112 -
LTREE12 -
LTREE125 -
LTREE13 -
LTREE15 -
LTREE2 -
LTREE3 -
LTREE4 -
LTREE5 -
LTREE6 -
LTREE7 -
LTREE8 -
LTREE9 -


This is potentially dangerous, as it may help an attacker
by providing extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncalrpc[LRPC000002d8.00000001]
general/udp
Low
For your information, here is the traceroute to 10.1.1.108 :
10.1.1.108
http (80/tcp)
Low
A web server is running on this port
unknown (1026/tcp)
Low
A DCE service is listening on this port
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.1.1.108[1026]
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[ntsvcs]
Annotation: Messenger Service
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\ltree108[\PIPE\ntsvcs]
Annotation: Messenger Service
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\ltree108[\PIPE\scerpc]
Annotation: Messenger Service
unknown (1028/udp)
Low
A DCE service is listening on this port
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:10.1.1.108[1028]
Annotation: Messenger Service
netbios-ns (137/udp)
Low
. The following 7 NetBIOS names have been gathered :
LTREE108 = This is the computer name registered for workstation services by a WINS client.
LTREE108
WORKGROUP = Workgroup / Domain name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
LTREE108 = Computer name that is registered for the messenger service on a computer that is a WINS client.
INet~Services = Workgroup / Domain name (Domain Controller)
IS~ltree108 = This is the computer name registered for workstation services by a WINS client.
. The remote host has the following MAC address on its adapter :
0x00 0x50 0x56 0x40 0x42 0x3f

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncalrpc[OLE4]
unknown (135/tcp)
Low
A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncalrpc[INETINFO_LPC]
unknown (1029/tcp)
Low
A DCE service is listening on this port
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_ip_tcp:10.1.1.108[1029]
general/tcp
Low
Nmap found that this host is running Windows Millennium Edition (Me), Win 2000, or WinXP
unknown (135/tcp)
Low

DCE services running on the remote host can be enumerated
by connecting to port 135 and issuing the appropriate
queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
http (80/tcp)
Low
The following directories were discovered:
/_vti_bin, /images
The following directories require authentication:
/printers
netbios-ssn (139/tcp)
Low
The following local accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted.
Risk factor : Low
http (80/tcp)
Low
This IIS Server appears to be vulnerable to one of the cross site scripting
attacks described in MS02-018. The default '404' page returned by IIS uses
scripting to output a link to the top-level domain part of the URL
requested. By crafting a particular URL it is possible to insert arbitrary
script into the page for execution.

The presence of this vulnerability also indicates that you are vulnerable
to the other issues identified in MS02-018 (various remote buffer overflow
and cross site scripting attacks).

References:
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
http://jscript.dk/adv/TL001/

Risk factor : Medium
CVE : CAN-2002-0074
unknown (1025/tcp)
Low
A DCE service is listening on this port
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.1.1.108[1025]