Network Vulnerability Assessment Report	21.11.2003
Sorted by host names

Session name: Chapter 5 2000 Start Time: 20.11.2003 16:17:43 Finish Time: 20.11.2003 16:22:23 Elapsed: 0 day(s) 00:04:40

Total records generated: 66 high severity: 7 low severity: 44 informational: 15

Scan configuration

Plugins used in this scan

Id	Name
10747	3Com Superstack II switch with default password
11187	4553 Parasite Mothership Detect
10669	A1Stats
10351	The ACC router shows configuration without authentication
11109	Achievo code injection
11007	ActiveState Perl directory traversal
10880	AdMentor Login Flaw
10441	AFS client version
10836	Agora CGI Cross Site Scripting
10009	AIX ftpd buffer overflow
10760	Alcatel ADSL Modem with Firewalling off
10530	Passwordless Alcatel ADSL Modem
11170	Alcatel OmniSwitch 7700/7800 switches backdoor
11019	Alcatel PABX 4400 detection
10818	Alchemy Eye HTTP Command Execution
10011	get32.exe
10010	AliBaba path climbing
10012	Alibaba 2.0 buffer overflow
10013	alibaba.pl
10014	tst.bat
11027	AlienForm CGI script
10015	AltaVista Intranet Search
11118	alya.cgi
10462	Amanda client version
10742	Amanda Index Server version
10644	anacondaclip
10536	Anaconda remote file retrieval
10445	AnalogX denial of service by long cgi name
10366	AnalogX denial of service
10489	Analogx Web server traversal
10016	AN-HTTPd tests CGIs
10017	Annex DoS
10277	AnyForm
10753	AOLserver Default Password
11137	Apache < 1.3.27
10752	Apache Auth Module SQL Insertion Attack
10938	Apache Remote Command Execution via .bat files
11030	Apache chunked encoding
10704	Apache Directory Listing
10678	Apache /server-info accessible
10677	Apache /server-status accessible
10440	Check for Apache Multiple / vulnerability
10480	Apache::ASP source.asp
10918	Apache-SSL overflow
11042	Apache Tomcat DOS Device Name XSS
11041	Apache Tomcat /servlet Cross Site Scripting
11046	Apache Tomcat TroubleShooter Servlet Installed
10766	Apache UserDir Sensitive Information Disclosure
11092	Apache 2.0.39 Win32 directory traversal
11090	AppSocket DoS
11105	ARCserve hidden share
10018	Knox Arkeia buffer overflow
10019	Ascend Kill
10666	AppleShare IP Server status query
10844	ASP.NET Cross Site Scripting
10843	ASP.NET path disclosure
10362	ASP source using ::$DATA trick
10363	ASP source using %2e trick
11071	ASP source using %20 trick
10020	+ + + ATH0 modem hangup
10638	auktion.cgi
10021	Identd enabled
10875	Avenger's News System Command Execution
11096	Avirt gateway insecure telnet proxy
11102	Awol code injection
10022	Axent Raptor's DoS
10502	Axis Camera Default Password
10023	Bypass Axis Storpoint CD authentication
10024	BackOrifice
10872	BadBlue Directory Traversal Vulnerability
11062	BadBlue invalid GET DoS
11064	BadBlue invalid null byte vulnerability
10601	Basilix includes download
11072	Basilix webmail dummy request vulnerability
10025	bb-hist.sh
10460	bb-hostsvc.sh
10507	Sun's Java Web Server remote command execution
10949	BEA WebLogic Scripts Server scripts Source Disclosure (2)
10715	BEA WebLogic Scripts Server scripts Source Disclosure
11052	BenHur Firewall active FTP firewall leak
10026	BFTelnet DoS
10579	bftpd chown overflow
10568	bftpd format string vulnerability
10027	bigconf
11051	BIND9 DoS
10728	Determine if Bind 9 is running
10605	BIND vulnerable to overflows
10886	BIND vulnerable to DNS storm
10329	BIND iquery overflow
10539	Useable remote name server
11152	BIND vulnerable to cached RR overflow
10028	Determine which version of BIND name daemon is running
10029	BIND vulnerable
10549	BIND vulnerable to ZXFR bug
10828	SysV /bin/login buffer overflow (rlogin)
10827	SysV /bin/login buffer overflow (telnet)
10383	bizdb1-search.cgi located
10927	BlackIce DoS (ping flood)
10030	Bonk
10031	bootparamd service
11082	Boozt index.cgi overflow
10686	BroadVision Physical Path Disclosure Vulnerability
10556	Broker FTP files listing
11130	BrowseGate HTTP headers overflows
11135	Bugbear worm
10389	Cart32 ChangeAdminPassword
10951	cachefsd overflow
10034	RedHat 6.0 cachemgr.cgi
10506	calendar_admin.pl
10035	Campas
11114	Canna Overflow
10388	Cassandra NNTP Server DoS
10032	CA Unicenter's File Transfer Service is running
10033	CA Unicenter's Transport Service is running
10724	Cayman DSL router one char login
10036	CDK Detect
10037	CERN httpd problem
10797	ColdFusion Debug Mode
10652	cfingerd format string attack
10038	Cfinger's search.**@host feature
10651	cfinger's version
10039	/cgi-bin directory browsable ?
10779	CGIEmail's CGICso (Send CSO via CGI) Command Execution Vulnerability
10780	CGIEmail's Cross Site Scripting Vulnerability (cgicso)
10552	cgiforum
10040	cgitest.exe buffer overrun
10041	Cobalt RaQ2 cgiwrap
10042	Chameleon SMTPd overflow
10043	Chargen
10044	Checkpoint FW-1 identification
10919	Check open ports
11011	Port 445 open when 139 is not
10561	cisco 675 http DoS
10045	Cisco 675 passwordless router
11014	Cisco Aironet Telnet DoS
11012	ATA-186 password circumvention / recovery
10545	Cisco Catalyst Web Execution
10046	Cisco DoS
10970	GSR ACL pub
10971	GSR ICMP unreachable
10700	Cisco IOS HTTP Configuration Arbitrary Administrative Access
10387	cisco http DoS
10754	Cisco password not set
10972	Multiple SSH vulnerabilities
10682	CISCO view-source DoS
11013	Cisco VoIP phones DoS
10942	Check for a Citrix server
11138	Citrix published applications
10047	CMail's MAIL FROM overflow
11073	readmsg.php detection
11190	overflow.cgi detection
10793	Cobalt Web Administration Server Detection
10713	CodeRed version X detection
10581	Cold Fusion Administration Page Overflow
10001	ColdFusion Vulnerability
10612	commerce.cgi
10048	Communigate Pro overflow
10746	Compaq WBEM Server Detection
10049	Count.cgi
10675	CheckPoint Firewall-1 Telnet Authentication Detection
10676	CheckPoint Firewall-1 Web Authentication Detection
10815	Web Server Cross Site Scripting
10973	CSCdi34061
10974	CSCdi36962
10975	CSCdp35794
10976	CSCds04747
10977	CSCds07326
10978	CSCds66191
10979	CSCdt46181
10980	CSCdt62732
10981	CSCdt65960
10982	CSCdt93866
10983	CSCdu20643
10984	CSCdu81936
10985	CSCdv48261
10986	CSCdw19195
10987	CSCdw67458
11056	CSCdy03429
10050	CSM Mail server MTA 'HELO' denial
10924	csSearch.cgi
10051	A CVS pserver is running
10922	CVS/Entries
10465	CVSWeb 1.80 gives a shell to cvs committers
10402	CVSWeb detection
10368	Dansie Shopping Cart backdoor
10052	Daytime
10871	DB2 DOS
11182	DB4Web directory traversal
11180	DB4Web TCP relay
10403	DBMan CGI server information leakage
10736	DCE Services Enumeration
10583	dcforum
10718	DCShop exposes sensitive files
10961	AirConnect Default Password
10962	Cabletron Web View Administrative Access
10963	Compaq Web Based Management Agent Proxy Vulnerability
11032	Directory Scanner
10820	F5 Device Default Support Password
10990	FTP Service Allows Any Username
10991	IIS Global.asa Retrieval
11003	IIS Possible Compromise
10993	IIS ASP.NET Application Trace Enabled
10994	IPSwitch IMail SMTP Buffer Overflow
10995	Sun JavaServer Default Admin Password
10996	JRun Sample Files
10997	JRun directory traversal
10998	Shiva LanRover Blank Password
10999	Linksys Router Default Password
11000	MPEi/X Default Accounts
11001	MRTG mrtg.cgi File Disclosure
10826	Unprotected Netware Management Portal
10819	PIX Firewall Manager Directory Traversal
10798	Unprotected PC Anywhere Service
10778	Unprotected SiteScope Service
11004	WhatsUp Gold Default Admin Account
11098	WS_FTP SITE CPWD Buffer Overflow
10053	DeepThroat
10054	Delegate overflow
10876	Delta UPS Daemon Detection
10663	DHCP server info gathering
11104	Directory Manager's edit_image.php
11017	directory.php
10679	directory pro web traversal
10438	Netwin's DMail ETRN overflow
10595	DNS AXFR
10056	/doc directory browsable ?
10518	/doc/packages directory browsable ?
10953	Authentication bypassing in Lotus Domino
10629	Lotus Domino administration databases
10058	Domino HTTP server exposes the set up of the filesystem
10059	Domino HTTP Denial
10057	Lotus Domino ?open Vulnerability
10450	Dragon FTP overflow
10451	Dragon telnet overflow
10833	dtspcd overflow
10060	Dumpenv
11075	dwhttpd format string
10061	Echo port open
11022	eDonkey detection
10928	EFTP buffer overflow
10933	EFTP tells if a given file exists
10510	EFTP carriage return DoS
11093	EFTP installation directory disclosure
10062	Eicon Diehl LAN ISDN modem DoS
10609	empower cgi path
10063	Eserv traversal
10775	E-Shopping Cart Arbitrary Command Execution (WebDiscount)
10361	SalesLogix Eviewer WebApp crash
10570	Unify eWave ServletExec 3.0C file upload
10064	Excite for WebServers
10002	IIS possible DoS using ExAir's advsearch
10003	IIS possible DoS using ExAir's query
10004	IIS possible DoS using ExAir's search
10558	Exchange Malformed MIME header
10755	Microsoft Exchange Public Folders Information Leak
11100	eXtremail format strings
10065	EZShopper 3.0
10066	FakeBO buffer overflow
11054	fakeidentd overflow
10837	FAQManager Arbitrary File Reading Vulnerability
10067	Faxsurvey
10838	FastCGI Echo.exe Cross Site Scripting
11026	Access Point detection
10069	Finger zero at host feature
11193	akfingerd
10070	Finger backdoor
10071	Finger cgi
10072	Finger dot at host feature
10534	FreeBSD 4.1.1 Finger
10068	Finger
10073	Finger redirection check
10788	Solaris finger disclosure
10074	Firewall/1 UDP port 0 DoS
10075	FormHandler.cgi
10076	formmail.pl
10782	Formmail Version Information Disclosure
10376	htimage.exe overflow
10078	Microsoft Frontpage 'authors' exploits
10497	Microsoft Frontpage DoS
10369	Microsoft Frontpage dvwssr.dll backdoor
10077	Microsoft Frontpage exploits
10699	IIS FrontPage DoS II
10405	shtml.exe reveals full path
11160	Windows Administrator NULL FTP password
10079	Anonymous FTP enabled
10080	Linux FTP backdoor
10081	FTP bounce check
10082	FTPd tells if a user exists
10083	FTP CWD ~root
10091	FTPGate traversal
10821	FTPD glob Heap Corruption
10648	ftp 'glob' overflow
10084	ftp USER, PASS or HELP overflow
10085	Ftp PASV denial of service
10086	Ftp PASV on connect crashes the FTP server
10467	ftp.pl shows the listing of any dir
10692	ftpd strtok() stack overflow
10087	FTP real path
10088	Writeable FTP root
10092	FTP Server type and version
10488	FTP Serv-U 2.5e DoS
10089	FTP ServU CWD overflow
10565	Serv-U Directory traversal
10090	FTP site exec
10653	Solaris FTPd tells if a user exists
11112	Generic FTP traversal
10929	FTP Windows 98 MS/DOS device names DOS
11045	Passwordless Zaurus FTP server
11115	gallery code injection
10093	GateCrasher
10420	Gauntlet overflow
11037	WEB-INF folder accessible
10094	GirlFriend
10095	glimpse
10408	Insecure Napster clone
10946	Gnutella servent detection
10690	GoodTech ftpd DoS
10097	GroupWise buffer overflow
10877	GroupWise Web Interface 'HELP' hole
10873	GroupWise Web Interface 'HTMLVER' hole
10098	guestbook.cgi
10099	guestbook.pl
10694	GuildFTPD Directory Traversal
10471	Guild FTPd tells if a given file exists
10100	Handler
10731	HealthD detection
10101	Home Free search.cgi directory traversal
10102	HotSync Manager Denial of Service attack
10103	HP LaserJet display hack
10104	HP LaserJet direct print
10490	hpux ftpd PASS vulnerability
10606	HSWeb document path
10602	hsx directory traversal
10105	htdig
10495	htgrep
10106	Htmlscript
10784	ht://Dig's htsearch potential exposure/dos
10385	ht://Dig's htsearch reveals web server path
10527	Boa file retrieval
10484	Read any file thanks to ~nobody/
10890	HTTP NIDS evasion
10498	Test HTTP dangerous methods
10763	Detect the HTTP RPC endpoint mapper
11040	HTTP TRACE
10582	HTTP version spoken
10107	HTTP Server type and version
10930	HTTP Windows 98 MS/DOS device names DOS
10533	Web Shopper remote file retrieval
10532	eXtropia Web Store remote file retrieval
10108	Hyperbomb
10109	SCO i2odialogd buffer overrun
11083	ibillpm.pl
10799	IBM-HTTP-Server View Code
10112	icat
10410	ICEcap default password
11044	ICECast FileSystem disclosure
10600	ICECast Format String
10110	iChat
10113	icmp netmask request
10114	icmp timestamp request
10347	ICQ Denial of Service attack
10115	idq.dll directory traversal
10889	NIDS evasion
10661	IIS 5 .printer ISAPI filter applied
10657	NT IIS 5.0 Malformed HTTP Printer Request Header Buffer Overflow Vulnerability
10572	IIS 5.0 Sample App vulnerable to cross-site scripting attack
10573	IIS 5.0 Sample App reveals physical path of web root
10358	/iisadmin is world readable
10492	IIS IDA/IDQ Path Disclosure
10935	IIS ASP ISAPI filter Overflow
10371	/iisadmpwd/aexp2.htr
10577	Check for bdir.htr files
10116	IIS buffer overflow
10956	Codebrws.asp Source Disclosure Vulnerability
10117	IIS 'GET ../../'
10671	IIS Remote Command Execution
10537	IIS directory traversal
10406	IIS Malformed Extension Data in URL
10575	Check for IIS .cnf file leakage
10680	Test Microsoft IIS Source Fragment Disclosure
10937	IIS FrontPage ISAPI Denial of Service
10585	IIS FrontPage DoS
10118	IIS FTP server crash
10932	IIS .HTR ISAPI filter applied
11028	IIS .HTR overflow
10695	IIS .IDA ISAPI filter applied
10685	IIS ISAPI Overflow
10119	NT IIS Malformed HTTP Request Header DoS Vulnerability
10759	Content-Location HTTP Header
10120	IIS perl.exe problem
10667	IIS 5.0 PROPFIND Vulnerability
10631	IIS propfind DoS
10372	/scripts/repost.asp
10370	IIS dangerous sample files
10121	/scripts directory browsable
10576	Check for dangerous IIS default files
10732	IIS 5.0 WebDav Memory Leakage
10936	IIS XSS via 404 error
11142	IIS XSS via error
10941	IPSEC IKE check
10122	imagemap.exe
10496	Imail Host: overflow
10123	Imail's imap buffer overflow
10124	Imail's imonitor buffer overflow
10625	IMAP4rev1 buffer overflow after logon
10966	IMAP4buffer overflow in the BODY command
10125	Imap buffer overflow
10435	Imate HELO overflow
10801	IMP Session Hijacking Bug
10126	in.fingerd pipe
10127	info2www
10805	Informix traversal
10128	infosrch.cgi
10436	INN version check (2)
10129	INN version check
11128	redhat Interchange
10353	Interscan 3.32 SMTP Denial
10733	InterScan VirusWall Remote Configuration Vulnerability
10111	iParty
11068	iPlanet chunked encoding
10130	ipop2d buffer overflow
10589	iPlanet Directory Server traversal
11043	iPlanet Search Engine File Viewing
10683	iPlanet Certificate Management Traversal
10469	ipop2d reads arbitrary files
10455	Buffer Overrun in ITHouse Mail Server v1.04
10538	iWS shtml overflow
11047	Jigsaw webserver MS/DOS device DoS
10131	jj cgi
10604	Allaire JRun Directory Listing
10814	Allaire JRun directory browsing vulnerability
10444	JRun's viewsource.jsp
10957	JServ Cross Site Scripting
10925	Oracle Jserv Executes outside of doc_root
10751	Kazaa / Morpheus Client Detection
11166	KF Web Server /%00 bug
10375	Ken! DoS
10411	klogind overflow
10640	Kerberos PingPong attack
10132	Kuang2 the Virus
10541	KW whois
10796	scan for LaBrea tarpitted hosts
11063	LabView web server DoS
10133	Land
10378	LCDproc buffer overflow
10379	LCDproc server detection
10722	LDAP allows null bases
10723	LDAP allows anonymous binds
10812	libgtop_daemon format string
11122	Libwhisker options
10135	LinuxConf grants network access
10134	Linux 2.1.89 - 2.2.3 : 0 length fragment bug
10646	Lion worm
10769	Checks for listrec.pl
11155	LiteServe URL Decoding DoS
11005	LocalWeb2000 remote read
10870	Login configurations
10543	Lotus Domino SMTP overflow
10419	Lotus MAIL FROM overflow
10795	Lotus Notes ?OpenServer Information Disclosure
11009	Lotus Domino Banner Information Disclosure Vulnerability
11023	lpd, dvips and remote command execution
10727	Buffer overflow in Solaris in.lpd
10522	LPRng malformed input
10566	mmstdod.cgi
10641	mailnews.cgi
10635	Marconi ASX DoS
10562	Master Index directory traversal vulnerability
10137	MDaemon DoS
10136	MDaemon crash
10138	MDaemon Webconfig crash
10139	MDaemon Worldclient crash
10422	MDBMS overflow
10140	MediaHouse Statistic Server Buffer Overflow
10748	Mediahouse Statistics Web Server Detect
10620	EXPN overflow
10382	Atrium Mercur Mailserver
10346	Mercur WebView WebClient
10141	MetaInfo servers
10473	MiniVend Piped command
10735	Generic flood
11133	Generic format string
10359	ctss.idc check
11124	mldonkey telnet
11125	mldonkey www
10947	mod_python handle abuse
11039	mod_ssl off by one
10888	mod_ssl overflow
10357	RDS / MDAC Vulnerability (msadcs.dll) located
11161	RDS / MDAC Vulnerability Content-Type overflow
10939	MSDTC denial of service by flooding with nul bytes
10934	MS FTPd DoS
10356	Microsoft's Index server reveals ASP source code
10142	MS Personal WebServer ...
10143	MSQL CGI overflow
11159	MS RPC Services null pointer reference DoS
11018	MS Site Server Information Leak
10885	MS SMTP DoS
10673	Microsoft's SQL Blank Password
10862	Microsoft's SQL Server Brute Force
11067	Microsoft's SQL Hello Overflow
10674	Microsoft's SQL UDP Info Query
10144	Microsoft's SQL TCP/IP listener is running
10145	Microsoft's SQL TCP/IP denial of service
10390	mstream agent Detect
10391	mstream handler Detect
10418	Standard & Poors detection
10516	multihtml cgi
10822	Multiple WarFTPd DoS
10707	McAfee myCIO detection
10706	McAfee myCIO Directory Traversal
10343	MySQLs accepts any password
10626	MySQL various flaws
11192	multiple MySQL flaws
10481	Unpassworded MySQL
10719	MySQL Server version
10424	NAI Management Agent leaks info
10425	NAI Management Agent overflow
10344	Detect the presence of Napster
10761	Detect CIS ports
10721	ncbook/book.cgi
10665	tektronix's _ncl_items.shtml
10146	Tektronix /ncl_items.html
10988	Netware NDS Object Enumeration
10739	Novell Web Server NDS Tree Browsing
10147	A Nessus Daemon is running
10148	Nestea
10494	Netauth
10149	NetBeans Java IDE
10150	Using NetBIOS to retrieve information from a Windows host
10152	NetBus 2.x
10151	NetBus 1.x
11020	NetCommerce SQL injection
10154	Netscape Enterprise 'Accept' buffer overflow
10468	Netscape Administration Server admin password
10155	Netscape Enterprise Server DoS
10689	Netscape Enterprise '../' buffer overflow
10691	Netscape Enterprise INDEX request problem
10156	Netscape FastTrack 'get'
10580	netscape imap buffer overflow after logon
10153	Netscape Server ?PageServices bug
10681	Netscape Messenging Server User List
10364	netscape publishingXpert 2 PSUser problem
10352	Netscape Server ?wp bug
10005	NetSphere
10157	netstat
11106	NetTools command execution
11158	Novell NetWare HTTP POST Perl Code Execution Vulnerability
10360	newdsn.exe check
10586	news desk
10767	Tests for Nimda Worm infected HTML files
10251	rpc.nisd overflow
10158	NIS server
11033	Misc information on News server
10159	News Server type and version
10386	No 404 check
10160	Nortel Contivity DoS
10989	Nortel/Bay Networks default password
10528	Nortel Networks passwordless router (manager level)
10529	Nortel Networks passwordless router (user level)
10162	Notes MTA denial
10167	NTMail3 spam feature
10163	Novell Border Manager
10789	Novell Groupwise WebAcc Information Disclosure
10164	nph-publish.cgi
10165	nph-test-cgi
10540	NSM format strings vulnerability
10168	Detect talkd server port and protocol version
10166	Windows NT ftp 'guest' account
10884	NTP read variables
10647	ntpd overflow
11183	HTTP negative Content-Length buffer overflow
10654	Oracle Application Server Overflow
11074	OfficeScan configuration file disclosure
10716	OmniPro HTTPd 2.08 scripts source full disclosure
10578	Oops buffer overflow
10169	OpenLink web config buffer overflow
10608	OpenSSH 2.3.1 authentication bypass vulnerability
10802	OpenSSH < 3.0.1
11031	OpenSSH <= 3.3
10771	OpenSSH 2.5.x -> 2.9.x adv.option
10954	OpenSSH AFS/Kerberos ticket/token passing
10883	OpenSSH Channel Code Off by 1
10823	OpenSSH UseLogin Environment Variables
10439	OpenSSH < 2.1.1 UseLogin feature
11060	OpenSSL overflow (generic test)
10848	Oracle 9iAS Dynamic Monitoring Services
11076	Oracle webcache admin interface
11081	Oracle9iAS too long URL
10849	Oracle 9iAS DAD Admin interface
10850	Oracle 9iAS Globals.jsa access
10851	Oracle 9iAS Java Process Manager
10852	Oracle 9iAS Jsp Source File Reading
10853	Oracle 9iAS mod_plsql cross site scripting
10840	Oracle 9iAS mod_plsql Buffer Overflow
10854	Oracle 9iAS mod_plsql directory traversal
10855	Oracle XSQLServlet XSQLConfig.xml File
10808	DoSable Oracle WebCache server
10737	Oracle Applications One-Hour Install Detect
10660	Oracle tnslsnr security
10658	Oracle tnslsnr version query
10738	Oracle Web Administration Server Detection
10594	Oracle XSQL Stylesheet Vulnerability
10613	Oracle XSQL Sample Application Vulnerability
10636	Orange DoS
10170	OShare
10773	MacOS X Finder reveals contents of Apache Web files
10756	MacOS X Finder reveals contents of Apache Web directories
10781	Outlook Web anonymous access
10348	ows-bin
10171	Oracle Web Server denial of Service
10591	pagelog.cgi
10611	pals-cgi
10517	pam_smb / pam_ntdom overflow
10345	Passwordless Cayman DSL router
10172	Passwordless HP LaserJet
10006	PC Anywhere
10794	PC Anywhere TCP
10783	PCCS-Mysql User/Password Exposure
10511	/perl directory browsable ?
10664	perlcal
10173	perl interpreter can be launched as a CGI
10811	ActivePerl perlIS.dll Buffer Overflow
10174	pfdispaly
10508	PFTP login check
10442	NAI PGP Cert Server DoS
11070	PGPMail.pl detection
10175	Detect presence of PGPNet server and its version
10176	phf
10564	IIS phonebook
10593	phorum's common.cgi
10670	PHP3 Physical Path Disclosure Vulnerability
11050	php 4.2.x malformed POST
11008	PHP4 Physical Path Disclosure Vulnerability
11101	PHPAdsNew code injection
10839	PHP.EXE / Apache Win32 Arbitrary File Reading Vulnerability
10513	php file upload
10628	php IMAP overflow
10574	PHPix directory traversal vulnerability
10535	php log
11116	phpMyAdmin arbitrary files reading
10750	phpMyExplorer dir traversal
10177	php.cgi
10772	PHP-Nuke copying files security vulnerability (admin.php)
10630	PHP-Nuke security vulnerability (bb_smilies.php)
10810	PHP-Nuke Gallery Add-on File View
10655	PHP-Nuke' opendir
10856	PHP-Nuke sql_debug Information Disclosure
10178	php.cgi buffer overrun
11117	phpPgAdmin arbitrary files reading
10831	PHP Rocket Add-in File Traversal
10701	php safemode
10867	php POST file uploads
11099	Pi3Web Webserver v2.0 Buffer Overflow
10618	Pi3Web tstisap.dll overflow
10179	pimp
10968	ping.asp
10180	Ping the remote host
10381	Piranha's RH6.2 default password
10181	PlusMail vulnerability
10182	Livingston Portmaster crash
10183	pnserver crash
10341	Pocsag password
10459	Poll It v2.0 cgi
10184	Various pop3 overflows
11080	poprelayd & sendmail authentication problem
10185	POP3 Server type and version
10186	Portal of Doom
10879	Shell Command Execution Vulnerability
10483	Unpassworded PostgreSQL
10187	Cognos Powerplay WE Vulnerability
10776	Power Up Information Disclosure
10622	PPTP detection and versioning
10188	printenv
10649	processit
10634	proftpd exhaustion attack
10189	proftpd mkdir buffer overflow
10190	ProFTPd buffer overflow
10464	proftpd 1.2.0preN check
10191	ProFTPd pre6 buffer overflow
10192	Proxy accepts CONNECT requests
10193	Usable remote proxy on any port
10194	Proxy accepts POST requests
10195	Usable remote proxy
11024	p-smash DoS (ICMP 9 flood)
11085	Personal Web Sharing overflow
11134	QMTP
10948	qpopper options buffer overflow
10423	qpopper euidl problem
10197	qpopper LIST buffer overflow
10196	qpopper buffer overflow
10931	Quake3 Arena 1.29 f/g DOS
10712	quickstore traversal
10198	Quote of the day
11123	radmin detection
10199	RealServer Ramgen crash (ramcrash)
10730	Raptor FW version 6.5 detection
11057	Raptor Weak ISN
10921	RemotelyAnywhere SSH detection
10920	RemotelyAnywhere WWW detection
10521	Extent RBS ISP
10554	RealServer Memory Content Disclosure
10200	RealServer G2 buffer overrun
10461	Check for RealServer DoS
10377	RealServer denial of Service
10201	Relative IP Identification number change
10202	remwatch
11048	Resin DOS device path disclosure
10656	Resin traversal
10203	rexecd
10392	rfparalyze
10204	rfpoison
11006	RedHat 6.2 inetd
10874	Rich Media E-Commerce Stores Sensitive Information Insecurely
10161	rlogin -froot
10205	rlogin
10627	ROADS' search.pl
10421	Rockliffe's MailSite overflow
10206	Rover pop3 overflow
10207	Roxen counter module
10479	Roxen Server /%00/ bug
10208	3270 mapper service
10210	alis service
10211	amd service
10212	automountd service
10213	cmsd service
10214	database service
10215	etherstatd service
10216	fam service
11111	rpcinfo -p
10832	Kcms Profile Server
10217	keyserv service
10218	llockmgr service
10219	nfsd service
10220	nlockmgr service
10221	nsed service
10222	nsemntd service
10223	RPC portmapper
10224	rexd service
10225	rje mapper service
10226	rquotad service
10227	rstatd service
10228	rusersd service
10229	sadmin service
10230	sched service
10231	selection service
10232	showfhd service
10233	snmp service
10234	sprayd service
10235	statd service
10236	statmon service
10237	sunlink mapper service
10238	tfsd service
10787	tooltalk format string
10239	tooltalk service
10240	walld service
10209	X25 service
10241	ypbind service
10242	yppasswd service
10243	ypupdated service
10244	ypxfrd service
10340	rpm_query CGI
10245	rsh
10096	rsh with null username
10380	rsh on finger output
10762	RTSP Server type and version
11058	rusersd output
10950	rpc.walld format string
10804	rwhois format string attack (2)
10790	rwhois format string attack
10786	Samba Remote Arbitrary File Creation
11113	Samba Buffer Overflow
10246	Sambar Web Server CGI scripts
11131	Sambar web server DOS
10417	Sambar /cgi-bin/mailit.pl installed ?
10711	Sambar webserver pagecount hole
10514	Directory listing through Sambar's search.dll
10415	Sambar sendmail /session/sendmail
10416	Sambar /sysadmin directory 2
11168	Samba Unicode Buffer Overflow
10623	Savant original form CGI access
11174	HTTP negative Content-Length DoS
10633	Savant DoS
10453	sawmill allows the reading of the first line of any file
10454	sawmill password
10720	sdbsearch.cgi
10710	Checkpoint SecuRemote information leakage
10617	Checkpoint SecureRemote detection
10637	Sedum DoS
10809	Sendmail -bt option
11086	Sendmail custom configuration file
11088	Sendmail debug mode leak
10247	Sendmail DEBUG
10248	Sendmail 'decode' flaw
10249	EXPN and VRFY commands
10278	Sendmail 8.6.9 ident
10729	Sendmail 8.11 local overflow
10055	Sendmail 8.8.3 and 8.8.4 mime conversion overflow
10588	Sendmail mime overflow
11087	Sendmail queue manipulation & destruction
10250	Sendmail redirection check
10614	sendtemp.pl
10958	ServletExec 4.1 ISAPI DoS
10959	ServletExec 4.1 ISAPI File Reading
10960	ServletExec 4.1 ISAPI Physical Path Disclosure
11021	irix rpc.passwd overflow
10770	sglMerchant Information Disclosure Vulnerability
10350	Shaft Detect
10967	Shambala web server DoS
10252	Shells in /cgi-bin
10500	Shiva Integrator Default Password
10764	Shopping Cart Arbitrary Command Execution (Hassan)
10774	ShopPlus Arbitrary Command Execution
10717	SHOUTcast Server DoS detector vulnerability
10007	ShowCode possible
10437	NFS export
10847	SilverStream database structure
10846	SilverStream directory listing
11035	AnalogX SimpleServer:WWW DoS
10705	SimpleServer remote execution
10740	SiteScope Web Managegment Server Detect
10741	SiteScope Web Administration Server Detection
10253	Cobalt siteUserMod cgi
10725	SIX Webboard's generate.cgi
10255	SLMail:27 denial of service
10256	SLMail MTA 'HELO' denial
10254	SLMail denial of service
10257	SmartServer pop3 overflow
10396	SMB shares access
10524	SMB Windows9x password verification vulnerability
10414	WinLogon.exe DoS
10398	SMB get domain SID
10456	SMB enum services
10395	SMB shares enumeration
10901	Users in the 'Account Operator' group
10902	Users in the Admin group
10904	Users in the 'Backup Operator' group
10908	Users in the Domain Admin group
10905	Users in the 'Print Operator' group
10906	Users in the 'Replicator' group
10349	sojourn.cgi
10907	Guest belongs to a group
10903	Users in the 'System Operator' group
10859	SMB get host SID
10397	SMB LanMan Pipe Server browse listing
10911	Local users information : automatically disabled accounts
10912	Local users information : Can't change password
10913	Local users information : disabled accounts
10914	Local users information : Never changed password
10915	Local users information : User has never logged on
10916	Local users information : Passwords never expires
10404	SMB log in as users
10394	SMB log in
10642	SMB Registry : SQL7 Patches
10785	SMB NativeLanMan
10893	Obtains the lists of users aliases
10894	Obtains the lists of users groups
10910	Obtains local user information
10892	Obtains user information
10433	NT IP fragment reassembly patch not applied (jolt2)
10434	NT ResetBrowser frame & HostAnnouncement flood patc
10482	NetBIOS Name Server Protocol Spoofing patch
10486	Relative Shell Path patch
10485	Service Control Manager Named Pipe Impersonation patch
10499	Local Security Policy Corruption
10504	Still Image Service Privilege Escalation patch
10509	Malformed RPC Packet patch
10519	Telnet Client NTLM Authentication Vulnerability
10525	LPC and LPC Ports Vulnerabilities patch
10632	Webserver file request parsing
10555	Domain account lockout vulnerability
10563	Incomplete TCP/IP packet vulnerability
10603	Winsock Mutex vulnerability
10693	NTLMSSP Privilege Escalation
10615	Malformed PPTP Packet Stream vulnerability
10619	Malformed request to domain controller
10668	Malformed request to index server
10734	IrDA access violation patch
10806	RPC Endpoint Mapper can Cause RPC Service to Fail
10861	IE 5.01 5.5 6.0 Cumulative patch Q324929
10865	Checks for MS HOTFIX for snmp buffer overruns
10866	XML Core Services patch (Q318203)
10926	IE VBScript Handling patch (Q318089)
10945	Opening Group Policy Files (Q318089)
10944	MUP overlong request kernel overflow Patch (Q311967)
10943	Cumulative Patch for Internet Information Services (Q327696)
10964	Windows Debugger flaw can Lead to Elevated Privileges (Q320206)
11143	Exchange 2000 Exhaust CPU Resources (Q320436)
11029	Windows RAS overflow (Q318138)
11091	Windows Network Manager Privilege Elevation (Q326886)
11144	Flaw in Certificate Enrollment Control (Q323172)
11145	Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)
11146	Microsoft RDP flaws could allow sniffing and DOS(Q324380)
11177	Flaw in Microsoft VM JDBC Classes Could Allow Code Execution (Q329077)
11148	Unchecked Buffer in Decompression Functions(Q329048)
11147	Unchecked Buffer in Windows Help(Q323255)
11178	Unchecked Buffer in PPTP Implementation Could Enable DOS Attacks (Q329834)
11191	WM_TIMER Message Handler Privilege Elevation (Q328310)
11110	SMB null param count DoS
10412	SMB Registry : Autologon
10427	SMB Registry : permissions of HKLM
10400	SMB accessible registry
10428	SMB fully accessible registry
10431	SMB Registry : missing winreg
10413	SMB Registry : is the remote host a PDC/BDC
10567	SMB Registry : permissions of the RAS key
10430	SMB Registry : permissions of keys that can lead to admin
10426	SMB Registry : permissions of Schedule
10401	SMB Registry : NT4 Service Pack version
10531	SMB Registry : Win2k Service Pack version
11119	SMB Registry : XP Service Pack version
10449	SMB Registry : value of SFCDisable
10432	SMB Registry : permissions of keys that can change common paths
10429	SMB Registry : permissions of winlogon
10553	SMB Registry : permissions of WinVNC's key
10917	SMB Scope
10860	SMB use host SID to enumerate local users
10399	SMB use domain SID to enumerate users
10457	The alerter service is running
10458	The messenger service is running
10895	Users information : automatically disabled accounts
10896	Users information : Can't change password
10897	Users information : disabled accounts
10898	Users information : Never changed password
10899	Users information : User has never logged on
10900	Users information : Passwords never expires
10835	Unchecked Buffer in XP upnp
11141	Crash SMC AP
11034	SMTP antivirus filter
11036	SMTP antivirus scanner DoS
10258	Sendmail's from piped program
10520	PIX's smtp content filtering
10259	Sendmail mailing to files
10260	HELO overflow
10703	SMTP Authentication Error
11053	IMC SMTP EHLO Buffer Overrun
10261	Sendmail mailing to programs
10262	Mail relaying
10263	SMTP Server type and version
11038	SMTP settings
11079	Snapstream PVS web directory traversal
10969	Obtain Cisco type via SNMP
10264	Default community names of the SNMP Agent
10265	An SNMP Agent is running
10266	UDP null size going to SNMP DoS
10551	Obtain network interfaces list via SNMP
10547	Enumerate Lanman services via SNMP
10548	Enumerate Lanman shares via SNMP
10546	Enumerate Lanman users via SNMP
10857	SNMP bad length field DoS
10858	SNMP bad length field DoS (2)
10550	Obtain processes list via SNMP
10800	Obtain OS type via SNMP
10688	SNMP VACM
10659	snmpXdmid overflow
11126	SOCKS4A hostname overflow
11164	SOCKS4 username overflow
10393	spin_client.cgi buffer overrun
11139	wpoison (nasl version)
10765	SQLQHit Directory Structure Disclosure
10768	DoSable squid proxy server
10923	Squid overflows
11066	SunSolve CD CGI user input validation
10882	SSH protocol version 1 enabled
10708	SSH 3.0.0
10965	SSH 3 AllowedAuthentication
10607	SSH1 CRC-32 compensation attack
10267	SSH Server type and version
10268	SSH Insertion Attack
10472	SSH Kerberos issue
10269	SSH Overflow
10881	SSH protocol versions supported
11169	SSH setsid() vulnerability
10270	Stacheldraht Detect
10544	format string attack against statd
10639	store.cgi
10817	Interactive Story Directory Traversal Vulnerability
10271	stream.c
10803	Redhat Stronghold File System Disclosure
10409	SubSeven
10878	Sun Cobalt Adaptive Firewall Detection
10272	SunKill
10503	Reading CGI script sources using /cgi-bin-sdb
10560	SuSE's identd overflow
10273	Detect SWAT server port
10590	SWAT allows user names to be obtained by brute force
10493	SWC Overflow
11171	SWS unfinished line DoS
10274	SyGate Backdoor
10275	Systat
10276	TCP Chorusing
10279	Teardrop
10584	technote's main.cgi
10280	Telnet
10281	Detect Server type and version via Telnet
10474	GAMSoft TelSrv 1.4/1.5 Overflow
10709	TESO in.telnetd buffer overflow
10282	test-cgi
10283	TFN Detect
10284	TFS SMTP 3.2 MAIL FROM overflow
10285	thttpd 2.04 buffer overflow
10286	thttpd flaw
10523	thttpd ssi file retrieval
10596	Tinyproxy heap overflow
11059	Trend Micro OfficeScan Denial of service
10477	Tomcat's /admin is world readable
11150	Tomcat servlet engine MD/DOS device names denial of service
10807	Jakarta Tomcat Path Disclosure
10478	Tomcat's snoop servlet gives too much information
11176	Tomcat 4.x JSP Source Exposure
10672	Unknown CGIs arguments torture
10287	Traceroute
10491	ASP/ASA source using Microsoft Translate f: bug
10501	Trinity v3 Detect
10288	Trin00 Detect
10743	Tripwire for Webpages Detection
10696	ttawebtop
11136	/bin/login overflow exploitation
11097	TypSoft FTP STOR/RETR DoS
11140	UDDI detection
10791	Ultraseek Web Server Detect
10542	UltraSeek 3.1.x Remote DoS
10289	Microsoft Media Server 4.1 - DoS
10290	Upload cgi
10291	uploader.exe
10829	scan for UPNP hosts
10645	ustorekeeper
10292	uw-imap buffer overflow
10374	uw-imap buffer overflow after logon
11179	vBulletin's Calender Command Execution Vulnerability
10293	vftpd buffer overflow
10294	view_source
11107	viralator
10295	OmniHTTPd visadmin exploit
10744	VisualRoute Web Server Detection
10758	Check for VNC HTTP
10342	Check for VNC
11165	vpasswd.cgi
10463	vpopmail input validation bug
10354	vqServer administrative port
10355	vqServer web traversal vulnerability
10650	VirusWall's catinfo overflow
11184	vxworks ftpd buffer overflow Denial of Service
11185	vxworks ftpd buffer overflow
10296	w3-msql overflow
10610	way-board
10470	WebActive world readable log file
10816	Webalizer Cross Site Scripting Vulnerability
11095	webcart.cgi
10298	Webcart misconfiguration
10526	IIS : Directory listing through WebDAV
10505	Directory listing through WebDAV
10299	webdist.cgi
10592	webdriver
10475	Buffer overflow in WebSitePro webfind.exe
10300	webgais
10697	WebLogic Server DoS
10698	WebLogic Server /%00/ bug
10757	Check for Webmin
10662	Web mirroring
10367	TalentSoft Web+ Input Validation Bug Vulnerability
10373	TalentSoft Web+ version detection
11089	Webseal denial of service
10301	websendmail
11151	Webserver 4D Cleartext Passwords
10302	robot(s).txt exists on the Web Server
10557	WebShield
10008	WebSite 1.0 buffer overflow
10303	WebSite pro reveals the physical file path of web directories
10476	WebsitePro buffer overflow
10304	WebSpeed remote configuration
11181	WebSphere Host header overflow
11010	WebSphere Cross Site Scripting
10616	webspirs.cgi
10297	Web server traversal
10487	WFTP 2.41 rc11 multiple DoS
10466	WFTP RNTO DoS
10305	WFTP login check
10306	whois_raw
10365	Windmail.exe allows any user to execute arbitrary commands
10940	Windows Terminal Service Enabled
10310	Wingate denial of service
10309	Passwordless Wingate installed
10311	Wingate POP3 USER overflow
10312	WindowsNT DNS flood denial
10313	WindowsNT PPTP flood denial
10314	Winnuke
10316	WinSATAN
10315	WINS UDP flood denial
10307	Trin00 for Windows Detect
11108	Omron WorldView Wnn Overflow
10745	WorldClient for MDaemon Server Detection
11049	Worldspan gateway DOS
10317	wrap
11167	Webserver4everyone too long URL
11094	WS FTP overflows
10318	wu-ftpd buffer overflow
10452	wu-ftpd SITE EXEC vulnerability
10319	wu-ftpd SITE NEWER vulnerability
10321	wwwboard passwd.txt
11084	Infinite HTTP request
10515	Too long authorization
11077	HTTP Cookie overflow
11127	HTTP 1.0 header overflow
11129	HTTP 1.1 header overflow
11078	HTTP header overflow
11065	HTTP method overflow
10687	Too long POST command
10320	Too long URL
11069	HTTP User-Agent overflow
11061	HTTP version number overflow
10597	wwwwais
10891	X Display Manager Control Protocol (XDMCP)
11015	Xerver web server DOS
11188	X Font Service Buffer Overflow
10322	Xitami Web Server buffer overflow
10559	XMail APOP Overflow
10407	X Server
11121	xtel detection
11120	xtelw detection
10323	XTramail control denial
10324	XTramil MTA 'HELO' denial
10325	Xtramail pop3 overflow
10512	YaBB
11016	xtux server detection
10326	Yahoo Messenger Denial of Service attack
10684	yppasswdd overflow
10327	Zeus shows the content of the cgi scripts
10830	zml.cgi Directory Traversal
10702	Zope DoS
10569	Zope Image updating Method
10447	Zope DocumentTemplate package problem
10777	Zope ZClass permission mapping bug
10714	Default password router Zyxel
10328	Default accounts
10330	Services
10331	FTP bounce scan
10332	ftp writeable directories
10909	Brute force login (Hydra)
10333	Linux TFTP get file
10335	tcp connect() scan
10336	Nmap
10384	IRIX Objectserver
10337	QueSO
10338	smad
10863	SSL ciphers
10339	TFTP get file

Preferences settings for this scan

max_hosts		16
max_checks		10
log_whole_attack		yes
report_killed_plugins		yes
cgi_path		/cgi-bin
port_range		1-1024
optimize_test		yes
language		english
per_user_base		/usr/local/var/nessus/users
checks_read_timeout		5
delay_between_tests		1
non_simult_ports		139, 445
plugins_timeout		320
safe_checks		yes
auto_enable_dependencies		yes
use_mac_addr		no
save_knowledge_base		no
kb_restore		no
only_test_hosts_whose_kb_we_dont_have		no
only_test_hosts_whose_kb_we_have		no
kb_dont_replay_scanners		no
kb_dont_replay_info_gathering		no
kb_dont_replay_attacks		no
kb_dont_replay_denials		no
kb_max_age		864000
plugin_upload		no
plugin_upload_suffixes		.nasl
admin_user		root
ntp_save_sessions		yes
ntp_detached_sessions		yes
server_info_nessusd_version		1.2.7
server_info_libnasl_version		1.2.7
server_info_libnessus_version		1.2.7
server_info_thread_manager		fork
server_info_os		Linux
server_info_os_version		2.4.18-3
reverse_lookup		no
ntp_keep_communication_alive		yes
ntp_opt_show_end		yes
save_session		no
detached_scan		no
continuous_scan		no

Summary of scanned hosts

Host	Holes	Warnings	Open ports	State
10.1.1.108	7	44	15	Finished

10.1.1.108

Service	Severity	Description
netbios-ns (137/udp)	Info	Port is open
unknown (135/tcp)	Info	Port is open
netbios-ssn (139/tcp)	Info	Port is open
https (443/tcp)	Info	Port is open
microsoft-ds (445/tcp)	Info	Port is open
unknown (1029/tcp)	Info	Port is open
general/tcp	Info	Port is open
unknown (1028/udp)	Info	Port is open
general/icmp	Info	Port is open
general/udp	Info	Port is open
unknown (1026/tcp)	Info	Port is open
ms-sql-s (1433/tcp)	Info	Port is open
ms-sql-m (1434/udp)	Info	Port is open
unknown (1025/tcp)	Info	Port is open
http (80/tcp)	Info	Port is open
netbios-ssn (139/tcp)	High	. It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user the 'guest' access To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261 (Windows 2000). Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$ Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html . All the smb tests will be done as ''/'' in domain WORKGROUP CVE : CVE-2000-0222
http (80/tcp)	High	The IIS server appears to have the .SHTML ISAPI filter mapped. At least one remote vulnerability has been discovered for the .SHTML filter. This is detailed in Microsoft Advisory MS02-018 and results in a denial of service access to the web server. It is recommended that even if you have patched this vulnerability that you unmap the .SHTML extension, and any other unused ISAPI extensions if they are not required for the operation of your site. An attacker may use this flaw to prevent the remote service from working properly. *** Nessus reports this vulnerability using only *** information that was gatherered. Use caution *** when testing without safe checks enabled Solution: See http://www.microsoft.com/technet/security/bulletin/ms02-018.asp and/or unmap the shtml/shtm isapi filters. To unmap the .shtml extension: 1.Open Internet Services Manager. 2.Right-click the Web server choose Properties from the context menu. 3.Master Properties 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .shtml/shtm and sht from the list. Risk factor : Medium CVE : CAN-2002-0072
ms-sql-s (1433/tcp)	High	The remote MS SQL server is vulnerable to the Hello overflow. An attacker may use this flaw to execute commands against the remote host as LOCAL/SYSTEM, as well as read your database content. Solution : Install Microsoft Patch Q316333 at http://support.microsoft.com/default.aspx?scid=kb en-us Q316333&sd=tech or disable the Microsoft SQL Server service or use a firewall to protect the MS SQL port (1433). CVE : CAN-2002-1123 Risk factor : High CVE : CAN-2002-1123
http (80/tcp)	High	The IIS server appears to have the .HTR ISAPI filter mapped. At least one remote vulnerability has been discovered for the .HTR filter. This is detailed in Microsoft Advisory MS02-018, and gives remote SYSTEM level access to the web server. It is recommended that even if you have patched this vulnerability that you unmap the .HTR extension, and any other unused ISAPI extensions if they are not required for the operation of your site. Solution: To unmap the .HTR extension: 1.Open Internet Services Manager. 2.Right-click the Web server choose Properties from the context menu. 3.Master Properties 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .htr from the list. Risk factor : High
http (80/tcp)	High	There's a buffer overflow in the remote web server through the ISAPI filter. It is possible to overflow the remote web server and execute commands as user SYSTEM. Solution: See http://www.microsoft.com/technet/security/bulletin/ms01-044.asp Risk factor : High CVE : CVE-2001-0500
http (80/tcp)	High	The remote IIS server allows anyone to execute arbitrary commands by adding a unicode representation for the slash character in the requested path. Solution: See http://www.microsoft.com/technet/security/bulletin/ms00-078.asp Risk factor : High CVE : CVE-2000-0884
http (80/tcp)	High	When IIS receives a user request to run a script, it renders the request in a decoded canonical form, then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS Server. Solution: See MS advisory MS01-026(Superseded by ms01-044) See http://www.microsoft.com/technet/security/bulletin/ms01-044.asp Risk factor : High CVE : CVE-2001-0333
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncalrpc[LRPC000001e0.00000001]
http (80/tcp)	Low	The remote web server appears to be running with Frontpage extensions. You should double check the configuration since a lot of security problems have been found with FrontPage when the configuration file is not well set up. Risk factor : High if your configuration file is not well set up CVE : CAN-2000-0114
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2 Endpoint: ncacn_np:\\ltree108[\PIPE\INETINFO]
http (80/tcp)	Low	IIS 5 has support for the Internet Printing Protocol(IPP), which is enabled in a default install. The protocol is implemented in IIS5 as an ISAPI extension. At least one security problem (a buffer overflow) has been found with that extension in the past, so we recommend you disable it if you do not use this functionality. Solution: To unmap the .printer extension: 1.Open Internet Services Manager. 2.Right-click the Web server choose Properties from the context menu. 3.Master Properties 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .printer from the list. Risk factor : Low
general/icmp	Low	The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : Low CVE : CAN-1999-0524
http (80/tcp)	Low	The IIS server appears to have the .IDA ISAPI filter mapped. At least one remote vulnerability has been discovered for the .IDA (indexing service) filter. This is detailed in Microsoft Advisory MS01-033, and gives remote SYSTEM level access to the web server. It is recommended that even if you have patched this vulnerability that you unmap the .IDA extension, and any other unused ISAPI extensions if they are not required for the operation of your site. Solution: To unmap the .IDA extension: 1.Open Internet Services Manager. 2.Right-click the Web server choose Properties from the context menu. 3.Master Properties 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .ida from the list. Risk factor : Medium CVE : CAN-2002-0071
netbios-ssn (139/tcp)	Low	The remote native lan manager is : Windows 2000 LAN Manager The remote Operating System is : Windows 5.0 The remote SMB Domain Name is : WORKGROUP
http (80/tcp)	Low	The address in Content-Location is: 10.1.1.108 CVE : CAN-2000-0649
http (80/tcp)	Low	IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions. An attacker may use this flaw to gain more information about the remote host, and hence make more focused attacks. Solution: Select 'Preferences ->Home directory ->Application', and check the checkbox 'Check if file exists' for the ISAPI mappings of your server. Risk factor : Low CVE : CAN-2000-0071
http (80/tcp)	Low	This IIS Server appears to be vulnerable to a Cross Site Scripting due to an error in the handling of overlong requests on an idc file. It is possible to inject Javascript in the URL, that will appear in the resulting page. Risk factor : Medium See also : http://online.securityfocus.com/bid/5900 http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0210&L=ntbugtraq&F=P&S=&P=1391
http (80/tcp)	Low	Asking the main page, a Content-Location header was added to the response. By default, in Internet Information Server (IIS) 4.0, the Content-Location references the IP address of the server rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. Solution: See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP Risk factor : Low CVE : CAN-2000-0649
http (80/tcp)	Low	The remote web server type is : Microsoft-IIS/5.0 Solution : You can use urlscan to change reported server for IIS.
netbios-ssn (139/tcp)	Low	The host SID could be used to enumerate the names of the local users of this host. (we only enumerated users name whose ID is between 1000 and 1020 for performance reasons) This gives extra knowledge to an attacker, which is not a good thing : - Administrator account name : Administrator (id 500) - Guest account name : Guest (id 501) - TsInternetUser (id 1000) - IUSR_VM2KSERVER (id 1001) - IWAM_VM2KSERVER (id 1002) Risk factor : Medium Solution : filter incoming connections this port CVE : CVE-2000-1200
ms-sql-m (1434/udp)	Low	Here is the reply to a MS SQL 'ping' request : uServerName ltree108 InstanceName MSSQLSERVER IsClustered No Version 8.00.194 tcp 1433 np \ltree108ipe\sqluery
netbios-ssn (139/tcp)	Low	The host SID can be obtained remotely. Its value is : ltree108 : 5-21-448539723-1708537768-1202660629 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 and 445 Risk factor : Low CVE : CVE-2000-1200
ms-sql-s (1433/tcp)	Low	It is possible that Microsoft's SQL Server is installed on the remote computer. CVE : CAN-1999-0652
netbios-ssn (139/tcp)	Low	The domain SID can be obtained remotely. Its value is : WORKGROUP : 48-0-0-0-0 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 and 445 Risk factor : Low CVE : CVE-2000-1200
general/tcp	Low	The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host. An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things. Solution : Contact your vendor for a patch Risk factor : Low
http (80/tcp)	Low	The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high). Risk factor : Medium Solutions: Allaire/Macromedia Jrun: http://www.macromedia.com/software/jrun/download/update/ http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html Microsoft IIS: http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html Apache: http://httpd.apache.org/info/css-security/ ColdFusion: http://www.macromedia.com/v1/handlers/index.cfm?ID=23047 General: http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html http://www.cert.org/advisories/CA-2000-02.html
netbios-ssn (139/tcp)	Low	The following local accounts have never changed their password : Administrator TsInternetUser IUSR_VM2KSERVER IWAM_VM2KSERVER To minimize the risk of break-in, users should change their password regularly
netbios-ssn (139/tcp)	Low	The following local accounts have never logged in : Guest TsInternetUser Unused accounts are very helpful to hacker Solution : suppress these accounts Risk factor : Medium
netbios-ssn (139/tcp)	Low	The following local accounts have passwords which never expire : Administrator Guest TsInternetUser IUSR_VM2KSERVER IWAM_VM2KSERVER Password should have a limited lifetime Solution : disable password non-expiry Risk factor : Medium
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncalrpc[LRPC000002d8.00000001]
unknown (1026/tcp)	Low	A DCE service is listening on this port UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncacn_ip_tcp:10.1.1.108[1026]
https (443/tcp)	Low	An unknown service is running on this port. It is usually reserved for HTTPS
netbios-ssn (139/tcp)	Low	Here is the browse list of the remote host : INSTRUCTOR - LTREE1 - LTREE10 - LTREE101 - LTREE102 - LTREE103 - LTREE104 - LTREE105 - LTREE106 - LTREE107 - LTREE108 - LTREE109 - LTREE11 - LTREE110 - LTREE111 - LTREE112 - LTREE12 - LTREE125 - LTREE13 - LTREE15 - LTREE2 - LTREE3 - LTREE4 - LTREE5 - LTREE6 - LTREE7 - LTREE8 - LTREE9 - This is potentially dangerous as this may help the attack of a potential hacker by giving him extra targets to check for Solution : filter incoming traffic to this port Risk factor : Low
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncalrpc[LRPC000002d8.00000001]
general/udp	Low	For your information, here is the traceroute to 10.1.1.108 : 10.1.1.108
http (80/tcp)	Low	A web server is running on this port
unknown (1026/tcp)	Low	A DCE service is listening on this port UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncacn_ip_tcp:10.1.1.108[1026]
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncalrpc[ntsvcs] Annotation: Messenger Service
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\ltree108[\PIPE\ntsvcs] Annotation: Messenger Service
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncacn_np:\\ltree108[\PIPE\scerpc] Annotation: Messenger Service
unknown (1028/udp)	Low	A DCE service is listening on this port UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1 Endpoint: ncadg_ip_udp:10.1.1.108[1028] Annotation: Messenger Service
netbios-ns (137/udp)	Low	. The following 7 NetBIOS names have been gathered : LTREE108 = This is the computer name registered for workstation services by a WINS client. LTREE108 WORKGROUP = Workgroup / Domain name WORKGROUP = Workgroup / Domain name (part of the Browser elections) LTREE108 = Computer name that is registered for the messenger service on a computer that is a WINS client. INet~Services = Workgroup / Domain name (Domain Controller) IS~ltree108 = This is the computer name registered for workstation services by a WINS client. . The remote host has the following MAC address on its adapter : 0x00 0x50 0x56 0x40 0x42 0x3f If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. Risk factor : Medium
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2 Endpoint: ncalrpc[OLE4]
unknown (135/tcp)	Low	A DCE service is listening on this host UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2 Endpoint: ncalrpc[INETINFO_LPC]
unknown (1029/tcp)	Low	A DCE service is listening on this port UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2 Endpoint: ncacn_ip_tcp:10.1.1.108[1029]
general/tcp	Low	Nmap found that this host is running Windows Millennium Edition (Me), Win 2000, or WinXP
unknown (135/tcp)	Low	DCE services running on the remote can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Solution : filter incoming traffic to this port. Risk factor : Low
http (80/tcp)	Low	The following directories were discovered: /_vti_bin, /images The following directories require authentication: /printers
netbios-ssn (139/tcp)	Low	The following local accounts are disabled : Guest To minimize the risk of break-in, permanently disabled accounts should be deleted Risk factor : Low
http (80/tcp)	Low	This IIS Server appears to vulnerable to one of the cross site scripting attacks described in MS02-018. The default '404' file returned by IIS uses scripting to output a link to top level domain part of the url requested. By crafting a particular URL it is possible to insert arbitrary script into the page for execution. The presence of this vulnerability also indicates that you are vulnerable to the other issues identified in MS02-018 (various remote buffer overflow and cross site scripting attacks...) References: http://www.microsoft.com/technet/security/bulletin/MS02-018.asp http://jscript.dk/adv/TL001/ Risk factor : Medium CVE : CAN-2002-0074
unknown (1025/tcp)	Low	A DCE service is listening on this port UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1 Endpoint: ncacn_ip_tcp:10.1.1.108[1025]