Your Company Detailed Scan Results - April 2003

Host 192.168.0.103 ( http://www.your_company.nl )
Scan Type Enterprise
Start Date 13-Apr-03 11:54
End Date 13-Apr-03 16:43
Customer Ref YC103
Contact E-mail Role
janebloggs@yourcompany.com business

Open Ports Found: 7 (High:1 Low:6)

  Port No Protocol Service Details  
  53 tcp domain Closed Immediately with TCP FIN  
  80 tcp http Microsoft-IIS 5.0  
  443 tcp https Microsoft-IIS 5.0  
  53 udp domain Response Received  
 NEW 161 udp snmp uptime 278411121 centiseconds  
 NEW 0 icmp echo reply Response Received  
 NEW 14 icmp timestamp reply Timestamp is 10:46:03  

Warning: You have high-risk (red) ports exposed to the internet. These may not represent a direct vulnerability but it is not common practice to expose these services. Consider restricting access to these ports. This will help to protect you against potential future vulnerabilities.


Ports Closed Since Last Month: 1 (High:0 Low:1)

  Port No Protocol Service Details  
  3053 udp dsom-server Response received  


Vulnerabilities Found: 7 (High:2 Medium:2 Low:3)

Vulnerability 10264 SNMP Default Community Names High Risk
Description The SNMP agent on the remote host uses one or more default or easily guessable community strings. This enables an attacker to extract a lot of useful information, and possibly make configuration changes to the server. A sample of the information that can be extracted:

host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.1 = "System Idle Process"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.8 = "System"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.168 = "SMSS.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.192 = "CSRSS.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.212 = "WINLOGON.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.240 = "SERVICES.EXE"

 
Solution Change the community strings to something unguessable  
References CAN-1999-0186    CAN-1999-0254    CAN-1999-0516    CAN-1999-0517   
First Found 13 July 2002 Port 161/udp Last 6 Months

Vulnerability 11424 IIS WebDAV Buffer Overrun High Risk
Description The remote web server is an IIS server running WebDAV. This may be vulnerable to a buffer overrun when a malicious WebDAV request is sent. When running on an unpatched Windows 2000 server, a remote attacker with no authentication could use this to crash the server and execute arbitrary code.
Note: This may be a false positive as it is not possible to determine remotely if the patch has been applied.  
Solution Apply the patch from Microsoft. In addition, we suggest you edit the registry to disable WebDAV, following these instructions. If you do not disable WebDAV, this vulnerability will continue to appear until you stoplist it.  
References CAN-2003-0109    CERT Advisory CA-2003-09    Microsoft Security Bulletin MS03-007   
First Found 13 May 2002 Port 80/tcp Last 6 Months

Vulnerability 10661 .printer ISAPI Filter Enabled Medium Risk
Description The remote IIS server has the .printer (Internet Printing Protocol) filter enabled. At least one remote vulnerability has been discovered in this filter. To avoid crashing your server, we have not directly tested for the vulnerability and this may not be a real hole. However, as the filter is not usually required, you should turn it off as a matter of good practice.  
Solution If you don't require this filter, disable it. If it is required, make sure the latest patches are applied. 
References CVE-2001-0241    Microsoft Security Bulletin MS01-023   
First Found 13 February 2003 Port 80/tcp Last 6 Months

Vulnerability 10991 IIS global.asa Accessible Medium Risk
Description This web server allows retrieval of the /global.asa file, which may contain sensitive information such as database passwords, physical paths and configuration options. This vulnerability may be caused by a missing ISAPI map of the .asa extension to asp.dll. A sample of your global.asa file:

vti_encoding:SR|utf8-nl
RealmName:fteap-gtrrss03a
InheritPermissions:false
PasswordDir:D:\\inetpub\\wwwroot\\huy\\_vti_pvt

 
Solution Restore the .asa map  
First Found 13 March 2003 Port 80/tcp Last 6 Months

Vulnerability 10077 Microsoft Frontpage Extensions Installed Low Risk
Description The remote web server appears to be running the Microsoft Frontpage extensions. These have had a history of insecurity, so you should carefully check that you have the latest patches applied. It is also common for Frontpage extensions to be insecure because they are misconfigured.  
Solution If you do not require FP extensions, disable them. If they are required, make sure the latest patches are applied. 
References CAN-2000-0114    Microsoft Knowledge Base Q813379    Microsoft Knowledge Base Q813380    Microsoft Security Bulletin MS02-018   
First Found 13 May 2002 Port No information available Last 6 Months

Vulnerability 10114 Host Responded to ICMP Timestamp Request  NEW Low Risk
Description The target host responded to an ICMP timestamp request. This allows an attacker to determine the exact time and date set on your server. This information could be used in attacks against time-based authentication protocols.  
Solution Either disable timestamp replies, or filter them at your firewall.  
References CAN-1999-0524   
First Found 13 May 2002 Port general/icmp Last 6 Months

Vulnerability 90001 Holes Detected in Firewall Configuration Low Risk
Description This host is protected by a firewall. Incoming TCP connections to most ports are blocked; however, some ports were discovered where the firewall allows connections but no service is running. This often indicates a firewall configuration error.
The affected ports are: 81,82 
Solution Reconfigure your firewall to block all ports that you are not running services on. 
References Firewalls FAQ   
First Found 13 March 2003 Port general/tcp Last 6 Months


Vulnerabilities Fixed Since Last Month: 1 (High:0 Medium:0 Low:1)

Vulnerability 10759 Private IP Address Leakage Low Risk
Description The remote web server returned headers containing an RFC 1918 private IP address. This exposes an internal IP address that would usually be masked by a proxy or NAT firewall. The information may be useful to an attacker trying to remotely map your network.
The private IP address is: 172.258.236.2  
Solution For IIS, issue "adsutil set w3svc/UseHostName True" and restart 
References Bugtraq ID 1499    CAN-2000-0649    Microsoft Knowledge Base Q218180   
First Found 13 March 2003 Port 443/tcp Last 6 Months


Historical Information


Stoplisted Vulnerabilities for this Host: 2

Vulnerability 10539 Useable Remote Name Server Medium Risk
Description The remote name server allows recursive queries to be performed by one of our test machines. This allows anyone to use it to resolve third parties' names. Remote users can also extract information about your name lookup patterns, and may be able to perform DNS cache poisoning attacks.  
Solution Restrict recursive queries to trusted addresses. For servers running BIND, use the allow-recursion or allow-query directives. 
References CVE-1999-0024   
First Found 13 March 2003 Port 53/udp Last 6 Months
Stopped By: janebloggs@yourcompany.com     From: 12 March 2003     To: 12 March 2006
Reason None specified

Vulnerability 12217 DNS Cache Snooping Low Risk
Description It is possible for remote attackers to see what domains have been queried through this nameserver, by issuing queries with the "no recursion" bit set. The server responds differently for hosts that have been recently resolved and are cached.  
Solution Restrict access to DNS caches to local users. 
References SideStep   
First Found 13 March 2003 Port 53/udp Last 6 Months
Stopped By: janebloggs@yourcompany.com     From: 12 March 2003     To: 12 March 2006
Reason None specified

Scans by Clearview Systems