bonsai.fr.nessus.org

Repartition of the level of the security problems :

List of open ports :

• ftp (21/tcp)
• smtp (25/tcp)
• www (80/tcp) (Security hole found)
• poppassd (106/tcp)
• pop-3 (110/tcp)
• unknown (135/tcp)
• netbios-ssn (139/tcp) (Security hole found)
• imap2 (143/tcp)
• unknown (389/tcp)
• https (443/tcp)
• unknown (554/tcp)
• snews (563/tcp)
• ssl-ldap (636/tcp)
• unknown (674/tcp)
• simap (993/tcp)
• unknown (1028/tcp)
• unknown (1032/tcp)
• unknown (1037/tcp)
• unknown (1190/tcp)
• unknown (2306/tcp)
• unknown (4040/tcp)
• unknown (5050/tcp)
• unknown (5228/tcp)
• unknown (7070/tcp)
• unknown (7802/tcp)
• unknown (8010/tcp)
• webcache (8080/tcp)
• unknown (8100/tcp)
• unknown (8570/tcp)
• unknown (9010/tcp)
• unknown (9090/tcp)
• unknown (9100/tcp)
• general/tcp
• general/udp
• netbios-ns (137/udp)

Information found on port ftp (21/tcp)

bonsai microsoft ftp service (version 4.0).

500 'get / http/1.0': command not understood

Information found on port ftp (21/tcp)

The FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should deactivate
the anonymous account, since it can only cause troubles.
Under most Unix system, doing :
echo ftp >> /etc/ftpusers
will correct this.

Risk factor : Low
CVE : CAN-1999-0497

Information found on port smtp (25/tcp)

bonsai.fr.nessus.org ESMTP CommuniGate Pro 3.1.
214-Commands Supported:214-HELO EHLO AUTH HELP QUIT MAIL NOOP RSET RCPT DATA ETRN VRFY STARTTLS

214-Copyright (c) 1995-1998, Stalker Software, Inc.

214-To report problems, send mail to <support@stalker.com>

214-

214 End Of Help

Information found on port smtp (25/tcp)

The remote STMP server seems to allow remote users to
send mail anonymously by providing a too long argument
to the HELO command (more than 1024 chars).

This problem may allow bad guys to send hate
mail, or threatening mail using your server
and keep their anonymity.

Risk factor : Low.

Solution : If you are using sendmail, upgrade to
version 8.9.x. If you do not run sendmail, contact
your vendor.
CVE : CAN-1999-0098

Information found on port smtp (25/tcp)

The remote SMTP server allows the relaying. This means that
it allows spammers to use your mail server to send their mails to
the world, thus wasting your network bandwidth.

Risk factor : Low/Medium

Solution : configure your SMTP server so that it can't be used as a relay
any more.
CVE : CAN-1999-0512

Vulnerability found on port www (80/tcp)

The CGI /scripts/tools/newdsn.exe is present.

This CGI allows any cracker to create files
anywhere on your system if your NTFS permissions
are not tight enough, and can be used to overwrite
DSNs on existing dabases.

Solution : remove it
Risk factor : High
CVE : CVE-1999-0191

Vulnerability found on port www (80/tcp)

The webserver is likely vulnerable to a common IIS exploit from a hacker
called 'Rain Forest Puppy'. This exploit enables an attacker to execute _ANY_
command on the server with Administrator Privileges. The exploit is made possible
via a buffer overflow in /msadc/msadcs.dll

See BUGTRAQ ID 529 on www.securityfocus.com (http://www.securityfocus.com/bid/529)
for more information.

Risk factor : High

Vulnerability found on port www (80/tcp)

It is possible to get the source code of the remote
ASP scripts by doing the request :

GET /null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full


ASP source codes usually contain sensitive informations such
as logins and passwords.

Solution : if you need the functionnality provided by WebHits, then
install the patch available at :
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

If you do not need this functionality, then unmap the .htw extensions
from webhits.dll using Internet Service Manager MMC snap-in.

Risk factor : Serious
CVE : CVE-2000-0097

Vulnerability found on port www (80/tcp)

The CGI /scripts/tools/mkilog.exe is present.

This CGI allows any cracker to view SQL databases
informations as to modify it.

Solution : remove it
Risk factor : Serious

Vulnerability found on port www (80/tcp)

Some of the following sample files are present :

/iissamples/issamples/fastq.idq
/iissamples/issamples/query.idq
/iissamples/exair/search/search.idq
/iissamples/exair/search/query.idq
/iissamples/issamples/oop/qsumrhit.htw?CiWebHitsFile=/iissamples/issamples/oop/qsumrhit.htw&CiRestriction=none&CiHiliteType=Full
/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/iissamples/issamples/oop/qfullhit.htw&CiRestriction=none&CiHiliteType=Full
/scripts/samples/search/author.idq
/scripts/samples/search/filesize.idq
/scripts/samples/search/filetime.idq
/scripts/samples/search/queryhit.idq
/scripts/samples/search/simple.idq
/iissamples/exair/howitworks/codebrws.asp
/iissamples/issamples/query.asp


They all contain various security flaws that allows a
cracker to execute arbitrary commands, read arbitrary files
or gain more knowledge about the remote system.

Solution : delete the whole /iissamples directory
Risk factor : High

Vulnerability found on port www (80/tcp)

The file /scripts/repost.asp is present.

This file allows users to upload files to the
/users directory if it has not been configured
properly

Solution : create /users and make sure that the
internet anonymous internet account is
only given read access to it

Risk factor : Serious

Vulnerability found on port www (80/tcp)

The file /iisadmpwd/aexp2.htr is present.

A cracker may use it in a brute force attack
to gain valid username/password.

Solution : delete it
Risk factor : Serious

Vulnerability found on port www (80/tcp)

The dll '/_vti_bin/_vti_aut/dvwssr.dll' seems to be present.

This dll contains a bug which allows anyone with
authoring web permissions on this system to alter
the files of other users.

In addition to this, this file is subject to a buffer overflow
which allows anyone to execute arbitrary commands on the
server and/or disable it

Solution : delete /_vti_bin/_vti_aut/dvwssr.dll
Risk factor : High
See also : http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=1

Vulnerability found on port www (80/tcp)

It is possible to get the source code of the remote
ASP scripts by appending ::$DATA at the end
of the request (like GET /default.asp::$DATA)


ASP source codes usually contain sensitive informations such
as logins and passwords.

Solution : install all the latest Microsoft Security Patches

Risk factor : Serious
CVE : CVE-1999-0278

Information found on port www (80/tcp)

Microsoft-IIS/4.0

Information found on port www (80/tcp)

The remote web server appears to be running with
Frontpage extensions.

You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.

Risk factor : High if your configuration file is
not well set up
CVE : CVE-1999-0386

Information found on port pop-3 (110/tcp)

CommuniGate Pro POP3 Server 3.1 ready <3.958234756@bonsai.fr.nessus.org>

Vulnerability found on port netbios-ssn (139/tcp)

. It was possible to log into the remote host using the following
login/password combinations :
'guest'/''

. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access


. The remote host defaults to guest when a user logs in using an invalid
login. For instance, we could log in using the account 'nessus/nessus'

. All the smb tests will be done as 'guest'/''

Vulnerability found on port netbios-ssn (139/tcp)

The following shares can be accessed as guest :

- NETLOGON
- A
- C
- IAS1$
- src$


Solution : To restrict their access under WindowsNT, open the explorer, do a right click on each,
go to the 'sharing' tab, and click on 'permissions'
Risk factor : High
CVE : CAN-1999-0519

Vulnerability found on port netbios-ssn (139/tcp)

. User 'guest' has NO password !
. The password of 'thibault' is 'thibault' !
. User 'MTS Trusted Impersonators' has NO password !
. User 'Cert Requesters' has NO password !
. User 'Cert Server Admins' has NO password !

Information found on port netbios-ssn (139/tcp)

The remote registry can be accessed remotely
using the login / password combination used
for the SMB tests.

Having the registry accessible to the world is
not a good thing as it gives extra knowledge to
a hacker.

Solution : filter incoming traffic to this port or set
tight login restrictions.

Risk factor : Low

Information found on port netbios-ssn (139/tcp)

The domain SID can be obtained remotely. Its value is :

INTRANET : 5-21-20333150-368275040-1648912389

An attacker can use it to obtain the list of the users of the domain
Solution : filter the ports 137 to 139
Risk factor : Low

Information found on port netbios-ssn (139/tcp)

The domain SID could be used to enumerate the names of the users
in the domain.
(we only enumerated users name whose ID is between 1000 and 1050
for performance reasons)
This gives extra knowledge to a cracker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : guest (id 501)
- BONSAI$ (id 1000)
- IUSR_BONSAI (id 1001)
- Renaud (id 1002)
- thibault (id 1003)
- MTS Trusted Impersonators (id 1005)
- IWAM_BONSAI (id 1006)
- Cert Requesters (id 1007)
- Cert Server Admins (id 1008)
- PROFWINDOWS$ (id 1009)

Risk factor : Medium
Solution : filter incoming connections to port 139

Information found on port netbios-ssn (139/tcp)

Here is the browse list of the remote host :

BONSAI -
PROF23567 - Samba Server


This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for

Solution : filter incoming traffic to this port
Risk factor : Low

Information found on port netbios-ssn (139/tcp)

Here is the list of the SMB shares of this host :

NETLOGON - Logon server share
A - disquette
C -
IPC$ - Remote IPC
IAS1$ -
src$ -


This is potentially dangerous as this may help the attack
of a potential hacker.

Solution : filter incoming traffic to this port
Risk factor : Medium

Information found on port unknown (554/tcp)

a web server is running on this port

Information found on port unknown (5228/tcp)

a web server is running on this port

Information found on port unknown (7070/tcp)

a web server is running on this port

Information found on port unknown (8010/tcp)

a web server is running on this port

Information found on port unknown (8010/tcp)

CommuniGatePro/3.1

Information found on port webcache (8080/tcp)

a web server is running on this port

Information found on port unknown (8100/tcp)

a web server is running on this port

Information found on port unknown (8100/tcp)

CommuniGatePro/3.1

Information found on port unknown (8570/tcp)

a web server is running on this port

Information found on port unknown (8570/tcp)

Microsoft-IIS/4.0

Information found on port general/tcp

Nmap found that this host is running Microsoft NT 4.0 Server SP5 + 2047 Hotfixes

Information found on port general/tcp

If numbers are close together, or rise by the same number all the time,
it means that the amount of traffic can be predicted by monitoring
changes in the idetification numbers (since these aren't randomized
enough).

This may help attackers with several other attacks, such as Session
Hijacking or with Session Spoofing, where in those cases the attacker
needs to predict certain charactistics of the attacked computer (such
as traffic size).

The IP Identification numbers retrieved and their relative size were:
ID: 50191
ID: 50447 relative size: 256
ID: 50703 relative size: 256
ID: 50959 relative size: 256
ID: 51215 relative size: 256
ID: 51471 relative size: 256
ID: 51727 relative size: 256
ID: 51983 relative size: 256
ID: 52239 relative size: 256
ID: 52495 relative size: 256

Information found on port general/udp

For your information, here is the traceroute to 192.168.1.8 :
192.168.1.8

Information found on port netbios-ns (137/udp)

. The following 11 NetBIOS names have been gathered :
BONSAI = This is the computer name registered for workstation services by a WINS client.
BONSAI
INTRANET = Workgroup / Domain name
INTRANET
INTRANET
BONSAI = Computer name that is registered for the messenger service on a computer that is a WINS client.
INTRANET
INTRANET

__MSBROWSE__
INet~Services
IS~BONSAI = This is the computer name registered for workstation services by a WINS client.
. The remote host has the following MAC address on its adapter :
0x00 0x80 0xad 0x90 0x23 0x14

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium