Forum: Newbie Paradise  Title: This machine has quite a lot of vulnerabilities, and it's a university at that!!!
Author: zz007 [zz007]    Forum user
ip 61.242.215.66
Below are the xscan scan results!!
主机分析: 61.242.215.66
主机地址 端口/服务 服务漏洞
61.242.215.66 smtp (25/tcp) 发现安全提示
61.242.215.66 https (443/tcp) 发现安全提示
61.242.215.66 netbios-ssn (139/tcp) 发现安全漏洞
61.242.215.66 www (80/tcp) 发现安全漏洞
61.242.215.66 epmap (135/tcp) 发现安全警告
61.242.215.66 microsoft-ds (445/tcp) 发现安全提示
61.242.215.66 cifs (445/tcp) 发现安全漏洞
61.242.215.66 smb (139/tcp) 发现安全提示
61.242.215.66 DCE/906b0ce0-c70b-1067-b317-00dd010662da (1025/tcp) 发现安全提示
61.242.215.66 DCE/1ff70682-0a51-30e8-076d-740be8cee98b (1026/tcp) 发现安全提示
61.242.215.66 DCE/82ad4280-036b-11cf-972c-00aa006887b0 (1028/tcp) 发现安全提示
61.242.215.66 unknown (3005/udp) 发现安全提示
61.242.215.66 netbios-ns (137/udp) 发现安全警告
61.242.215.66 tcp 发现安全提示



安全漏洞及解决方案: 61.242.215.66
类型 端口/服务 安全漏洞及解决方案
提示 smtp (25/tcp) A SMTP server is running on this port
Here is its banner :
220 406serve-ilvzks Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Sun, 4 Jul 2004 10:43:10 +0800
NESSUS_ID : 10330

提示 smtp (25/tcp) Remote SMTP server banner :
220 406serve-ilvzks Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Sun, 4 Jul 2004 10:45:57 +0800



This is probably: Microsoft Exchange version 5.0.2195.6713 ready at Sun, 4 Jul 2004 10:45:57 +0800

NESSUS_ID : 10263

提示 https (443/tcp) Maybe the "https" service running on this port.

NESSUS_ID : 10330

漏洞 netbios-ssn (139/tcp) NT-Server弱口令: "administrator/[空口令]", 帐户类型: 管理员(Administrator) 
提示 netbios-ssn (139/tcp) Maybe the "netbios-ssn" service running on this port.

Here is its banner:
83 .
NESSUS_ID : 10330

漏洞 www (80/tcp)
The IIS server appears to have the .HTR ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.

It is recommended that, even if you have patched this vulnerability,
you unmap the .HTR extension and any other unused ISAPI extensions
if they are not required for the operation of your site.

Solution :
To unmap the .HTR extension:
1.Open Internet Services Manager.
2.Right-click the Web server choose Properties from the context menu.
3.Master Properties
4.Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .htr from the list.

In addition, you may wish to download and install URLSCAN from the
Microsoft Technet Website. URLSCAN, by default, blocks all requests
for .htr files.

Risk factor : High
CVE_ID : CVE-2002-0071
BUGTRAQ_ID : 4474
NESSUS_ID : 10932
Other references : IAVA:2002-A-0002

漏洞 www (80/tcp)
The remote WebDAV server may be vulnerable to a buffer overflow when
it receives a too long request.

An attacker may use this flaw to execute arbitrary code within the
LocalSystem security context.

*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive

Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
Risk Factor : High
CVE_ID : CAN-2003-0109
BUGTRAQ_ID : 7116
NESSUS_ID : 11412
Other references : IAVA:2003-A-0005

警告 www (80/tcp) CGI漏洞: http://61.242.215.66/abczxv.htw
警告 www (80/tcp) CGI漏洞: http://61.242.215.66/null.ida
警告 www (80/tcp) CGI漏洞: http://61.242.215.66/null.idq
警告 www (80/tcp) CGI漏洞: http://61.242.215.66/scripts
警告 www (80/tcp) CGI漏洞: http://61.242.215.66/scripts/samples/search/qfullhit.htw
警告 www (80/tcp) CGI漏洞: http://61.242.215.66/scripts/samples/search/qsumrhit.htw
提示 www (80/tcp) A web server is running on this port
NESSUS_ID : 10330

提示 www (80/tcp)
The following directories require authentication:
/printers
NESSUS_ID : 11032

提示 www (80/tcp) This web server was fingerprinted as MS IIS 5.0 on Win2000 SP4 or 5.1 on WinXP SP1
which is consistent with the displayed banner: Microsoft-IIS/5.0
NESSUS_ID : 11919

提示 www (80/tcp) The remote web server type is :

Microsoft-IIS/5.0

Solution : You can use urlscan to change reported server for IIS.
NESSUS_ID : 10107

警告 epmap (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
NESSUS_ID : 10736

提示 epmap (135/tcp) Maybe the "epmap" service running on this port.

NESSUS_ID : 10330

提示 microsoft-ds (445/tcp) Maybe the "microsoft-ds" service running on this port.

NESSUS_ID : 10330

漏洞 cifs (445/tcp) It was possible to log into the remote host using the following
login/password combinations :
'administrator'/''

It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as 'administrator'/'' in domain WORKGROUP
CVE_ID : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BUGTRAQ_ID : 494, 990
NESSUS_ID : 10394

漏洞 cifs (445/tcp) The remote Windows 2000 does not have the Service Pack 4 applied.
You should apply it to be up-to-date
Risk factor : High
Solution : go to http://www.microsoft.com/windows2000/downloads/
CVE_ID : CAN-1999-0662
BUGTRAQ_ID : 7930, 8090, 8128, 8154
NESSUS_ID : 10531

漏洞 cifs (445/tcp)
An overflow in the RAS phonebook service allows a local user
to execute code on the system with the privileges of LocalSystem.

Impact of vulnerability: Elevation of Privilege

Affected Software:

Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP

Recommendation: Users using any of the affected
products should install the patch immediately.

Maximum Severity Rating: Critical (locally)

See http://www.microsoft.com/technet/security/bulletin/ms02-029.mspx

Risk factor : High
CVE_ID : CVE-2002-0366
BUGTRAQ_ID : 4852
NESSUS_ID : 11029

漏洞 cifs (445/tcp)
The hotfix for the 'Malformed request to index server'
problem has not been applied.

This vulnerability can allow an attacker to execute arbitrary
code on the remote host.

Solution : See http://www.microsoft.com/technet/security/bulletin/ms01-025.mspx
Risk factor : Serious
CVE_ID : CVE-2001-0244, CVE-2001-0245
BUGTRAQ_ID : 2709
NESSUS_ID : 10668

漏洞 cifs (445/tcp)
The hotfix for the 'IrDA access violation patch'
problem has not been applied.

This vulnerability can allow an attacker who is physically
near the W2K host to shut it down using a remote control.

Solution : See http://www.microsoft.com/technet/security/bulletin/ms01-046.mspx
Or POST SP2 Security Rollup: http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp

Risk factor : Serious
CVE_ID : CVE-2001-0659
BUGTRAQ_ID : 3215
NESSUS_ID : 10734

漏洞 cifs (445/tcp)
The remote host is vulnerable to a flaw in ntdll.dll
which may allow an attacker to gain system privileges,
by exploiting it thru, for instance, WebDAV in IIS5.0
(other services could be exploited, locally and/or remotely)

Note : On Win2000, this advisory is superceded by MS03-013

Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
Risk factor : High
CVE_ID : CAN-2003-0109
BUGTRAQ_ID : 7116
NESSUS_ID : 11413
Other references : IAVA:2003-A-0005

漏洞 cifs (445/tcp)
Authentication Flaw in Windows Debugger can Lead to Elevated
Privileges (Q320206)

Impact of vulnerability: Elevation of Privilege

Affected Software:

Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000

Recommendation: Users using any of the affected
products should install the patch immediately.

Maximum Severity Rating: Critical (locally)

See http://www.microsoft.com/technet/security/bulletin/ms02-024.mspx

Risk factor : High
CVE_ID : CVE-2002-0367
BUGTRAQ_ID : 4287
NESSUS_ID : 10964

警告 cifs (445/tcp)
The remote registry can be accessed remotely using the login / password
combination used for the SMB tests.

Having the registry accessible to the world is not a good thing as it gives
extra knowledge to a hacker.

Solution : Apply service pack 3 if not done already, and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.

In addition to this, you should consider filtering incoming packets to this
port.

Risk factor : Low
CVE_ID : CAN-1999-0562
NESSUS_ID : 10400

提示 cifs (445/tcp) A CIFS server is running on this port
NESSUS_ID : 11011

提示 cifs (445/tcp)

Nessus did not access the remote registry completely,
because this needs to be logged in as administrator.

If you want the permissions / values of all the sensitive
registry keys to be checked for, we recommend that
you fill the 'SMB Login' options in the
'Prefs.' section of the client by the administrator
login name and password.

Risk factor : None
NESSUS_ID : 10428

提示 smb (139/tcp) An SMB server is running on this port
NESSUS_ID : 11011

提示 DCE/906b0ce0-c70b-1067-b317-00dd010662da (1025/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:61.242.215.66[1025]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.3.1[1025]




Solution : filter incoming traffic to this port.
Risk Factor : Low
NESSUS_ID : 10736

提示 DCE/1ff70682-0a51-30e8-076d-740be8cee98b (1026/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:61.242.215.66[1026]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:192.168.3.1[1026]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:61.242.215.66[1026]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:192.168.3.1[1026]



Solution : filter incoming traffic to this port.
Risk Factor : Low
NESSUS_ID : 10736

提示 DCE/82ad4280-036b-11cf-972c-00aa006887b0 (1028/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_ip_tcp:61.242.215.66[1028]

UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_ip_tcp:192.168.3.1[1028]

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_ip_tcp:61.242.215.66[1028]

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_ip_tcp:192.168.3.1[1028]

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_ip_tcp:61.242.215.66[1028]

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_ip_tcp:192.168.3.1[1028]



Solution : filter incoming traffic to this port.
Risk Factor : Low
NESSUS_ID : 10736

提示 unknown (3005/udp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncadg_ip_udp:61.242.215.66[3005]

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncadg_ip_udp:192.168.3.1[3005]



Solution : filter incoming traffic to this port.
Risk Factor : Low
NESSUS_ID : 10736

警告 netbios-ns (137/udp) The following 6 NetBIOS names have been gathered :
406SERVE-ILVZKS = This is the computer name registered for workstation services by a WINS client.
406SERVE-ILVZKS = Computer name
WORKGROUP = Workgroup / Domain name
INet~Services = Workgroup / Domain name (Domain Controller)
IS~6SERVE-ILVZK
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:02:b3:26:a8:e9

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE_ID : CAN-1999-0621
NESSUS_ID : 10150

提示 tcp The remote host is running Microsoft Windows 2000 Server
NESSUS_ID : 11936




Original post  Posted: 04-07-04 11:16

Reply: wish [wish259]   Forum user
Universities are only human too, it's perfectly normal

Floor B1  Posted: 04-07-04 11:37

Reply: lijingxi [lijingxi]   Trainee moderator
Please don't post the IP, okay!

Floor B2  Posted: 04-07-04 11:39

Reply: abctm [abctm]   Moderator
1. Please don't post the IP, okay!

2. With so many ports open, did you actually get in? It might well be a honeypot?

Floor B3  Posted: 04-07-04 11:59

Reply: zhong [zhong]   Trainee moderator
The IP has been made public
Maybe someone has already gotten in

Floor B4  Posted: 04-07-04 12:57

Reply: lgf [lgf]   Forum user
Exactly
In future, when posting this kind of thread,
it's best not to post the IP

Floor B5  Posted: 04-07-04 14:22

Copyright © 2000-2010 20CN Security Group. All Rights Reserved.