Nessus Scan Report
------------------

SUMMARY

 - Number of hosts which were alive during the test : 1
 - Number of security holes found : 5
 - Number of security warnings found : 4
 - Number of security notes found : 17

TESTED HOSTS

 212.72.191.41 (Security holes found)

DETAILS

+ 212.72.191.41 :
 . List of open ports :
   o general/udp (Security notes found)
   o general/icmp (Security notes found)
   o general/tcp (Security notes found)
   o unknown (824/tcp) (Security notes found)
   o sunrpc (111/udp) (Security notes found)
   o ssh (22/tcp) (Security notes found)
   o netsaint (5666/tcp) (Security notes found)
   o http (80/tcp) (Security hole found) (Security warnings found)
   o unknown (11211/tcp) (Security warnings found)
   o sunrpc (111/tcp) (Security notes found)

 . Information found on port general/udp

    For your information, here is the traceroute from 190.200.49.57 to 212.72.191.41 :
    190.200.49.57
    190.200.32.1
    172.16.30.1
    172.16.67.1
    10.127.65.202
    65.208.86.53
    152.63.81.58
    152.63.86.194
    4.68.127.1
    4.68.103.30
    4.69.132.86
    4.69.134.138
    4.69.134.153
    4.69.137.49
    4.69.132.137
    4.69.133.181
    62.140.29.66
    80.252.103.210
    212.72.191.41

 . Information found on port general/icmp

    Synopsis :
    It is possible to determine the exact time set on the remote host.

    Description :
    The remote host answers to an ICMP timestamp request. This allows an
    attacker to know the date which is set on your machine. This may help
    him to defeat all your time-based authentication protocols.

    Solution :
    Filter out the ICMP timestamp requests (13), and the outgoing ICMP
    timestamp replies (14).

    Risk factor : None

    Plugin output :
    The difference between the local and remote clocks is -19 seconds.

    CVE : CVE-1999-0524
 . Information found on port general/tcp

    Information about this scan :

    Nessus version : 4.0.0
    Plugin feed version : 200905192034
    Type of plugin feed : HomeFeed (Non-commercial use only)
    Scanner IP : 190.200.49.57
    Port scanner(s) : nessus_tcp_scanner
    Port range : default
    Thorough tests : no
    Experimental tests : no
    Paranoia level : 1
    Report Verbosity : 1
    Safe checks : yes
    Optimize the test : yes
    Max hosts : 20
    Max checks : 4
    Recv timeout : 5
    Backports : Detected
    Scan Start Date : 2009/5/21 18:58
    Scan duration : 344 sec

 . Information found on port general/tcp

    Remote operating system : Linux Kernel 2.6 on Debian 4.0 (etch)
    Confidence Level : 95
    Method : SSH

    The remote host is running Linux Kernel 2.6 on Debian 4.0 (etch)

 . Information found on port general/tcp

    Synopsis :
    The remote service implements TCP timestamps.

    Description :
    The remote host implements TCP timestamps, as defined by RFC1323. A side
    effect of this feature is that the uptime of the remote host can sometimes
    be computed.

    See also :
    http://www.ietf.org/rfc/rfc1323.txt

    Risk factor : None

 . Information found on port unknown (824/tcp)

    Synopsis :
    An ONC RPC service is running on the remote host.

    Description :
    By sending a DUMP request to the portmapper, it was possible to enumerate
    the ONC RPC services running on the remote port. Using this information,
    it is possible to connect and bind to each service by sending an RPC
    request to the remote port.

    Risk factor : None

    Plugin output :
    The following RPC services are available on TCP port 824 :
      - program: 391002 (sgi_fam), version: 2

 . Information found on port sunrpc (111/udp)

    Synopsis :
    An ONC RPC service is running on the remote host.

    Description :
    By sending a DUMP request to the portmapper, it was possible to enumerate
    the ONC RPC services running on the remote port. Using this information,
    it is possible to connect and bind to each service by sending an RPC
    request to the remote port.
    Risk factor : None

    Plugin output :
    The following RPC services are available on UDP port 111 :
      - program: 100000 (portmapper), version: 2

 . Information found on port ssh (22/tcp)

    Synopsis :
    An SSH server is running on the remote host.

    Description :
    This plugin determines the versions of the SSH protocol supported by the
    remote SSH daemon.

    Risk factor : None

    Plugin output :
    The remote SSH daemon supports the following versions of the SSH protocol :
      - 1.99
      - 2.0

    SSHv2 host key fingerprint : 2e:1b:f7:b8:cf:38:0e:95:1e:e3:6f:ad:47:9a:6b:60

 . Information found on port ssh (22/tcp)

    Synopsis :
    An SSH server is listening on this port.

    Description :
    It is possible to obtain information about the remote SSH server by
    sending an empty authentication request.

    Risk factor : None

    Plugin output :
    SSH version : SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
    SSH supported authentication : publickey,password

 . Information found on port ssh (22/tcp)

    An SSH server is running on this port.

 . Information found on port netsaint (5666/tcp)

    The service closed the connection without sending any data. It might be
    protected by some sort of TCP wrapper.

 . Vulnerability found on port http (80/tcp) :

    Synopsis :
    The remote web server uses a version of PHP that is affected by multiple
    flaws.

    Description :
    According to its banner, the version of PHP installed on the remote host
    is older than 5.2.5. Such versions may be affected by various issues,
    including but not limited to several buffer overflows.

    See also :
    http://www.php.net/releases/5_2_5.php

    Solution :
    Upgrade to PHP version 5.2.5 or later.

    Risk factor : High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

    Plugin output :
    PHP version 5.2.0 appears to be running on the remote host based on the
    following X-Powered-By response header :

      X-Powered-By: PHP/5.2.0-8+etch13

    CVE : CVE-2007-4887, CVE-2007-5898, CVE-2007-5900
    BID : 26403
    Other references : OSVDB:38680, OSVDB:38681, OSVDB:38682, OSVDB:38683, OSVDB:38684, OSVDB:38685
 . Vulnerability found on port http (80/tcp) :

    Synopsis :
    The remote web server uses a version of PHP that is affected by multiple
    flaws.

    Description :
    According to its banner, the version of PHP installed on the remote host
    is older than 5.2.4. Such versions may be affected by various issues,
    including but not limited to several overflows.

    See also :
    http://www.php.net/releases/5_2_4.php

    Solution :
    Upgrade to PHP version 5.2.4 or later.

    Risk factor : High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

    Plugin output :
    PHP version 5.2.0 appears to be running on the remote host based on the
    following X-Powered-By response header :

      X-Powered-By: PHP/5.2.0-8+etch13

    CVE : CVE-2007-2872, CVE-2007-3378, CVE-2007-3806
    BID : 24661, 24261, 24922, 25498

 . Vulnerability found on port http (80/tcp) :

    Synopsis :
    The remote web server uses a version of PHP that is affected by multiple
    flaws.

    Description :
    According to its banner, the version of PHP installed on the remote host
    is older than 5.2.6. Such versions may be affected by the following
    issues :

      - A stack buffer overflow in FastCGI SAPI.
      - An integer overflow in printf().
      - A security issue arising from improper calculation of the length of
        PATH_TRANSLATED in cgi_main.c.
      - A safe_mode bypass in cURL.
      - Incomplete handling of multibyte chars inside escapeshellcmd().
      - Issues in the bundled PCRE fixed by version 7.6.

    See also :
    http://archives.neohapsis.com/archives/bugtraq/2008-03/0321.html
    http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
    http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html
    http://www.php.net/releases/5_2_6.php

    Solution :
    Upgrade to PHP version 5.2.6 or later.
    Risk factor : High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

    Plugin output :
    PHP version 5.2.0 appears to be running on the remote host based on the
    following X-Powered-By response header :

      X-Powered-By: PHP/5.2.0-8+etch13

    CVE : CVE-2007-4850, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051
    BID : 27413, 28392, 29009
    Other references : OSVDB:43219, OSVDB:44057, OSVDB:44906, OSVDB:44907, OSVDB:44908, Secunia:30048

 . Vulnerability found on port http (80/tcp) :

    Synopsis :
    The remote web server uses a version of PHP that is affected by multiple
    flaws.

    Description :
    According to its banner, the version of PHP installed on the remote host
    is older than 5.2.1. Such versions may be affected by several issues,
    including buffer overflows, format string vulnerabilities, arbitrary code
    execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of
    super-globals.

    See also :
    http://www.php.net/releases/5_2_1.php

    Solution :
    Upgrade to PHP version 5.2.1 or later.

    Risk factor : High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

    Plugin output :
    PHP version 5.2.0 appears to be running on the remote host based on the
    following X-Powered-By response header :

      X-Powered-By: PHP/5.2.0-8+etch13

    CVE : CVE-2006-6383, CVE-2007-0905, CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-1376, CVE-2007-1380, CVE-2007-1453, CVE-2007-1700, CVE-2007-1701, CVE-2007-1824, CVE-2007-1825, CVE-2007-1884, CVE-2007-1885, CVE-2007-1886, CVE-2007-1887, CVE-2007-1890
    BID : 21508, 22496, 22805, 22806, 22862, 22922, 23119, 23120, 23219, 23233, 23234, 23235, 23236, 23237, 23238
    Other references : OSVDB:32776, OSVDB:32781, OSVDB:33955, OSVDB:34767

 . Vulnerability found on port http (80/tcp) :

    Synopsis :
    The remote web server uses a version of PHP that is affected by multiple
    flaws.

    Description :
    According to its banner, the version of PHP installed on the remote host
    is older than 5.2.7.
    Such versions may be affected by several security issues :

      - File truncation can occur when calling 'dba_replace()' with an
        invalid argument.
      - There is a buffer overflow in the bundled PCRE library fixed by 7.8.
        (CVE-2008-2371)
      - A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c'
        can be triggered when a specially crafted font is given.
        (CVE-2008-3658)
      - There is a buffer overflow in PHP's internal function 'memnstr()',
        which is exposed to userspace as 'explode()'. (CVE-2008-3659)
      - When used as a FastCGI module, PHP segfaults when opening a file whose
        name contains two dots (eg, 'file..php'). (CVE-2008-3660)
      - Multiple directory traversal vulnerabilities in functions such as
        'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to
        bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666).
      - A buffer overflow may be triggered when processing long message
        headers in 'php_imap.c' due to use of an obsolete API call.
        (CVE-2008-2829)
      - A heap-based buffer overflow may be triggered via a call to
        'mb_check_encoding()', part of the 'mbstring' extension.
        (CVE-2008-5557)
      - Missing initialization of 'BG(page_uid)' and 'BG(page_gid)' when PHP
        is used as an Apache module may allow for bypassing security
        restriction due to SAPI 'php_getuid()' overloading. (CVE-2008-5624)
      - Incorrect 'php_value' order for Apache configuration may allow
        bypassing PHP's 'safe_mode' setting. (CVE-2008-5625)
      - The ZipArchive::extractTo() method in the ZipArchive extension fails
        to filter directory traversal sequences from file names.
        (CVE-2008-5658)

    See also :
    http://securityreason.com/achievement_securityalert/57
    http://securityreason.com/achievement_securityalert/58
    http://securityreason.com/achievement_securityalert/59
    http://www.sektioneins.de/advisories/SE-2008-06.txt
    http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
    http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
    http://www.openwall.com/lists/oss-security/2008/08/08/2
    http://www.openwall.com/lists/oss-security/2008/08/13/8
    http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
    http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
    http://bugs.php.net/bug.php?id=42862
    http://bugs.php.net/bug.php?id=45151
    http://bugs.php.net/bug.php?id=45722
    http://www.php.net/releases/5_2_7.php
    http://www.php.net/ChageLog-5.php#5.2.7

    Solution :
    Upgrade to PHP version 5.2.8 or later. Note that 5.2.7 has been removed
    from distribution because of a regression in that version that results in
    the 'magic_quotes_gpc' setting remaining off even if it was set to on.

    Risk factor : High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

    Plugin output :
    PHP version 5.2.0 appears to be running on the remote host based on the
    following X-Powered-By response header :

      X-Powered-By: PHP/5.2.0-8+etch13

    CVE : CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
    BID : 29796, 29797, 29829, 30087, 30649, 31612, 32383, 32625, 32688, 32948
    Other references : OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641, OSVDB:46690, OSVDB:47796, OSVDB:47797, OSVDB:47798

 . Warning found on port http (80/tcp)

    Synopsis :
    The remote web server is susceptible to a buffer overflow vulnerability.

    Description :
    The remote web server appears to be lighttpd running with the FastCGI
    module (mod_fastcgi).
    The version of that module on the remote host appears to be affected by a
    buffer overflow vulnerability. By sending a specially crafted request with
    a long header, a remote attacker may be able to exploit this issue to add
    or replace headers passed to PHP, such as SCRIPT_FILENAME, which in turn
    could result in arbitrary code execution.

    See also :
    http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/
    http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt

    Solution :
    Either disable the FastCGI module or upgrade to lighttpd 1.4.18 or later.

    Risk factor : Medium / CVSS Base Score : 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

    CVE : CVE-2007-4727
    BID : 25622
    Other references : OSVDB:36933

 . Warning found on port http (80/tcp)

    Synopsis :
    The remote web server uses a version of PHP that is affected by multiple
    flaws.

    Description :
    According to its banner, the version of PHP installed on the remote host
    is older than 5.2.9. Such versions may be affected by several security
    issues :

      - Background color is not correctly validated with a non true color
        image in function 'imagerotate()'. (CVE-2008-5498)
      - A denial of service condition can be triggered by trying to extract
        zip files that contain files with relative paths in file or directory
        names.
      - Function 'explode()' is affected by an unspecified vulnerability.
      - It may be possible to trigger a segfault by passing a specially
        crafted string to function 'json_decode()'.
      - Function 'xml_error_string()' is affected by a flaw which results in
        messages being off by one.

    See also :
    http://news.php.net/php.internals/42762
    http://www.php.net/releases/5_2_9.php
    http://www.php.net/ChangeLog-5.php#5.2.9

    Solution :
    Upgrade to PHP version 5.2.9 or later.
    Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

    Plugin output :
    PHP version 5.2.0 appears to be running on the remote host based on the
    following X-Powered-By response header :

      X-Powered-By: PHP/5.2.0-8+etch13

    CVE : CVE-2008-5498
    BID : 33002, 33927
    Other references : OSVDB:51031, Secunia:34081

 . Warning found on port http (80/tcp)

    Synopsis :
    The remote web server uses a version of PHP that is affected by multiple
    flaws.

    Description :
    According to its banner, the version of PHP installed on the remote host
    is older than 5.2.3. Such versions may be affected by several issues,
    including an integer overflow, 'safe_mode' and 'open_basedir' bypass, and
    a denial of service vulnerability.

    See also :
    http://www.php.net/releases/5_2_3.php

    Solution :
    Upgrade to PHP version 5.2.3 or later.

    Risk factor : Medium / CVSS Base Score : 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

    Plugin output :
    PHP version 5.2.0 appears to be running on the remote host based on the
    following X-Powered-By response header :

      X-Powered-By: PHP/5.2.0-8+etch13

    CVE : CVE-2007-1900, CVE-2007-2756, CVE-2007-2872, CVE-2007-3007
    BID : 23359, 24089, 24259, 24261
    Other references : OSVDB:33962, OSVDB:35788, OSVDB:36083, OSVDB:36084, OSVDB:36643

 . Information found on port http (80/tcp)

    Synopsis :
    Some information about the remote HTTP configuration can be extracted.

    Description :
    This test gives some information about the remote HTTP protocol: the
    version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
    etc.
    This test is informational only and does not denote any security problem.

    Risk factor : None

    Plugin output :
    Protocol version : HTTP/1.1
    SSL : no
    Pipelining : yes
    Keep-Alive : no
    Options allowed : OPTIONS, GET, HEAD, POST
    Headers :

      Transfer-Encoding: chunked
      X-Powered-By: PHP/5.2.0-8+etch13
      Cache-Control: no-cache, must-revalidate
      Expires: Sat, 01 Jan 2000 00:00:00 GMT
      Pragma: no-cache
      Content-type: text/html; charset=UTF-8
      Date: Thu, 21 May 2009 23:33:13 GMT
      Server: lighttpd/1.4.19

 . Information found on port http (80/tcp)

    Synopsis :
    A web server is running on the remote host.

    Description :
    This plugin attempts to determine the type and the version of the remote
    web server.

    Risk factor : None

    Plugin output :
    The remote web server type is : lighttpd/1.4.19

 . Information found on port http (80/tcp)

    A web server is running on this port.

 . Warning found on port unknown (11211/tcp)

    Synopsis :
    The remote object store suffers from a weakness that may make buffer
    overflows easier to exploit.

    Description :
    The version of memcached / MemcacheDB running on the remote host reveals
    information about the stack, heap, and shared library memory locations it
    uses. An unauthenticated remote attacker may be able to leverage this
    weakness to defeat any address space layout randomization (ASLR)
    protection on the remote host, thereby making buffer overflows easier to
    exploit.

    See also :
    http://www.positronsecurity.com/advisories/2009-001.html
    http://archives.neohapsis.com/archives/fulldisclosure/2009-04/0282.html
    http://www.nessus.org/u?7ab1e482
    http://www.nessus.org/u?a97219eb

    Solution :
    If using memcached, upgrade to version 1.2.8. If using MemcacheDB, upgrade
    to revision r98 or later from the code repository.
    Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

    Plugin output :
    Here is the output of sending a 'stats maps' command to the remote
    service :

    ------------------------------ snip ------------------------------
    00400000-00408000 r-xp 00000000 03:01 29361415 /usr/bin/memcached
    00508000-00509000 rw-p 00008000 03:01 29361415 /usr/bin/memcached
    00509000-0054b000 rw-p 00509000 00:00 0 [heap]
    2af0bd669000-2af0bd680000 r-xp 00000000 03:01 25166356 /lib/ld-2.3.6.so
    2af0bd680000-2af0bd682000 rw-p 2af0bd680000 00:00 0
    2af0bd77f000-2af0bd781000 rw-p 00016000 03:01 25166356 /lib/ld-2.3.6.so
    2af0bd781000-2af0bd789000 r-xp 00000000 03:01 1103 /usr/lib/libevent-1.1a.so.1.0.2
    2af0bd789000-2af0bd889000 ---p 00008000 03:01 1103 /usr/lib/libevent-1.1a.so.1.0.2
    2af0bd889000-2af0bd88a000 rw-p 00008000 03:01 1103 /usr/lib/libevent-1.1a.so.1.0.2
    2af0bd88a000-2af0bd9ab000 r-xp 00000000 03:01 25166443 /lib/libc-2.3.6.so
    2af0bd9ab000-2af0bdaab000 ---p 00121000 03:01 25166443 /lib/libc-2.3.6.so
    2af0bdaab000-2af0bdac0000 r--p 00121000 03:01 25166443 /lib/libc-2.3.6.so
    ------------------------------ snip ------------------------------

    Note that only the first 10 lines of output are reported.

    CVE : CVE-2009-1255
    BID : 34756
    Other references : OSVDB:54127, Secunia:34915, Secunia:34932

 . Information found on port unknown (11211/tcp)

    Synopsis :
    Memcached is running on this port.

    Description :
    Memcached, a memory-based object store, is listening on the remote port.

    See also :
    http://www.danga.com/memcached/
    http://www.eu.socialtext.net/memcached/index.cgi
    http://meta.wikimedia.org/wiki/Memcached

    Solution :
    As it is biased towards performance, memcached does not provide any kind
    of security by itself. Make sure that the machine is properly protected by
    a firewall and that traffic to the port is restricted to authorized hosts.
    Risk factor : None

    Plugin output :
    Nessus was able to gather the following statistics from the remote
    memcached server :

      pid 1422
      uptime 1509906
      time 1242948652
      version 1.1.12
      rusage_user 60.731795
      rusage_system 182.347396
      curr_items 1
      total_items 742
      bytes 380
      curr_connections 2
      total_connections 7249362
      connection_structures 23
      cmd_get 7249349
      cmd_set 742
      get_hits 7248607
      get_misses 742
      bytes_read 101741048
      bytes_written 2457287468
      limit_maxbytes 67108864

 . Information found on port sunrpc (111/tcp)

    Synopsis :
    An ONC RPC service is running on the remote host.

    Description :
    By sending a DUMP request to the portmapper, it was possible to enumerate
    the ONC RPC services running on the remote port. Using this information,
    it is possible to connect and bind to each service by sending an RPC
    request to the remote port.

    Risk factor : None

    Plugin output :
    The following RPC services are available on TCP port 111 :
      - program: 100000 (portmapper), version: 2

 . Information found on port sunrpc (111/tcp)

    Synopsis :
    An ONC RPC portmapper is running on the remote host.

    Description :
    The RPC portmapper is running on this port. The portmapper allows someone
    to get the port number of each RPC service running on the remote host by
    sending either multiple lookup requests or a DUMP request.

    Risk factor : None

------------------------------------------------------
This file was generated by the Nessus Security Scanner