Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test: 1
Number of security holes found: 0
Number of security warnings found: 4


Host List
Host(s) Possible Issue
skola.no-ip.info Security warning(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
skola.no-ip.info general/tcp Security notes found
skola.no-ip.info cgms (3003/tcp) No Information
skola.no-ip.info gw (3010/tcp) No Information
skola.no-ip.info cifs (3020/tcp) No Information
skola.no-ip.info msft-gc (3268/tcp) No Information
skola.no-ip.info msft-gc-ssl (3269/tcp) Security notes found
skola.no-ip.info ms-wbt-server (3389/tcp) Security warning(s) found
skola.no-ip.info vnc-http (5800/tcp) Security warning(s) found
skola.no-ip.info vnc (5900/tcp) Security notes found
skola.no-ip.info ssh (22/tcp) Security notes found
skola.no-ip.info hosts2-ns (81/tcp) Security notes found
skola.no-ip.info blackjack (1025/tcp) No Information
skola.no-ip.info cap (1026/tcp) No Information
skola.no-ip.info unknown (1028/tcp) Security notes found
skola.no-ip.info pptp (1723/tcp) Security notes found
skola.no-ip.info domain (53/udp) Security warning(s) found
skola.no-ip.info domain (53/tcp) Security notes found
skola.no-ip.info general/udp Security notes found


Security Issues and Fixes: skola.no-ip.info
Type Port Issue and Fix
Informational general/tcp The remote host is up
Nessus ID : 10180
Informational general/tcp 193.165.105.179 resolves as skola.no-ip.info.
Nessus ID : 12053
Informational general/tcp
Remote operating system : Linux Kernel 2.4 on Debian 3.1 (sarge)
Confidence Level : 95
Method : SSH


The remote host is running Linux Kernel 2.4 on Debian 3.1 (sarge)
Nessus ID : 11936
Informational general/tcp
Synopsis :

The remote service implements TCP timestamps.

Description :

The remote host implements TCP timestamps, as defined by RFC1323.
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.

See also :

http://www.ietf.org/rfc/rfc1323.txt

Risk factor :

None
Nessus ID : 25220
Informational general/tcp Information about this scan :

Nessus version : 2.2.8 (Nessus 2.2.10 is available - consider upgrading)

Plugin feed version : 200709271215
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.2.155
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Max hosts : 20
Max checks : 4
Scan Start Date : 2007/9/28 2:44
Scan duration : 390 sec

Nessus ID : 19506
Informational msft-gc-ssl (3269/tcp) The service closed the connection after 0 seconds without sending any data
It might be protected by some TCP wrapper

Nessus ID : 10330
Warning ms-wbt-server (3389/tcp)
Synopsis :

It may be possible to get access to the remote host.

Description :

The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.

An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).


Solution :

Force the use of SSL as a transport layer for this service.

See also :

http://www.oxid.it/downloads/rdp-gbu.pdf
http://www.nessus.org/u?c544b1fa

Risk factor :

Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)
CVE : CVE-2005-1794
BID : 13818
Other references : OSVDB:17131
Nessus ID : 18405
Informational ms-wbt-server (3389/tcp)
Synopsis :

The remote Windows host has Terminal Services enabled.

Description :

Terminal Services allows a Windows user to remotely obtain a graphical
login (and therefore act as a local user on the remote host).

If an attacker gains a valid login and password, he may be able to use
this service to gain further access on the remote host. An attacker
may also use this service to mount a dictionary attack against the
remote host to try to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable to
Man-in-the-middle attacks, making it easy for attackers to steal the
credentials of legitimate users by impersonating the Windows server.

Solution :

Disable Terminal Services if you do not use it, and do not allow this
service to run across the Internet.

Risk factor :

None
Nessus ID : 10940
Warning vnc-http (5800/tcp)
The remote server is running VNC.
VNC permits a console to be displayed remotely.

Solution: Disable VNC access from the network by
using a firewall, or stop VNC service if not needed.

Risk factor : Medium
Nessus ID : 10758
Informational vnc-http (5800/tcp) A web server is running on this port
Nessus ID : 10330
Informational vnc-http (5800/tcp)
Synopsis :

A web server is running on the remote host.

Description :

This plugin attempts to determine the type and the version of
the remote web server.

Risk factor :

None

Plugin output :

The remote web server type is :

RealVNC/4.0

Nessus ID : 10107
Informational vnc-http (5800/tcp)
Synopsis :

Some information about the remote HTTP configuration can be extracted.

Description :

This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc...

This test is informational only and does not denote any security
problem

Solution :

None.

Risk factor :

None

Plugin output :

Protocol version : HTTP/1.1
SSL : no
Pipelining : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Server: RealVNC/4.0
Date: Thu, 27 Sep 2007 22:46:33 GMT
Last-Modified: Thu, 27 Sep 2007 22:46:33 GMT
Content-Length: 240
Connection: close
Content-Type: text/html


Nessus ID : 24260
Informational vnc (5900/tcp)
Synopsis :

The remote host is running a remote display software (VNC).

Description :

The remote server is running VNC, a software which permits a console
to be displayed remotely. This allows users to control the host
remotely.

Solution :

Make sure the use of this software is done in accordance with your
corporate security policy and filter incoming traffic to this port.

Risk factor :

None

Plugin output :

The version of the VNC protocol is : RFB 004.000

Nessus ID : 10342
Informational vnc (5900/tcp) The remote VNC server supports the following security types:
+ 5 (RA2)

Nessus ID : 19288
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp)
Synopsis :

An SSH server is listening on this port.

Description :

It is possible to obtain information about the remote SSH
server by sending an empty authentication request.

Risk factor :

None

Plugin output :

SSH version : SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.6
SSH supported authentication : publickey,keyboard-interactive

Nessus ID : 10267
Informational ssh (22/tcp)
Synopsis :

An SSH server is running on the remote host.

Description :

This plugin determines which versions of the SSH protocol
the remote SSH daemon supports.

Risk factor :

None

Plugin output :

The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.99
. 2.0


SSHv2 host key fingerprint : be:f5:1f:31:d7:19:59:7b:02:d8:2b:2b:ff:de:9b:5c

Nessus ID : 10881
Informational hosts2-ns (81/tcp) A web server is running on this port
Nessus ID : 10330
Informational hosts2-ns (81/tcp)
Synopsis :

A web server is running on the remote host.

Description :

This plugin attempts to determine the type and the version of
the remote web server.

Risk factor :

None

Plugin output :

The remote web server type is :

RomPager/4.07 UPnP/1.0

Nessus ID : 10107
Informational hosts2-ns (81/tcp)
Synopsis :

Some information about the remote HTTP configuration can be extracted.

Description :

This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc...

This test is informational only and does not denote any security
problem

Solution :

None.

Risk factor :

None

Plugin output :

Protocol version : HTTP/1.1
SSL : no
Pipelining : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT
Headers :

WWW-Authenticate: Basic realm="Prestige 650R-33"
Content-Type: text/html
Transfer-Encoding: chunked
Server: RomPager/4.07 UPnP/1.0
Connection: close
EXT:


Nessus ID : 24260
Informational unknown (1028/tcp) A CIS (COM+ Internet Services) server is listening on this port
Server banner :
ncacn_http/1.0
Nessus ID : 10761
Informational pptp (1723/tcp)
Synopsis :

A VPN server is listening on the remote port.

Description :

The remote host is running a PPTP (Point-to-Point Tunneling Protocol)
server. It allows users to set up a tunnel between their host and the
network the remote host is attached to.

Make sure the use of this software is done in accordance with your
corporate security policy.

Solution :

Disable this software if you do not use it

Risk factor :

None

Plugin output :

It was possible to extract the following information from the remote PPTP server :
Firmware Version : 3790
Vendor Name : Microsoft

Nessus ID : 10622
Warning domain (53/udp)
Synopsis :

Remote DNS server is vulnerable to cache snooping attacks.

Description :

The remote DNS server answers to queries for third-party domains which
do not have the recursion bit set.

This may allow a remote attacker to determine which domains have
recently been resolved via this name server, and therefore which hosts
have been recently visited.

For instance, if an attacker was interested in whether your company
utilizes the online services of a particular financial institution,
they would be able to use this attack to build a statistical model
regarding company usage of aforementioned financial institution. Of
course, the attack can also be used to find B2B partners, web-surfing
patterns, external mail servers, and more...

See also :

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:

http://www.nessus.org/u?0f22a4a4

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Nessus ID : 12217
Warning domain (53/udp)
Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.


Description :

It is possible to query the remote name server for third party names.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE : CVE-1999-0024
BID : 136, 678
Nessus ID : 10539
Informational domain (53/udp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational domain (53/udp)
Nessus was not able to reliably identify the remote DNS server type.
It might be :
ISC BIND 9.3.0
ISC BIND 9.3.1
The fingerprint differs from these known signatures on 2 points.
If you know which DNS server this host is actually running, please send this signature to
dns-signatures@nessus.org :
4q:2:5:1q:1:1q:1q:1q:1q:0X:0AAX:0X:0X:0Z0X:0X:0X:4q:4q:4q:0X:0X:2:0AAXD:
Nessus ID : 11951
Informational domain (53/tcp)
Synopsis :

It is possible to obtain the version number of the remote DNS server.

Description :

The remote host is running BIND, an open-source DNS server. It is possible
to extract the version number of the remote installation by sending
a special DNS request for the text 'version.bind' in the domain 'chaos'.

Solution :

It is possible to hide the version number of bind by using the 'version'
directive in the 'options' section in named.conf

Risk factor :

None

Plugin output:

The version of the remote BIND server is : ns1.skynet.cz
Other references : OSVDB:23
Nessus ID : 10028
Informational domain (53/tcp)
A DNS server is running on this port but it only
answers to UDP requests.
This means that TCP requests are blocked by a firewall.

This configuration is not RFC-compliant. Contrary to
common belief, TCP transport is not restricted to zone
transfers (AXFR) :
- answers bigger than 512 bytes are always transmitted
over TCP.
- for all other requests, UDP is only 'preferred' for
performance reasons. i.e. RFC1035 (STD0013) does not forbid
a DNS client from issuing its queries directly over TCP.

** If you are sure that your DNS server will never return
** answers bigger than 512 bytes and that the client
** software prefers UDP (which is nearly certain), you may
** disregard this message.

Read RFC1035 (STD0013) for more information.

Risk factor : None
Nessus ID : 18356
Informational general/udp For your information, here is the traceroute from 192.168.2.155 to 193.165.105.179 :
192.168.2.155
192.168.2.1
89.177.117.1
86.49.54.1
194.50.100.30
193.165.111.7
193.165.105.179

Nessus ID : 10287

This file was generated by Nessus, the open-sourced security scanner.