Hi
One of my customers on my server is a hacker. He sent me this report and told me to patch the bugs. Please explain more to me if you can make out some of the subjects of this report:
port domain (53/tcp)
The remote BIND 9 server, according to its version number, is vulnerable to a buffer overflow which may allow an attacker to gain a shell on this host or to disable this server.
domain (53/tcp)
The remote name server allows DNS zone transfers to be performed. This information is of great use to an attacker who may use it to gain information about the topology of your network and spot new targets.
domain (53/tcp)
The remote name server allows recursive queries to be performed by the host running Buginsided. If this is your internal nameserver, then forget this warning. If you are probing a remote nameserver, then it allows anyone to use it to resolve third parties names (such as www.asitename.com). This allows hackers to do cache poisoning attacks against this nameserver.
port domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.
port http (80/tcp)
The remote host is using the Apache mod_frontpage module.
mod_frontpage older than 1.6.1 is vulnerable to a buffer overflow which may allow an attacker to gain root access.
* Since Buginside was not able to remotely determine the version of mod_frontpage you are running, you are advised to manually check which version you are running as this might be a false positive.
If you want the remote server to be remotely secure, we advise you do not use this module at all.
http (80/tcp)
Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
http (80/tcp)
The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the private RSA key of the server.
An attacker may use this implementation flaw to sniff the data going to this host and decrypt some parts of it, as well as impersonate your server and perform man in the middle attacks.
* Buginside solely relied on the banner of the remote host to issue this warning.
port http (80/tcp)
The following CGIs have been discovered:
Syntax: cginame (arguments [default value])
/images/ (D [A] M [A] N [D] S [A] )
Directory index found at /images/
port http (80/tcp)
The remote web server type is:
Apache/1.3.31 (Unix) mod_auth_pas-----h/---.--- mo----o-_b---s/--.--- m---_b----t-d/--.-- PHP/4.3.9 Fr------age/5.0.2.------2634a mod-----_l/-----19 Op----e/---0.----9.---
port http (80/tcp)
An information leak occurs on Apache based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.
port imap (143/tcp)
The remote imap server banner is:
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] ns1.mainserverdomain.com IMAP4rev1 2003.339-cpanel at Wed, 13 Oct 2004 18:24:55 +0330 (IRT)
Versions and types should be omitted where possible. Change the imap banner to something generic.
port https (443/tcp)
The remote host is using the Apache mod_frontpage module.
mod_frontpage older than 1.6.1 is vulnerable to a buffer overflow which may allow an attacker to gain root access.
https (443/tcp)
Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
https (443/tcp)
The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the private RSA key of the server.
An attacker may use this implementation flaw to sniff the data going to this host and decrypt some parts of it, as well as impersonate your server and perform man in the middle attacks.
* Buginside solely relied on the banner of the remote host to issue this warning.
port https (443/tcp)
An information leak occurs on Apache based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.
smtps (465/tcp)
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.
port smtps (465/tcp)
An SMTP server is running on this port through SSL. Here is its banner:
220-ns1.mainserverdomain.com ESMTP Exim 4.43 #1 Wed, 13 Oct 2004 18:24:50 +0330
port smtps (465/tcp)
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
port smtps (465/tcp)
This TLSv1 server also accepts SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.
imaps (993/tcp)
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.
port imaps (993/tcp)
The remote imap server banner is:
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] localhost IMAP4rev1 2003.339-cpanel at Wed, 13 Oct 2004 18:24:59 +0330 (IRT)
Versions and types should be omitted where possible. Change the imap banner to something generic.
port mysql (3306/tcp)
An unknown service is running on this port. It is usually reserved for MySQL.
port mysql (3306/tcp)
Remote MySQL version: 4.0.20-standard
port domain (53/udp)
A DNS server is running on this port.
port general/udp
It is possible to bypass the rules of the remote firewall by sending UDP packets with a source port equal to 53.
An attacker may use this flaw to inject UDP packets to the remote hosts, in spite of the presence of a firewall.
port general/udp
For your information, here is the traceroute to the server IP:
10.234.226.12
10.234.226.1
10.234.224.25
10.234.224.130
10.234.224.9
10.234.234.131
10.234.234.131
10.234.234.177
213.181.59.101
213.181.59.101
213.181.58.5
213.181.58.5
194.53.172.118
130.117.1.169
130.117.1.158
154.54.1.5
66.28.4.169
66.28.4.13
66.28.4.81
66.28.4.161
66.28.4.153
66.28.4.142
66.28.4.45
38.112.12.186
207.218.245.112
server ip