hacker report

Discussion in 'General Discussion' started by mahdionline, Oct 17, 2004.

  1. mahdionline (Well-Known Member)
    Hi
    One of my customers on my server is a hacker. He sent me this report and told me to patch the bugs. Please explain more to me if you can find out some of the subjects of this report:

    port domain (53/tcp)
    The remote BIND 9 server, according to its version number, is vulnerable to a buffer overflow which may allow an attacker to gain a shell on this host or to disable this server.

    domain (53/tcp)
    The remote name server allows DNS zone transfers to be performed. This information is of great use to an attacker who may use it to gain information about the topology of your network and spot new targets.

    domain (53/tcp)
    The remote name server allows recursive queries to be performed by the host running Buginside. If this is your internal nameserver, then forget this warning. If you are probing a remote nameserver, then it allows anyone to use it to resolve third parties' names (such as www.asitename.com). This allows hackers to do cache poisoning attacks against this nameserver.

    port domain (53/tcp)
    A DNS server is running on this port. If you do not use it, disable it.

    port http (80/tcp)
    The remote host is using the Apache mod_frontpage module.
    mod_frontpage older than 1.6.1 is vulnerable to a buffer overflow which may allow an attacker to gain root access.
    * Since Buginside was not able to remotely determine the version
    * of mod_frontpage you are running, you are advised to manually
    * check which version you are running as this might be a false
    * positive.
    If you want the remote server to be remotely secure, we advise you do not use this module at all.

    http (80/tcp)
    Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.

    http (80/tcp)
    The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the private RSA key of the server.
    An attacker may use this implementation flaw to sniff the data going to this host and decrypt some parts of it, as well as impersonate your server and perform man in the middle attacks.
    * Buginside solely relied on the banner of the remote host
    * to issue this warning

    port http (80/tcp)
    The following CGI have been discovered :
    Syntax : cginame (arguments [default value])
    /images/ (D [A] M [A] N [D] S [A] )
    Directory index found at /images/

    port http (80/tcp)
    The remote web server type is :
    Apache/1.3.31 (Unix) mod_auth_pas-----h/---.--- mo----o-_b---s/--.--- m---_b----t-d/--.-- PHP/4.3.9 Fr------age/5.0.2.------2634a mod-----_l/-----19 Op----e/---0.----9.---

    port http (80/tcp)
    An information leak occurs on Apache based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.

    port imap (143/tcp)
    The remote imap server banner is :
    * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] ns1.mainserverdomain.com IMAP4rev1 2003.339-cpanel at Wed, 13 Oct 2004 18:24:55 +0330 (IRT)
    Versions and types should be omitted where possible. Change the imap banner to something generic.

    port https (443/tcp)
    The remote host is using the Apache mod_frontpage module.
    mod_frontpage older than 1.6.1 is vulnerable to a buffer overflow which may allow an attacker to gain root access.


    https (443/tcp)
    Your webserver supports the TRACE and/or TRACK methods. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers.
    An attacker may use this flaw to trick your legitimate web users to give him their credentials.


    https (443/tcp)
    The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the private RSA key of the server.

    An attacker may use this implementation flaw to sniff the data going to this host and decrypt some parts of it, as well as impersonate your server and perform man in the middle attacks.
    * Buginside solely relied on the banner of the remote host
    * to issue this warning

    port https (443/tcp)
    An information leak occurs on Apache based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.


    smtps (465/tcp)
    The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

    port smtps (465/tcp)
    An SMTP server is running on this port through SSL. Here is its banner:
    220-ns1.mainserverdomain.com ESMTP Exim 4.43 #1 Wed, 13 Oct 2004 18:24:50 +0330

    port smtps (465/tcp)
    Here is the list of available SSLv2 ciphers:
    RC4-MD5
    EXP-RC4-MD5
    RC2-CBC-MD5
    EXP-RC2-CBC-MD5
    DES-CBC-MD5
    DES-CBC3-MD5
    RC4-64-MD5

    port smtps (465/tcp)
    This TLSv1 server also accepts SSLv2 connections.
    This TLSv1 server also accepts SSLv3 connections.

    imaps (993/tcp)
    The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

    port imaps (993/tcp)
    The remote imap server banner is :
    * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] localhost IMAP4rev1 2003.339-cpanel at Wed, 13 Oct 2004 18:24:59 +0330 (IRT)
    Versions and types should be omitted where possible. Change the imap banner to something generic.

    port mysql (3306/tcp)
    An unknown service is running on this port. It is usually reserved for MySQL.


    port mysql (3306/tcp)
    Remote MySQL version : 4.0.20-standard

    port domain (53/udp)
    A DNS server is running on this port.

    port general/udp ()
    It is possible to bypass the rules of the remote firewall by sending UDP packets with a source port equal to 53.
    An attacker may use this flaw to inject UDP packets to the remote hosts, in spite of the presence of a firewall.


    port general/udp
    For your information, here is the traceroute to server IP :
     
  2. mr.wonderful (BANNED)

    Very interesting, and if you ever decided to kill this hacker's account I'm sure he will attempt to compromise your box using any or more of the above. I sure wouldn't like to be you.
     
  3. Jasonbd (Member, Texas)

    How do you know he is a hacker? Just because he gave you this report? It's pretty easy to get a report like this. They probably did a security audit or a security scan of your server. I see these all the time at the dedicated provider I work for...

    -jb
     
  4. StevenC (Well-Known Member)

    It's just a Nessus scan. Half of it is not accurate due to RPM version numbers / patched ports packages. Also, most of it is not practical in the webhosting world because some of it requires you to close needed ports such as 53 for DNS.
     
  5. Elikster (Well-Known Member)

    Agreed with TheLinuxGuy.

    I get those same reports from VISA International when they do scans to verify the server and send those same lists, thinking they are major security exploits and such when it is not the case. It is a real pain dealing with them, so I wound up with a standard papercutter reply for those reports so I don't have to keep typing them up over and over.

    Just that Nessus cannot tell you the entire story if you are using various distros that release the updates by backporting instead of updating the version numbers, which I rather like seeing instead of the same version with revision numbers.
     
  6. chirpy (Well-Known Member)

    Yup, it's probably around 90% a load of rubbish. You can close down the BIND issues easily enough. They're certainly not vulnerabilities, just the way you have bind configured. You can get the information you need on closing that down at:
    http://forums.cpanel.net/showthread.php?t=15922

    The rest is rubbish, because it does not take into account the RH backported security fixes.
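The replies above make one practical point: findings that the scanner derived from a version string or banner ("according to its version number", "solely relied on the banner") need to be checked against the distribution's backported package changelog, while findings that describe a reachable setting (zone transfers, recursion, TRACE, SSLv2/export ciphers, banners) are configuration items the admin can verify and change. The script below is an added example, not code from the thread or from Nessus: it parses a constructed excerpt in the shape of the report in post 1 and sorts each finding into those buckets using keyword heuristics that are assumptions, not scanner metadata.

```python
import re

# Constructed excerpt shaped like the report in post 1 (not the full report).
SAMPLE_REPORT = """\
domain (53/tcp)
The remote BIND 9 server, according to its version number, is vulnerable to a buffer overflow.

domain (53/tcp)
The remote name server allows DNS zone transfers to be performed.

http (80/tcp)
Your webserver supports the TRACE and/or TRACK methods.

https (443/tcp)
The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b.
* Buginside solely relied on the banner of the remote host
* to issue this warning

port mysql (3306/tcp)
Remote MySQL version : 4.0.20-standard
"""

# Phrases meaning the scanner matched a version string only. On distributions that
# backport fixes without bumping versions, check the package changelog before acting.
BANNER_ONLY = re.compile(r"according to its version number|relied on the banner|older than|version :", re.I)
# Phrases describing a reachable setting the admin can verify and change directly.
CONFIG_ISSUE = re.compile(r"zone transfers|recursive queries|TRACE|UserDir|SSLv2|export class|banner is", re.I)

def parse_findings(report):
    """Split the report into findings; each starts with a 'name (port/proto)' line."""
    header = re.compile(r"^(?:port )?(\S+) \((\d+)/(tcp|udp)\)$")
    findings, current = [], None
    for line in report.splitlines():
        m = header.match(line.strip())
        if m:
            current = {"service": m.group(1), "port": int(m.group(2)), "proto": m.group(3), "text": ""}
            findings.append(current)
        elif current is not None and line.strip():
            current["text"] += line.strip() + " "
    return findings

def classify(finding):
    """'banner' = version-string guess, 'config' = verifiable setting, otherwise 'info'."""
    text = finding["text"]
    if BANNER_ONLY.search(text):
        return "banner"
    if CONFIG_ISSUE.search(text):
        return "config"
    return "info"

def triage(report):
    """Return (port, service, category) for every finding, in report order."""
    return [(f["port"], f["service"], classify(f)) for f in parse_findings(report)]
```

Run `triage(SAMPLE_REPORT)` to get the per-finding buckets; the "banner" entries are the ones to cross-check against the RPM changelog, and the "config" entries are the BIND, Apache and mail-server settings worth tightening regardless of version.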
     