
Qualys Free Network Security Scanner : Scan Report Page 1 of 6

My FreeScan Vulnerabilities Report

For 66.240.226.179 on Feb 07, 2008

Thank you for trying FreeScan. Below you'll find the complete results of your scan, including whether or not
the IP you provided is exposed to any vulnerabilities. For detected vulnerabilities, a complete description of
the issue, possible consequences if exploited, and an assigned severity level are provided. Follow links to
verified remedies to fix these issues before they can be exploited.

FreeScan is just one component of QualysGuard®. To experience all of QualysGuard's vulnerability
management capabilities (both perimeter and internal) sign up for a free 7-day trial of QualysGuard. With
your trial, you will receive customized network mapping with access to an unlimited number of scans and get
comprehensive reports that include vulnerability trending, business risk assessment, risk matrixes, policy &
compliance reporting and much more.


Summary for 66.240.226.179

Vulnerabilities
1 Severity 5 (Urgent)

0 Severity 4 (Critical)

1 Severity 3 (Serious)

4 Severity 2 (Medium)

2 Severity 1 (Minimum)

8 Total

List of Vulnerabilities for 66.240.226.179


Severity Analysis
5 Writeable Root Directory on Anonymous FTP Server
3 Mail Server Accepts Plaintext Credentials
2 Anonymous Access to FTP with a Blank Password Allowed
2 Multiple Vendor ftpd PASV Mode Data Channel Hijacking Vulnerability
2 Accessible Anonymous FTP Server
2 Account Brute Force Possible Through IIS NTLM Authentication Scheme
1 Microsoft IIS Authentication Method Disclosure Vulnerability
1 ICMP Timestamp Request

Detailed Vulnerabilities for 66.240.226.179


Severity Analysis

https://freescan3.qualys.com/report.php?hemna=vEns9t1ZgoLpbRqLYbwnoWf2M0saTkjiI... 2/7/2008

Vulnerability: Writeable Root Directory on Anonymous FTP Server


Qualys ID : 27002 CVE ID : CVE-1999-0527
Port : 21

Diagnosis: The Anonymous FTP server has a world writeable root directory. The root
directory of your anonymous FTP server can therefore be written-to by any
anonymous user.

Consequences:
Writeable anonymous FTP servers are commonly abused by unauthorized
users to upload movies, pornography, pirated software and other "warez".
Sometimes the secondary storage is completely filled up resulting in
performance degradation or even complete failure.
For some FTP servers, the FTP root directory contains configuration files.
Allowing write permissions may allow an anonymous user to overwrite these
configuration files.
In addition for UNIX, unauthorized users could place a ".forward" or an
".rhosts" file in this directory. ".forward" files may contain commands to be
executed each time the anonymous user receives an e-mail message.
".rhosts" files contain hostnames from which any user will be able to connect
to this host without a password. Thus, the unauthorized user can add
the .rhosts file using their own hostname. They can then log in with rsh, rlogin
or rexec service. These two files are commonly used to compromise servers.

Solution:
Disable write access for unauthorized users in the root directory of the FTP
server.
For UNIX:

$ chmod o-w path/to/ftp/root/directory


For Microsoft IIS 6:

1. Click Start, point to Administrative Tools, and then click Internet
Information Services (IIS).

2. In IIS Manager, expand the local computer, expand the FTP Sites folder,
right-click the FTP site in question, and click Properties.

3. Click the Home Directory tab and deselect the Write checkbox; click OK.

4. For advanced permissions, refer to step 2 and click Permissions instead of
Properties; then click Advanced Permissions.

For other versions of IIS, please refer to the Microsoft website.

Result: Detailed result listings are provided in the Free 7-day Trial


Vulnerability: Mail Server Accepts Plaintext Credentials


Qualys ID : 74147
Port : 25

Diagnosis:
Your Mail Server responds to the EHLO command which implies that it uses
the ESMTP protocol. ESMTP uses the AUTH command which indicates an
authentication mechanism to the server. If the server supports the requested
authentication mechanism, it performs an authentication protocol exchange to
authenticate and identify the user. Optionally, it also negotiates a security
layer for subsequent protocol interactions.

Your server accepts PLAIN or LOGIN as one of the AUTH parameters. The
authentication credentials are transmitted in plaintext over the network and
no encryption is performed.

Consequences: Malicious users could obtain mail server credentials by sniffing the traffic. This
can allow unauthorized users to use the mail server as an open mail relay. It
may also lead to compromise of account credentials that can be used to
access other mail services like POP3 and IMAP.

Solution:
Disable the plaintext authentication methods on your SMTP server for
unencrypted (non-SSL/TLS) sessions. You may consider using more advanced
challenge-based authentication methods like CRAM-MD5 or DIGEST-MD5.

Please contact your vendor for configuration information. Also check RFC 2554
and RFC 2487 for more details.


Result: Detailed result listings are provided in the Free 7-day Trial


Vulnerability: Anonymous Access to FTP with a Blank Password Allowed


Qualys ID : 27001 CVE ID : CVE-1999-0497
Port : 21

Diagnosis:
Users can access the FTP server using the "anonymous" or "ftp" account with a
blank password. Some FTP server software is installed with Anonymous
access enabled by default. Vulnerable systems include RedHat Linux
installations and Microsoft IIS (Internet Information Server) installations.

Consequences:
The FTP server may contain sensitive files because anonymous FTP servers
are often used to exchange files between different users. These files can be
downloaded by anybody who visits this FTP server. Anonymous FTP is often
used for "bounce attacks". Bounce attacks enable unauthorized users to scan
networks, hosts and ports behind a firewall. This can result in internal
networks, VPN and Intranets being compromised.

Solution:
You should first decide if you really require the FTP service on this host. If you
use it to exchange files between users, you should either use a dedicated
password-protected account, or, by default, an unreadable but writeable
directory.

The security of this last option depends on the secrecy of the filenames you
upload and download from this directory. Therefore, avoid guessable
filenames like "backup", "accounting" or "project".

Result: Detailed result listings are provided in the Free 7-day Trial


Vulnerability: Multiple Vendor ftpd PASV Mode Data Channel Hijacking Vulnerability
Qualys ID : 27177 CVE ID : CVE-1999-0351
Port : 21

Diagnosis:
Some FTP servers are vulnerable to hijacking of data connections when PASV
mode is in use. In particular, these FTP servers are vulnerable: the ftpd
included with Caldera Open UNIX and Unixware, and versions of RedHat prior
to Version 6.0. (This is not a complete list.)

The FTP server switches to PASV mode when the client issues the PASV
command through the control connection made to the server (usually 21/tcp).
The server starts listening on a TCP port and responds to the client, letting it
know that it is ready for the data connection establishment. The port number
that the client is expected to connect to is included in the response to the
PASV command. An attacker can connect to the FTP server's listening port
before the client connects and thereby receive data intended for the client.

To exploit this vulnerability, the attacker must intercept or guess the listening
port number that the server will use, then try to connect before the client. If
the server uses predictable port numbers, this vulnerability is trivial to
exploit.

Caldera reported that the Open UNIX/Unixware ftpd selects predictable PASV
mode port numbers.

Note: In order to detect this vulnerability, authentication of the FTP server is
required.

Consequences: By exploiting this vulnerability, remote attackers can hijack data connections
and successfully retrieve data before the client.

Solution:
This is a generic FTP server vulnerability, affecting all FTP servers. Apply a
patch from your vendor. For more details, see this Cert Advisory.

Contact your vendor to obtain either a patch or a non-vulnerable version of the
software.


Note: This vulnerability has not been completely eliminated. Preventing IP
addresses other than that of the client from connecting to data ports breaks
RFC compliance, and does not prevent attacks from the client address
(perhaps other internal hosts if NAT is in use). Data ports are now randomly
selected by the server, making them more difficult to guess before the client
connects.

Result: Detailed result listings are provided in the Free 7-day Trial


Vulnerability: Accessible Anonymous FTP Server


Qualys ID : 27000 CVE ID : CVE-1999-0497
Port : 21

Diagnosis: Users can access the FTP server using the "anonymous" account with any
password. Some FTP server software is installed with Anonymous access
enabled by default. Vulnerable systems include RedHat Linux installations and
Microsoft IIS (Internet Information Server) installations.

Consequences: The FTP server may contain sensitive files because anonymous FTP servers
are often used to exchange files between different users. These files can be
downloaded by anybody who visits this FTP server. Anonymous FTP is often
used for "bounce attacks". Bounce attacks enable unauthorized users to scan
networks, hosts and ports behind a firewall. This can result in internal
networks, VPN and Intranets being compromised.

Solution:
You should first decide if you really require the FTP service on this host. If you
use it to exchange files between users, you should either use a dedicated
password-protected account, or, by default, an unreadable but writeable
directory.

The security of this last option depends on the secrecy of the filenames you
upload and download from this directory. Therefore, avoid guessable
filenames like "backup", "accounting" or "project".

Result: Detailed result listings are provided in the Free 7-day Trial


Vulnerability: Account Brute Force Possible Through IIS NTLM Authentication Scheme
Qualys ID : 86693 CVE ID : CVE-2002-0419
Port : 80

Diagnosis: NTLM authentication is enabled on the Microsoft IIS Web server. This allows a
remote user to perform account brute force by requesting a non-existing HTTP
resource or an existing HTTP resource that does not actually require
authentication. Requests would include the "Authorization: NTLM" field.

Consequences:
If the host has an account lockout policy in place, a remote user may exploit
this vulnerability to lockout a local user, provided that the name of the local
user is known.

If the host does not have an account lockout policy in place, a remote user
may exploit this vulnerability to brute force user passwords.

Note that the Windows user list may sometimes be obtained by exploiting
other vulnerabilities. Windows also has a few easy-to-guess default names for
built-in accounts: "Administrator" for administering the computer/domain,
"Guest" for guest access, "IUSR_<MachineName>" for anonymous access to
IIS, and "IWAM_<Machinename>" for IIS to start out of process applications.
Here the machine name <Machinename> may be obtained via Windows UDP
Netbios NS (port 137).

Among the above built-in accounts, the account lockout policy, even if it is in
place, does not apply to the administrator account. So if the host uses a
default name of "Administrator" for the administrator account, the password
brute force of this account is possible through the IIS authentication interface.

In addition, if the request has the NTLMSSP_REQUEST_TARGET flag on, the
Web server may respond to the request with an NTLM challenge that contains
sensitive host information, such as the Windows server and domain in which
the authentication will be checked.

Solution:
Currently there are no vendor supplied patches available for this issue.


As a workaround, disable NTLM authentication for your Web server. This can
be done by unchecking "Integrated Windows Authentication" within
"Authentication Method" under "Directory Security" in "Default Web Site
Properties".

Result: Detailed result listings are provided in the Free 7-day Trial


Vulnerability: Microsoft IIS Authentication Method Disclosure Vulnerability


Qualys ID : 86316 CVE ID : CVE-2002-0419
Port : 80

Diagnosis:
Microsoft IIS supports Basic and NTLM authentication. It has been reported
that the authentication methods supported by a given IIS server can be
revealed to an attacker through the inspection of returned error messages,
even when anonymous access is also granted.

When a valid authentication request is submitted (for either method) with an
invalid username and password, an error message is returned. This happens
even if anonymous access to the requested resource is allowed.

Consequences: If this vulnerability is successfully exploited, a malicious user can learn what
authentication method is used. This information can then be used in further
intelligent attacks against the server, or in a brute force password attack
against a known user name.

Solution: Currently there are no vendor supplied patches available.

Result: Detailed result listings are provided in the Free 7-day Trial


Vulnerability: ICMP Timestamp Request


Qualys ID : 82003 CVE ID : CVE-1999-0524
Port : N/A

Diagnosis: ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated
in IP packets. Its principal purpose is to provide a protocol layer able to
inform gateways of the inter-connectivity and accessibility of other gateways
or hosts. "ping" is a well-known program for determining if a host is up or
down. It uses ICMP echo packets. ICMP timestamp packets are used to
synchronize clocks between hosts.

Consequences: Unauthorized users can obtain information about your network by sending
ICMP timestamp packets. For example, the internal systems clock should not
be disclosed since some internal daemons use this value to calculate ID or
sequence numbers (i.e., on SunOS servers).

Solution:
You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at
the firewall level. Some system administrators choose to filter most types of
ICMP messages for various reasons. For example, they may want to protect
their internal hosts from ICMP-based Denial Of Service attacks, such as the
Ping of Death or Smurf attacks.

However, you should never filter ALL ICMP messages, as some of them
("Don't Fragment", "Destination Unreachable", "Source Quench", etc) are
necessary for proper behavior of Operating System TCP/IP stacks.

It may be wiser to contact your network consultants for advice, since this
issue impacts your overall network reliability and security.

Result: Detailed result listings are provided in the Free 7-day Trial

Copyright © 2008 Qualys, Inc.