[4eyes] FW: Vulnerabilities Found on 128.111.28.92]

Matthew Turk mturk at cs.ucsb.edu
Fri Jan 22 10:35:02 PST 2010


The IP address of the vulnerable machine is 128.111.28.92. This is mapped to ilab-92.cs.ucsb.edu.

 

From: Jeff Oakes [mailto:joakes at engineering.ucsb.edu] 
Sent: Wednesday, January 20, 2010 2:46 PM
To: Matthew Turk
Cc: holl at cs.ucsb.edu; joakes at engineering.ucsb.edu
Subject: Re: [Fwd: [COMS #29172] [UCSB-OIT #200325] Vulnerabilities Found on 128.111.28.92]

 

Matthew,

% nmap -P0 128.111.28.92

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-20 14:43 PST
Interesting ports on ilab-92.cs.ucsb.edu (128.111.28.92):
Not shown: 990 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1030/tcp open     iad1
1031/tcp open     iad2
1032/tcp open     iad3
1433/tcp open     ms-sql-s
2401/tcp open     cvspserver
3389/tcp open     ms-term-serv

The host is alive and most likely not patched. Patching info can be found here:

Solution :
 
Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista and 2008 :
 
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
 
 
Thanks,
 
Jeff



On 1/20/10 2:40 PM, Matthew Turk wrote: 

I asked around, but no one fessed up to this. Is the unpatched system still on our network? We have a lab meeting tomorrow, so I can pass along any “demands” or advice from you guys.

 

            Matthew

 

From: Jeff Oakes [mailto:joakes at engineering.ucsb.edu] 
Sent: Tuesday, January 19, 2010 2:49 PM
To: holl at cs.ucsb.edu
Cc: mturk at cs.ucsb.edu; joakes at engineering.ucsb.edu
Subject: Fwd: [Fwd: [COMS #29172] [UCSB-OIT #200325] Vulnerabilities Found on 128.111.28.92]

 

All,

any resolution here?

Thanks,

Jeff

-------- Original Message -------- 


Subject: [Fwd: [COMS #29172] [UCSB-OIT #200325] Vulnerabilities Found on 128.111.28.92]
Date: Thu, 17 Dec 2009 11:28:58 -0800
From: Jeff Oakes <joakes at engineering.ucsb.edu>
To: Tobias Hollerer <holl at cs.ucsb.edu>
CC: Matthew Turk <mturk at cs.ucsb.edu>, "joakes >> Jeff Oakes" <joakes at engineering.ucsb.edu>

 

Tobias and Matthew,
 
could you please get in touch with the user on ilab-92.cs.ucsb.edu and 
have them patch this vulnerability? Also, you may want to address the 
fact that your wiki:
 
http://majuro.cs.ucsb.edu/wiki/index.php/Systems_Info
 
is world readable and contains information that you may not want the 
world to have access to (such as passwords!).
 
Thanks,
 
Jeff
 
 
-------- Original Message --------
Subject: [COMS #29172] [UCSB-OIT #200325] Vulnerabilities Found on 128.111.28.92
Date: Wed, 16 Dec 2009 11:11:08 -0800
From: vsc at oit.ucsb.edu via CS Support <support at cs.ucsb.edu>
Reply-To: support at cs.ucsb.edu
References: <RT-Ticket-29172 at cs.ucsb.edu>
 <RT-Ticket-200325 at oit.ucsb.edu>
 <rt-3.8.1-9170-1260990658-57.200325-6-0 at oit.ucsb.edu>
 
 
Wed Dec 16 11:11:08 2009: Request 29172 was acted upon.
Transaction: Ticket created by vsc at oit.ucsb.edu
       Queue: General
     Subject: [UCSB-OIT #200325] Vulnerabilities Found on 128.111.28.92
       Owner: Nobody
  Requestors: vsc at oit.ucsb.edu
      Status: new
 Ticket <URL: https://rt.cs.ucsb.edu/Ticket/Display.html?id=29172 >
 
 
Greetings:
 
Our vulnerability scanner has found vulnerable hosts on your network.
I highly recommend taking the recommended actions mentioned in this
report in order to reduce the chances of this host becoming compromised.
If you believe any part of this report to be false, please let me know
so that we can work to improve our reporting accuracy.
 
Here are the relevant parts of the report:
----------------------------------------
IP Address: 128.111.28.92
Scanned on Dec 12, 2009 at 02:08
----------------------------------------
Nessus Plugin ID: 35362
Port Info: microsoft-ds (445/tcp)
Synopsis :
 
It is possible to crash the remote host due to a flaw in SMB.
 
Description :
 
The remote host is vulnerable to memory corruption vulnerability in
SMB which may allow an attacker to execute arbitrary code or perform a
denial of service against the remote host.
 
Solution :
 
Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista and 2008 :
 
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
 
Risk factor :
 
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
 
CVE : CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
BID : 31179, 33121, 33122
Other references : OSVDB:48153, OSVDB:52691, OSVDB:52692
 
----------------------------------------
Nessus Plugin ID: 34477
Port Info: general/tcp
 
Synopsis :
 
Arbitrary code can be executed on the remote host due to a flaw in the
'Server' service.
 
Description :
 
The remote host is vulnerable to a buffer overrun in the 'Server'
service that may allow an attacker to execute arbitrary code on the
remote host with the 'System' privileges.
 
Solution :
 
Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista and 2008 :
 
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
 
Risk factor :
 
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
 
CVE : CVE-2008-4250
BID : 31874
Other references : OSVDB:49243
 
 
-- 
E. Todd Atkins
Network Security Coordinator
Office of Information Technology
University of California, Santa Barbara
 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    I encourage you to use our Nessus scanner to periodically
    scan your hosts. You can schedule scans at
    http://vsc.oit.ucsb.edu
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 
 

 
