[4eyes] FW: [COE #69144] [UCSB-OIT #707561] Vulnerabilities Found On 128.111.28.90
Matthew Turk
mturk at cs.ucsb.edu
Thu Jan 21 17:17:06 PST 2016
We need to check a machine again: who has 128.111.28.90?
-----Original Message-----
From: Tier II Support Issues via CoE Support [mailto:help at engineering.ucsb.edu]
Sent: Thursday, January 21, 2016 3:19 PM
To: holl at cs.ucsb.edu; mturk at cs.ucsb.edu
Subject: [COE #69144] [UCSB-OIT #707561] Vulnerabilities Found On 128.111.28.90
The following reply has been made regarding CoE Support ticket #69144:
Hello Gentlemen,
OIT has sent us a message about a computer that is identified in the ilab as
being vulnerable to an outside network attack. If you could see about looking
into your computers over there?
On Thu Jan 21 11:53:20 2016, kasai wrote:
>
> -------- Original Message --------
> From: "E. Todd Atkins via RT" <security at ucsb.edu>
> Sent: January 21, 2016 11:24:24 AM PST
> To: eci-info at lists.engr.ucsb.edu
> Subject: [ECI-INFO] [UCSB-OIT #707561] Vulnerabilities Found On
> 128.111.28.90
>
> Greetings:
>
> Our vulnerability scanner has found a potentially vulnerable host on
> your network. You should consider taking the recommended actions
> mentioned in this report in order to reduce the chances of this
> host being abused by an attacker. If you believe any part of this
> report to be incorrect, please let us know so that we can work to
> improve our reporting accuracy.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Here is information about potential vulnerabilities that were found:
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP: 128.111.28.90
> FQDN: ilab-90.cs.ucsb.edu
> Scanned From: off-campus address
> Scan Start: Thu Jan 21 09:30:38 2016 -0800 (PST)
> Scan End: Thu Jan 21 09:30:46 2016 -0800 (PST)
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Plugin Name: Windows NetBIOS / SMB Remote Host Information Disclosure
> (10150)
>
> PLEASE NOTE: While the folks at Nessus have the risk factor for this
> set to "None," they wrote that plugin long before Distributed
> Reflective Denial of Service (DRDoS) attacks became popular. Please
> read the following publication to see why leaving common UDP based
> services open to the internet is a problem:
>
> https://www.us-cert.gov/ncas/alerts/TA14-017A
>
>
> Synopsis:
>
> It is possible to obtain the network name of the remote host.
>
> Description:
>
> The remote host is listening on UDP port 137 or TCP port 445 and
> replies to NetBIOS nbtscan or SMB requests.
>
> Note that this plugin gathers information to be used in other plugins
> but does not itself generate a report.
>
> Solution:
>
> None
>
> Risk Factor: None
>
>
> Plugin Information:
>
>
> Plugin Output:
>
> Port: 137 / udp / netbios-ns
> The following 1 NetBIOS names have been gathered :
>
> 90 = Computer name
>
> This SMB server seems to be a Samba server - its MAC address is NULL.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--
Scott Kasai
User Support Specialist
Engineering Computing Infrastructure
University of California, Santa Barbara