Administrator Report

originate timestamp: 21:07:45.0000 receive timestamp: 00:11:56.0403 round-trip time: 0 ms difference: 20:55:48.0597

Traceroute to host 192.168.160.10: > SPSERVER 192.168.160.10

Names gathered: SPSERVER WORKGROUP SPSERVER WORKGROUP WORKGROUP ..__MSBROWSE__. MAC Address: 00-01-02-A3-B9-38

HTTP server version: dart webserver tool/1.0

/images directory is listable

Traceroute to host 192.168.160.11: > 192.168.160.11 192.168.160.11

HTTP server version: Apache/1.3.19 (Unix) (Red-Hat/Linux) PHP/4.0.6

originate timestamp: 21:07:47.0000 receive timestamp: 16:12:52.0687 round-trip time: 0 ms difference: 04:54:54.0313

Traceroute to host 192.168.160.2: > 192.168.160.2 192.168.160.2

HTTP server version: Apache/1.3.11 (Unix) mod_ssl/2.5.0 OpenSSL/0.9.4

Os2 file found at location: %SystemRoot%\system32\os2ss.exe

POSIX file found at location: %SystemRoot%\system32\psxss.exe

Privilege SeTcbPrivilege granted to User: SMSCliToknAcct& of Domain: NMDK Privilege SeTcbPrivilege granted to User: SMS&_NMFORCE21 of Domain: NMDK Privilege SeTcbPrivilege granted to User: us_admin of Domain: NMDK Privilege SeTcbPrivilege granted to User: services of Domain: NMDK

entry 1: attribute: currentTime value: 20020310210815Z attribute: subschemaSubentry value: cn=Aggregate,cn=Schema,cn=Configuration,ou=NMDK,o=Neupart & Munkedal attribute: namingContexts value: ou=_ABViews_,o=Neupart & Munkedal value: cn=Configuration,ou=NMDK,o=Neupart & Munkedal value: cn=Microsoft DMD,ou=NMDK,o=Neupart & Munkedal value: ou=NMDK,o=Neupart & Munkedal value: o=Neupart & Munkedal attribute: defaultNamingContext value: o=Neupart & Munkedal attribute: supportedControl value: 1.2.840.113556.1.4.319 value: 1.2.840.113556.1.4.417 value: 1.2.840.113556.1.4.529 attribute: supportedVersion value: 3 value: 2 attribute: highestCommittedUSN value: 112890

NETLOGON E ADMIN$ IPC$ C$ D$ SMS_USA SMS_SITE PeachTree Filur connect$ SMSLOGON Address Add-ins General checkpoint tracking.log PWRCHUTE Software Resources print$ CAP_USA Internal Data

Event date:Sun Mar 10 15:59:22 2002 , ComputerName:NMFORCE21, SourceName:Dns, EventType:INFORMATION

Event date:Sun Mar 10 16:09:54 2002 , ComputerName:NMFORCE21, SourceName:Security, EventType:AUDIT_SUCCESS

Event date:Sun Mar 10 15:58:20 2002 , ComputerName:NMFORCE21, SourceName:LicenseService, EventType:WARNING

Following event written to Application Event Log: EventID=0, Source=Application

Following event written to Security Event Log: EventID=0, Source=Security

Following event written to System Event Log: EventID=0, Source=System

Privilege SeMachineAccountPrivilege granted to User: GHOST_BKR of Domain: NMDK Privilege SeMachineAccountPrivilege granted to User: sos of Domain: NMDK Privilege SeMachineAccountPrivilege granted to User: zzz-bkr of Domain: NMDK Privilege SeMachineAccountPrivilege granted to User: zzz_hd of Domain: NMDK

Privilege SeChangeNotifyPrivilege granted to User: Everyone of Domain:

internal.n-m.com. SOA alfred.internal.n-m.com. root.alfred.internal.n-m.com. internal.n-m.com. NS alfred.internal.n-m.com. internal.n-m.com. NS nmforce1.internal.n-m.com. alfred.internal.n-m.com. A 192.168.100.28 alphalab.internal.n-m.com. A 172.30.2.40 appserv.internal.n-m.com. A 192.168.160.5 auto1.internal.n-m.com. A 10.0.3.1 autoscan.internal.n-m.com. A 10.0.3.1 cvs.internal.n-m.com. A 192.168.125.72 devlab.internal.n-m.com. A 172.30.1.40 dk1-netman.internal.n-m.com. A 192.168.100.58 filur.internal.n-m.com. CNAME mercury.internal.n-m.com. firewall.internal.n-m.com. A 192.168.0.2 francedb.internal.n-m.com. A 192.168.208.14 gateway.internal.n-m.com. A 10.0.0.1 gateway-100.internal.n-m.com. A 192.168.100.1 gateway-120.internal.n-m.com. A 192.168.120.1 gateway-125.internal.n-m.com. A 192.168.125.1 gateway-150.internal.n-m.com. A 192.168.150.1 granta.internal.n-m.com. A 192.168.100.33 hp2000c.internal.n-m.com. A 10.0.0.53 hpjet.internal.n-m.com. A 10.0.0.50 hpsales.internal.n-m.com. A 10.0.0.51 inside-120.internal.n-m.com. A 192.168.120.2 inside-125.internal.n-m.com. A 192.168.125.2 inside-150.internal.n-m.com. A 192.168.150.2 intra.internal.n-m.com. A 192.168.125.71 intranet.internal.n-m.com. CNAME sun.internal.n-m.com. intranetdev.internal.n-m.com. A 192.168.160.7 intratest.internal.n-m.com. CNAME nmforce2web02.internal.n-m.com. it-cph.internal.n-m.com. A 192.168.100.31 it-support.internal.n-m.com. CNAME nmforce3web02.internal.n-m.com. lj8000dk.internal.n-m.com. A 10.0.0.52 luna.internal.n-m.com. A 192.168.100.27 mail.internal.n-m.com. CNAME mail.dmz.n-m.com. mail-cph.internal.n-m.com. CNAME mail-cph.dmz.n-m.com. mercury.internal.n-m.com. A 192.168.100.40 netman.internal.n-m.com. CNAME netman.dmz.n-m.com. netman-wc1.internal.n-m.com. CNAME netman-wc1.dmz.n-m.com. news.internal.n-m.com. CNAME alfred.internal.n-m.com. nm-exch-cph.internal.n-m.com. A 192.168.100.29 nm-ras-cph.internal.n-m.com. A 192.168.110.20 nm-terminal.internal.n-m.com. A 192.168.100.23 nm-vpn-cph.internal.n-m.com. A 192.168.105.20 nm-whats-up.internal.n-m.com. A 10.0.1.115 nmdict.internal.n-m.com. A 192.168.125.48 nmforce1.internal.n-m.com. A 192.168.100.20 nmforce2.internal.n-m.com. A 192.168.100.21 nmforce21.internal.n-m.com. A 192.168.160.3 nmforce23.internal.n-m.com. A 192.168.160.4 nmforce2web02.internal.n-m.com. A 10.0.1.151 nmforce2web03.internal.n-m.com. A 10.0.1.152 nmforce2web04.internal.n-m.com. A 10.0.1.153 nmforce2web05.internal.n-m.com. A 10.0.1.154 nmforce2web06.internal.n-m.com. A 10.0.1.155 nmforce3.internal.n-m.com. A 192.168.100.22 nmforce3web02.internal.n-m.com. A 10.0.1.156 nmforce3web03.internal.n-m.com. A 10.0.1.157 nmforce3web04.internal.n-m.com. A 10.0.1.158 nmforce3web05.internal.n-m.com. A 10.0.1.159 ns.internal.n-m.com. A 192.168.100.28 nstdb.internal.n-m.com. CNAME francedb.internal.n-m.com. ntp.internal.n-m.com. CNAME mail-cph.dmz.n-m.com. playlab.internal.n-m.com. A 172.30.1.41 pluto.internal.n-m.com. A 192.168.100.57 raiders.internal.n-m.com. A 192.168.160.6 rdadmin.internal.n-m.com. A 192.168.125.70 rdserver.internal.n-m.com. A 10.0.1.201 reportgen.internal.n-m.com. A 192.168.100.41 rob-fw-ext.internal.n-m.com. A 172.17.0.1 robert.internal.n-m.com. A 172.17.0.3 scdev.internal.n-m.com. A 10.0.3.1 securescan.internal.n-m.com. A 172.17.0.2 serouter.internal.n-m.com. A 10.0.0.40 sun.internal.n-m.com. A 192.168.100.65 supportdb.internal.n-m.com. A 172.17.0.50 swatch.internal.n-m.com. A 10.0.1.4 switch.internal.n-m.com. A 10.0.1.3 tatooine.internal.n-m.com. A 192.168.100.39 testlab.internal.n-m.com. A 172.30.0.40 trobert.internal.n-m.com. A 10.0.0.100 us1-mailgate.internal.n-m.com. CNAME us1-mailgate.dmz.n-m.com. usintranet.internal.n-m.com. CNAME intranetdev.internal.n-m.com. vig-service.internal.n-m.com. A 192.168.100.34 vigilante-dev.internal.n-m.com. A 192.168.160.8 vigilante-dev-nx.internal.n-m.com. CNAME vigilante-dev.internal.n-m.com. vigilante-dev-support.internal.n-m.com. CNAME vigilante-dev.internal.n-m.com. vigilantix.internal.n-m.com. A 10.0.1.121 w00dp3ck4z.internal.n-m.com. CNAME pluto.internal.n-m.com. web50.internal.n-m.com. A 192.168.125.50 web51.internal.n-m.com. A 192.168.125.51 web52.internal.n-m.com. A 192.168.125.52 web53.internal.n-m.com. A 192.168.125.53 web54.internal.n-m.com. A 192.168.125.54 web55.internal.n-m.com. A 192.168.125.55 web56.internal.n-m.com. A 192.168.125.56 web57.internal.n-m.com. A 192.168.125.57 web58.internal.n-m.com. A 192.168.125.58 web59.internal.n-m.com. A 192.168.125.59 web60.internal.n-m.com. A 192.168.125.60 web61.internal.n-m.com. A 192.168.125.61 web62.internal.n-m.com. A 192.168.125.62 web63.internal.n-m.com. A 192.168.125.63 web64.internal.n-m.com. A 192.168.125.64 web65.internal.n-m.com. A 192.168.125.65 web66.internal.n-m.com. A 192.168.125.66 web67.internal.n-m.com. A 192.168.125.67 web68.internal.n-m.com. A 192.168.125.68 web69.internal.n-m.com. A 192.168.125.69 webmail.internal.n-m.com. CNAME nm-exch-cph.internal.n-m.com. woodpeckers.internal.n-m.com. CNAME pluto.internal.n-m.com. www.internal.n-m.com. A 172.17.0.6 xserver.internal.n-m.com. A 192.168.125.10 internal.n-m.com. SOA alfred.internal.n-m.com. root.alfred.internal.n-m.com.

Traceroute to host 192.168.160.3: > nmforce21.internal.n-m.com 192.168.160.3

Names gathered: NMFORCE21 NMFORCE21 NMDK NMDK NMDK NMFORCE21 NMDK ..__MSBROWSE__. NMFORCE21 NMFORCE21 NMFORCE21 NMFORCE21 NMFORCE21 MAC Address: 00-50-8B-A3-77-59

Privilege SeIncreaseQuotaPrivilege granted to User: SMSCliToknAcct& of Domain: NMDK Privilege SeIncreaseQuotaPrivilege granted to User: SMS&_NMFORCE21 of Domain: NMDK Privilege SeIncreaseQuotaPrivilege granted to User: services of Domain: NMDK

Privilege SeAssignPrimaryTokenPrivilege granted to User: SMSCliToknAcct& of Domain: NMDK Privilege SeAssignPrimaryTokenPrivilege granted to User: SMS&_NMFORCE21 of Domain: NMDK Privilege SeAssignPrimaryTokenPrivilege granted to User: services of Domain: NMDK

We were able to extract the names of the following groups: Account Operators Administrators Backup Operators Guests Print Operators Replicator Server Operators Users CPH-OFFICE Datacenter rd-database-VIVA SMS Admins SQL_operators VIG-GA-SUB VIG-HR-DK VIG-IT-ADM

Maximum password age is : 999 days

Lockout duration: 0 seconds Lockout observation time: 0 seconds Invalid password authentification before lockout: 0

Transport name: \Device\NetBT_CpqNF31 Transport address: NMFORCE21 Network address: 00508ba37759 Transport name: \Device\NetBT_CpqNF31 Transport address: NMFORCE21 Network address: 00508ba37759

220 nmforce21.internal.n-m.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready

+OK Microsoft Exchange POP3 server version 5.5.2653.22 ready

* OK Microsoft Exchange IMAP4rev1 server version 5.5.2653.22 (nmforce21.internal.n-m.com) ready

Server reply to HELO Fake_Domain: 250 OK

Key with read permission for User: RESTRICTED of Domain: NT AUTHORITY

Os2 file found at location: %SystemRoot%\system32\os2ss.exe

POSIX file found at location: %SystemRoot%\system32\psxss.exe

originate timestamp: 21:07:54.0000 receive timestamp: 21:15:33.0574 round-trip time: 0 ms difference: 00:07:39.0574

IPC$ NAIEventDB ADMIN$ C$

Event date:Sun Mar 10 15:51:25 2002 , ComputerName:INTERNALNX, SourceName:TermDD, EventType:ERROR

Event date:Thu Feb 14 10:48:42 2002 , ComputerName:INTERNALNX, SourceName:Security, EventType:AUDIT_SUCCESS

Event date:Sun Mar 10 15:50:35 2002 , ComputerName:MAH2, SourceName:Application, EventType:INFORMATION

Following event written to Application Event Log: EventID=0, Source=Application

Following event written to System Event Log: EventID=0, Source=System

Privilege SeChangeNotifyPrivilege granted to User: Users of Domain: BUILTIN

Traceroute to host 192.168.161.41: > INTERNALNX 192.168.161.41

Names gathered: INTERNALNX NMDK NMDK INTERNALNX MAC Address: 00-50-DA-DD-DB-12

We were able to extract the names of the following groups: Administrators Backup Operators Guests Power Users Replicator Users NAIEvents

Password history length is : 0

Minimum password length is : 0 characters

Transport name: \Device\NetBT_Tcpip_{5096B0BB-0474-4632-B32F-8817C1491210} Transport address: INTERNALNX Network address: 0050dadddb12 Transport name: \Device\NetBT_Tcpip_{5096B0BB-0474-4632-B32F-8817C1491210} Transport address: INTERNALNX Network address: 0050dadddb12 Transport name: \Device\NetbiosSmb Transport address: INTERNALNX Network address: 000000000000 Transport name: \Device\NetbiosSmb Transport address: INTERNALNX Network address: 000000000000

Account -- Administrator -- is local Account -- Guest -- is local Account -- IUSR_VIGILANTENX -- is local Account -- IWAM_VIGILANTENX -- is local Account -- TsInternetUser -- is local

Date:	Sunday, March 10, 2002 16:21:01
User Name:	xxxxxxxxxx
Company:	xxxxxxxxxx
Session ID:	112
Session Name:	Test 1
Current Job ID:	131
Current Job Date:	March 10, 2002 4:19:31 PM

	Incorrect System Clock Vulnerability	A bad system clock can induce errors by managing your network.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info originate timestamp: 21:07:45.0000 receive timestamp: 00:11:56.0403 round-trip time: 0 ms difference: 20:55:48.0597

	NetBIOS Null Session	Outsiders can access information on the target system without authentication.
	NEW


	ICMP Timestamp Reply Vulnerability	An attacker can flood the local network with undesirable packets.
	First Reported: March 10, 2002 3:45:31 PM


	Traceroute Is Possible	Traceroute is a common command that makes it possible to quickly map a part of your network. An attacker can use this information to prepare an intrusion.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Traceroute to host 192.168.160.10: > SPSERVER 192.168.160.10

	NetBIOS Names Retrieved	An attacker can gather information on a remote system.
	First Reported: March 10, 2002 3:45:31 PM	Port: 137
		Extended Info Names gathered: SPSERVER WORKGROUP SPSERVER WORKGROUP WORKGROUP ..__MSBROWSE__. MAC Address: 00-01-02-A3-B9-38

	HTTP Available Banner Exposure	An attacker can gather information about the Web server that is running, and use it to prepare a strong attack.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80
		Extended Info HTTP server version: dart webserver tool/1.0

	HTTP Directory Listing	The configuration of the Web server does not conform to a strict "need to know" policy, which means that outside users can access more information than they need.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80
		Extended Info /images directory is listable

	discard/udp Service is Running	A remote attacker can usea simple, open and not-very-useful network service named discard/UDP to eat the network bandwidth.
	NEW	Port: 9


	ICMP Timestamp Reply Vulnerability	An attacker can flood the local network with undesirable packets.
	First Reported: March 10, 2002 3:45:31 PM


	Traceroute Is Possible	Traceroute is a common command that makes it possible to quickly map a part of your network. An attacker can use this information to prepare an intrusion.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Traceroute to host 192.168.160.11: > 192.168.160.11 192.168.160.11

	HTTP Available Banner Exposure	An attacker can gather information about the Web server that is running, and use it to prepare a strong attack.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80
		Extended Info HTTP server version: Apache/1.3.19 (Unix) (Red-Hat/Linux) PHP/4.0.6

	Red Hat Linux Apache Remote Username Enumeration Vulnerability	It is possible to know if a user exists on your host from the response returned by your web server.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80


	Apache Split-Logfile File Appending Vulnerability	An attacker can act arbitrarily on your webserver.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80

	Incorrect System Clock Vulnerability	A bad system clock can induce errors by managing your network.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info originate timestamp: 21:07:47.0000 receive timestamp: 16:12:52.0687 round-trip time: 0 ms difference: 04:54:54.0313

	Apache - HTTP Server is Outdated	The Web server running on the system is outdated. An update is recommended.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80


	Apache - HTTP Server is Outdated	The Web server running on the system is outdated. An update is recommended.
	First Reported: March 10, 2002 3:45:31 PM	Port: 443


	discard/udp Service is Running	A remote attacker can usea simple, open and not-very-useful network service named discard/UDP to eat the network bandwidth.
	NEW	Port: 9


	ICMP Timestamp Reply Vulnerability	An attacker can flood the local network with undesirable packets.
	First Reported: March 10, 2002 3:45:31 PM


	Traceroute Is Possible	Traceroute is a common command that makes it possible to quickly map a part of your network. An attacker can use this information to prepare an intrusion.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Traceroute to host 192.168.160.2: > 192.168.160.2 192.168.160.2

	HTTP Available Banner Exposure	An attacker can gather information about the Web server that is running, and use it to prepare a strong attack.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80
		Extended Info HTTP server version: Apache/1.3.11 (Unix) mod_ssl/2.5.0 OpenSSL/0.9.4

	HTTP Available Banner Exposure	An attacker can gather information about the Web server that is running, and use it to prepare a strong attack.
	First Reported: March 10, 2002 3:45:31 PM	Port: 443
		Extended Info HTTP server version: Apache/1.3.11 (Unix) mod_ssl/2.5.0 OpenSSL/0.9.4

	Apache Split-Logfile File Appending Vulnerability	An attacker can act arbitrarily on your webserver.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80


	Apache Split-Logfile File Appending Vulnerability	An attacker can act arbitrarily on your webserver.
	First Reported: March 10, 2002 3:45:31 PM	Port: 443

	Anonymous Remote Registry Access	An attacker can remotely access or change important system parameters.
	First Reported: March 10, 2002 3:45:31 PM


	OS/2 Subsystem Enabled	The OS/2 subsystem process is enabled on a Windows NT machine. An attacker could exploit this to install a backdoor with a Trojan horse.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Os2 file found at location: %SystemRoot%\system32\os2ss.exe

	NT Posix SubSystem Enabled	The Posix subsystem process is enabled on a Windows NT machine. An attacker could exploit this to install a backdoor with a Trojan horse.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info POSIX file found at location: %SystemRoot%\system32\psxss.exe

	Privilege "Act as part of the operating system" Enabled	From an unprivileged account, an attacker could use an advanced Windows NT privilege to gain administrative rights.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Privilege SeTcbPrivilege granted to User: SMSCliToknAcct& of Domain: NMDK Privilege SeTcbPrivilege granted to User: SMS&_NMFORCE21 of Domain: NMDK Privilege SeTcbPrivilege granted to User: us_admin of Domain: NMDK Privilege SeTcbPrivilege granted to User: services of Domain: NMDK

	Unsecured Registry Access	An attacker can remotely access or change important system parameters.
	First Reported: March 10, 2002 3:45:31 PM


	Microsoft Windows NT RPC Endpoint Mapper Denial of Service Vulnerability	A remote attacker can deny access to legitimate users on your vulnerable server.
	First Reported: March 10, 2002 3:45:31 PM


	LDAP Null Base	A remote attacker can access to sensitive information on your network and thus prepare further serious attacks.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info entry 1: attribute: currentTime value: 20020310210815Z attribute: subschemaSubentry value: cn=Aggregate,cn=Schema,cn=Configuration,ou=NMDK,o=Neupart & Munkedal attribute: namingContexts value: ou=_ABViews_,o=Neupart & Munkedal value: cn=Configuration,ou=NMDK,o=Neupart & Munkedal value: cn=Microsoft DMD,ou=NMDK,o=Neupart & Munkedal value: ou=NMDK,o=Neupart & Munkedal value: o=Neupart & Munkedal attribute: defaultNamingContext value: o=Neupart & Munkedal attribute: supportedControl value: 1.2.840.113556.1.4.319 value: 1.2.840.113556.1.4.417 value: 1.2.840.113556.1.4.529 attribute: supportedVersion value: 3 value: 2 attribute: highestCommittedUSN value: 112890

	AT&T VNC Service Available	A remote attacker could gain unauthorized access to your machines, instead of legit users.
	First Reported: March 10, 2002 3:45:31 PM


	Microsoft Network Monitor Multiple Buffer Overflow Vulnerabilities	A remote attacker can access to sensitive information on your vulnerable server.
	First Reported: March 10, 2002 3:45:31 PM


	SMB Share List Obtained	Windows networking resources and information can be gathered without authentication.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info NETLOGON E ADMIN$ IPC$ C$ D$ SMS_USA SMS_SITE PeachTree Filur connect$ SMSLOGON Address Add-ins General checkpoint tracking.log PWRCHUTE Software Resources print$ CAP_USA Internal Data

	NetBIOS Null Session	Outsiders can access information on the target system without authentication.
	First Reported: March 10, 2002 3:45:31 PM


	Read Access to Application Event Log	An important file logging activity can be read remotely by unauthenticated users.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Event date:Sun Mar 10 15:59:22 2002 , ComputerName:NMFORCE21, SourceName:Dns, EventType:INFORMATION

	Read Access to Security Event Log	An important system file logging activity can be read remotely by unauthenticated users.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Event date:Sun Mar 10 16:09:54 2002 , ComputerName:NMFORCE21, SourceName:Security, EventType:AUDIT_SUCCESS

	Read Access to System Event Log	An important system file logging activity can be read remotely by unauthenticated users.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Event date:Sun Mar 10 15:58:20 2002 , ComputerName:NMFORCE21, SourceName:LicenseService, EventType:WARNING

	Write Access to Application Event Log	Outsiders can tamper with an important system file.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Following event written to Application Event Log: EventID=0, Source=Application

	Write Access to Security Event Log	Outsiders can tamper with an important system file.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Following event written to Security Event Log: EventID=0, Source=Security

	Write Access to System Event Log	Outsiders can tamper with an important system file.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Following event written to System Event Log: EventID=0, Source=System

	.reg Files Associated With Regedit.exe	The unsuspecting user can be tricked into executing commands that changed sensitive configuration information. Our solution prevents this dangerous situation.
	First Reported: March 10, 2002 3:45:31 PM


	Privilege "Add workstations to the domain" Enabled	From an unprivileged account, an attacker could use a Windows NT advanced privilege to remotely add workstations and servers to the NT domain.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Privilege SeMachineAccountPrivilege granted to User: GHOST_BKR of Domain: NMDK Privilege SeMachineAccountPrivilege granted to User: sos of Domain: NMDK Privilege SeMachineAccountPrivilege granted to User: zzz-bkr of Domain: NMDK Privilege SeMachineAccountPrivilege granted to User: zzz_hd of Domain: NMDK

	Privilege "Bypass traverse checking" Enabled	In a secure installation, this privilege should not be given to ordinary users.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Privilege SeChangeNotifyPrivilege granted to User: Everyone of Domain:

	Privilege "Restore Files and Directories" Enabled	From an unprivileged account, an attacker could use a Windows NT advanced privilege named "Restore Files and Directories" to replace any file on the server.
	First Reported: March 10, 2002 3:45:31 PM


	DCOM Enabled	The DCOM function is enabled on a Windows NT machine. An attacker could exploit this to install a backdoor with a Trojan horse.
	First Reported: March 10, 2002 3:45:31 PM


	Microsoft Windows NT/2000 NetBIOS Release Vulnerability	It is possible to make your host believe its name is not used any more. Then your host will not further respond to NetBIOS messages.
	First Reported: March 10, 2002 3:45:31 PM


	NT ResetBrowser frame & HostAnnouncement flood patch not installed	These vulnerabilities could allow a malicious user to make it difficult or impossible for users on a network to locate services or other computers on the network. In the worst case, the first vulnerability also could enable the malicious user to provide bogus information to network users.
	First Reported: March 10, 2002 3:45:31 PM


	Relative Shell Path patch not installed	This vulnerability would enable a malicious user to substitute code of his choice for the normal Windows desktop on machines that he can interactively log onto. Such code would run automatically whenever a user subsequently logged onto the same machine, and could take any action the user had privileges to take on the machine.
	First Reported: March 10, 2002 3:45:31 PM


	Microsoft Windows NT 4.0 Networking Mutex DoS Vulnerability	This vulnerability allows a local user to prevent this host from communicating with the network.
	First Reported: March 10, 2002 3:45:31 PM


	Microsoft IIS 4.0/5.0 Multiple Vulnerabilities	A remote attacker can use several meanings to compromise your web server.
	First Reported: March 10, 2002 3:45:31 PM	Port: 80


	NT Terminal Server Multiple Connection Request DoS Vulnerability	A remote attacker can deny access to legitimate users on your vulnerable server.
	First Reported: March 10, 2002 3:45:31 PM


	Microsoft IE Import/Export Favorites Vulnerability	A malicious user can act arbitrarily on your vulnerable server.
	First Reported: March 10, 2002 3:45:31 PM


	DNS Zone Transfer	An attacker can use the name-to-address mapping mechanism to gather sensitive information about the internal network topology.
	First Reported: March 10, 2002 3:45:31 PM	Port: 53
		Extended Info internal.n-m.com. SOA alfred.internal.n-m.com. root.alfred.internal.n-m.com. internal.n-m.com. NS alfred.internal.n-m.com. internal.n-m.com. NS nmforce1.internal.n-m.com. alfred.internal.n-m.com. A 192.168.100.28 alphalab.internal.n-m.com. A 172.30.2.40 appserv.internal.n-m.com. A 192.168.160.5 auto1.internal.n-m.com. A 10.0.3.1 autoscan.internal.n-m.com. A 10.0.3.1 cvs.internal.n-m.com. A 192.168.125.72 devlab.internal.n-m.com. A 172.30.1.40 dk1-netman.internal.n-m.com. A 192.168.100.58 filur.internal.n-m.com. CNAME mercury.internal.n-m.com. firewall.internal.n-m.com. A 192.168.0.2 francedb.internal.n-m.com. A 192.168.208.14 gateway.internal.n-m.com. A 10.0.0.1 gateway-100.internal.n-m.com. A 192.168.100.1 gateway-120.internal.n-m.com. A 192.168.120.1 gateway-125.internal.n-m.com. A 192.168.125.1 gateway-150.internal.n-m.com. A 192.168.150.1 granta.internal.n-m.com. A 192.168.100.33 hp2000c.internal.n-m.com. A 10.0.0.53 hpjet.internal.n-m.com. A 10.0.0.50 hpsales.internal.n-m.com. A 10.0.0.51 inside-120.internal.n-m.com. A 192.168.120.2 inside-125.internal.n-m.com. A 192.168.125.2 inside-150.internal.n-m.com. A 192.168.150.2 intra.internal.n-m.com. A 192.168.125.71 intranet.internal.n-m.com. CNAME sun.internal.n-m.com. intranetdev.internal.n-m.com. A 192.168.160.7 intratest.internal.n-m.com. CNAME nmforce2web02.internal.n-m.com. it-cph.internal.n-m.com. A 192.168.100.31 it-support.internal.n-m.com. CNAME nmforce3web02.internal.n-m.com. lj8000dk.internal.n-m.com. A 10.0.0.52 luna.internal.n-m.com. A 192.168.100.27 mail.internal.n-m.com. CNAME mail.dmz.n-m.com. mail-cph.internal.n-m.com. CNAME mail-cph.dmz.n-m.com. mercury.internal.n-m.com. A 192.168.100.40 netman.internal.n-m.com. CNAME netman.dmz.n-m.com. netman-wc1.internal.n-m.com. CNAME netman-wc1.dmz.n-m.com. news.internal.n-m.com. CNAME alfred.internal.n-m.com. nm-exch-cph.internal.n-m.com. A 192.168.100.29 nm-ras-cph.internal.n-m.com. A 192.168.110.20 nm-terminal.internal.n-m.com. A 192.168.100.23 nm-vpn-cph.internal.n-m.com. A 192.168.105.20 nm-whats-up.internal.n-m.com. A 10.0.1.115 nmdict.internal.n-m.com. A 192.168.125.48 nmforce1.internal.n-m.com. A 192.168.100.20 nmforce2.internal.n-m.com. A 192.168.100.21 nmforce21.internal.n-m.com. A 192.168.160.3 nmforce23.internal.n-m.com. A 192.168.160.4 nmforce2web02.internal.n-m.com. A 10.0.1.151 nmforce2web03.internal.n-m.com. A 10.0.1.152 nmforce2web04.internal.n-m.com. A 10.0.1.153 nmforce2web05.internal.n-m.com. A 10.0.1.154 nmforce2web06.internal.n-m.com. A 10.0.1.155 nmforce3.internal.n-m.com. A 192.168.100.22 nmforce3web02.internal.n-m.com. A 10.0.1.156 nmforce3web03.internal.n-m.com. A 10.0.1.157 nmforce3web04.internal.n-m.com. A 10.0.1.158 nmforce3web05.internal.n-m.com. A 10.0.1.159 ns.internal.n-m.com. A 192.168.100.28 nstdb.internal.n-m.com. CNAME francedb.internal.n-m.com. ntp.internal.n-m.com. CNAME mail-cph.dmz.n-m.com. playlab.internal.n-m.com. A 172.30.1.41 pluto.internal.n-m.com. A 192.168.100.57 raiders.internal.n-m.com. A 192.168.160.6 rdadmin.internal.n-m.com. A 192.168.125.70 rdserver.internal.n-m.com. A 10.0.1.201 reportgen.internal.n-m.com. A 192.168.100.41 rob-fw-ext.internal.n-m.com. A 172.17.0.1 robert.internal.n-m.com. A 172.17.0.3 scdev.internal.n-m.com. A 10.0.3.1 securescan.internal.n-m.com. A 172.17.0.2 serouter.internal.n-m.com. A 10.0.0.40 sun.internal.n-m.com. A 192.168.100.65 supportdb.internal.n-m.com. A 172.17.0.50 swatch.internal.n-m.com. A 10.0.1.4 switch.internal.n-m.com. A 10.0.1.3 tatooine.internal.n-m.com. A 192.168.100.39 testlab.internal.n-m.com. A 172.30.0.40 trobert.internal.n-m.com. A 10.0.0.100 us1-mailgate.internal.n-m.com. CNAME us1-mailgate.dmz.n-m.com. usintranet.internal.n-m.com. CNAME intranetdev.internal.n-m.com. vig-service.internal.n-m.com. A 192.168.100.34 vigilante-dev.internal.n-m.com. A 192.168.160.8 vigilante-dev-nx.internal.n-m.com. CNAME vigilante-dev.internal.n-m.com. vigilante-dev-support.internal.n-m.com. CNAME vigilante-dev.internal.n-m.com. vigilantix.internal.n-m.com. A 10.0.1.121 w00dp3ck4z.internal.n-m.com. CNAME pluto.internal.n-m.com. web50.internal.n-m.com. A 192.168.125.50 web51.internal.n-m.com. A 192.168.125.51 web52.internal.n-m.com. A 192.168.125.52 web53.internal.n-m.com. A 192.168.125.53 web54.internal.n-m.com. A 192.168.125.54 web55.internal.n-m.com. A 192.168.125.55 web56.internal.n-m.com. A 192.168.125.56 web57.internal.n-m.com. A 192.168.125.57 web58.internal.n-m.com. A 192.168.125.58 web59.internal.n-m.com. A 192.168.125.59 web60.internal.n-m.com. A 192.168.125.60 web61.internal.n-m.com. A 192.168.125.61 web62.internal.n-m.com. A 192.168.125.62 web63.internal.n-m.com. A 192.168.125.63 web64.internal.n-m.com. A 192.168.125.64 web65.internal.n-m.com. A 192.168.125.65 web66.internal.n-m.com. A 192.168.125.66 web67.internal.n-m.com. A 192.168.125.67 web68.internal.n-m.com. A 192.168.125.68 web69.internal.n-m.com. A 192.168.125.69 webmail.internal.n-m.com. CNAME nm-exch-cph.internal.n-m.com. woodpeckers.internal.n-m.com. CNAME pluto.internal.n-m.com. www.internal.n-m.com. A 172.17.0.6 xserver.internal.n-m.com. A 192.168.125.10 internal.n-m.com. SOA alfred.internal.n-m.com. root.alfred.internal.n-m.com.

	DNS Server Enabled	The system runs a name-to-address mapping server. Its security must be enforced.
	First Reported: March 10, 2002 3:45:31 PM	Port: 53


	SMTP Relay is Enabled Vulnerability	Mail server accepts and relays mail from unknown sources.
	First Reported: March 10, 2002 3:45:31 PM	Port: 25


	POP3 Service Is Running Vulnerability	An unsecured network service named POP3 is running on the target system.
	First Reported: March 10, 2002 3:45:31 PM	Port: 110


	WINS Fill Log	Bad network configuration allows an outside attacker to fill a log file.
	First Reported: March 10, 2002 3:45:31 PM	Port: 42


	Traceroute Is Possible	Traceroute is a common command that makes it possible to quickly map a part of your network. An attacker can use this information to prepare an intrusion.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Traceroute to host 192.168.160.3: > nmforce21.internal.n-m.com 192.168.160.3

	NetBIOS Names Retrieved	An attacker can gather information on a remote system.
	First Reported: March 10, 2002 3:45:31 PM	Port: 137
		Extended Info Names gathered: NMFORCE21 NMFORCE21 NMDK NMDK NMDK NMFORCE21 NMDK ..__MSBROWSE__. NMFORCE21 NMFORCE21 NMFORCE21 NMFORCE21 NMFORCE21 MAC Address: 00-50-8B-A3-77-59

	Privilege "Increase Quota" Enabled	A user or group has advanced privileges to a currently unused NT function. This privilege must be disabled for all users or groups.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Privilege SeIncreaseQuotaPrivilege granted to User: SMSCliToknAcct& of Domain: NMDK Privilege SeIncreaseQuotaPrivilege granted to User: SMS&_NMFORCE21 of Domain: NMDK Privilege SeIncreaseQuotaPrivilege granted to User: services of Domain: NMDK

	Privilege "Replace Process Level Token" Enabled	From an unprivileged account, an attacker could use a Windows NT advanced privilege named "Replace Process Level Token" to gain administrator rights.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Privilege SeAssignPrimaryTokenPrivilege granted to User: SMSCliToknAcct& of Domain: NMDK Privilege SeAssignPrimaryTokenPrivilege granted to User: SMS&_NMFORCE21 of Domain: NMDK Privilege SeAssignPrimaryTokenPrivilege granted to User: services of Domain: NMDK

	Default Login Name Obtained from Registry Database	The system leaks information on local user names, making cracker's task easier.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info administrator

	NetBIOS Groups Enumerated Through Null Session	Outsiders can gather information on the target system without authentication.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info We were able to extract the names of the following groups: Account Operators Administrators Backup Operators Guests Print Operators Replicator Server Operators Users CPH-OFFICE Datacenter rd-database-VIVA SMS Admins SQL_operators VIG-GA-SUB VIG-HR-DK VIG-IT-ADM

	Minimum Password Age Incorrect Vulnerability	The value that your security policy specifies on the minimum password is shorter than 1 day.
	First Reported: March 10, 2002 3:45:31 PM


	Maximum Password Age Incorrect Vulnerability	The value that your security policy specifies on the maximum password age is longer than 42 days.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Maximum password age is : 999 days

	Password Policy Information Available	An attacker could access information of the structure containing lockout password information.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Lockout duration: 0 seconds Lockout observation time: 0 seconds Invalid password authentification before lockout: 0

	Network Transport List Available	An attacker can use information about transport protocols to prepare further attacks.
	First Reported: March 10, 2002 3:45:31 PM
		Extended Info Transport name: \Device\NetBT_CpqNF31 Transport address: NMFORCE21 Network address: 00508ba37759 Transport name: \Device\NetBT_CpqNF31 Transport address: NMFORCE21 Network address: 00508ba37759

	SMTP Available Banner Vulnerability	An attacker can gather information about the operating system and the SMTP server type running on the remote host.
	First Reported: March 10, 2002 3:45:31 PM	Port: 25
		Extended Info 220 nmforce21.internal.n-m.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready

	POP3 Server Returns Information in Banner Vulnerability	An attacker can gather information about the live operating system or the active POP3 application, to prepare a strong attack.
	First Reported: March 10, 2002 3:45:31 PM	Port: 110
		Extended Info +OK Microsoft Exchange POP3 server version 5.5.2653.22 ready

	IMAP Server Returns Information in Banner Vulnerability	The program used to give acess to users' mailboxes reveals information on the server version, which could be used to launch further attacks.
	First Reported: March 10, 2002 3:45:31 PM	Port: 143
		Extended Info * OK Microsoft Exchange IMAP4rev1 server version 5.5.2653.22 (nmforce21.internal.n-m.com) ready

	SMTP Forgery	When your SMTP server accepts any domain in the HELO command, it is possible for attackers to forge mail from your server.
	First Reported: March 10, 2002 3:45:31 PM	Port: 25
		Extended Info Server reply to HELO Fake_Domain: 250 OK