order ref: 111111 - amazon s3 · 2014-03-19 · 5. vulnerabilities 5.1 unambiguous vulnerability...

19 Mar 2014

For: example.com

Order Ref: 111111

Report Time Period: 01 Jan 2014 to 19 Mar 2014

Copyright © 2014 SSL247 Ltd. All rights reserved.

Phone: 0207 060 3775 | e-Mail: [email protected] | website: www.ssl247.co.uk

1. Overview

1.1 The Evolution of threats to your online business

Websites are the new battleground between malicious hackers, security professionals and online business

owners. The game has changed; malicious hackers are targeting websites in order to compromise them, steal

precious business information and employ legitimate benign websites to do their dirty work for them. Malicious

hackers are no longer focused on defacing websites, their motivation has become even more dangerous for

online business owners. Websites are now being more commonly hacked to be used as distributors of malware,

to infect millions of visitors unknowingly with viruses and malware. These kinds of attacks destroy the reputation

of more than 6,600 websites every single day. It is imperative to sit up and take notice, and employ a mechanism

which will protect your website against these kinds of devastating attacks.

1. 2 Goodbye search engine rankings: malware can render your site invisible

When your site is infected by malware, it is quarantined by search engines such as Google, Yahoo, Bing and

many others. They don’t want you infecting innocent visitors to your site. This ‘blacklisting’ will see your

hard-fought search engine rankings drop to zero overnight, leaving your investment in Search Engine

Optimisation (SEO) a complete waste. Most modern browsers will even block your site, rendering your website

invisible. If no one can see or visit your website then your business will flat-line. Not only will your revenue and

reputation take a significant – perhaps, irreparable - hit, but recovering from blacklisting is no picnic. The effects

of being blacklisted are devastating, but this time-consuming, resource-draining and costly recovery process can

be avoided all together if malware is detected and prevented in good time.

1. 3 How HackAvert® will ensure your online business' survival

HackAvert®'s advanced services can protect the reputation of your online business. HackAvert's advanced

technology constantly evolves to stay a step ahead of the malicious hackers. This report lets you take complete

control of website (before hackers do) and helps you take measures to protect your property, improve your site’s

performance, and increase your online business.



2. Your HackAvert® Subscription

Order Ref 111111

Domain www.example.com

Account Code EXAMP03

Duration 1 Year

Subscription Date 01 JAN 2014 11:26

Expiry Date 01 JAN 2015 11:26

Status Active

Automatic Cleanup Disabled

Rating Bad

Last Vulnerabilities Scan 10 MAR 2014 20:01

Last Health Monitoring Scan 06 MAR 2014 08:05



3. Reputation Monitoring

3.1 How is your website perceived on the internet?

The Reputation section provides information to answer the above questions: Is your website on any blacklist? Is

your SSL certificate expiring soon? Are any of the search engines blacklisting your website? And much more. It

is divided into two sections:

1. Ecosystem: This section shows you the results of the reputation information regarding your IP, your host,

and whether your IP is listed in Botnets or not.

2. Blacklists: This section shows you the results of checking your domain name against various data

sources such as Google malware, Google Phishing, DNS blacklists, Phishing blacklists and much more. An

alert icon indicates that a particular data source has an unfavourable perception of your domain.

3.2 How your reputation looks today (2014-03-19)

E

C

O

S

Y

S

T

E

M

SSL Status safe (Valid)

SSL Expiration safe (Mar 2 09:56:07 2016 GMT)

SSL Type good (Standard SSL Certificate)

IP Reputation safe (Botnet activity not detected)

Network Reputation poor (26 Malicious websites hosted by your ISP)

B

L

A

C

K

L

I

S

T

S

Bing safe

Google Phishing safe

Symantec safe

Clean-MX safe (0 Spam/Phishing incidents reported)

Reputation safe (Legitimate site)

Yahoo safe

SURBL Spam Blacklists safe

McAfee safe

PhishTank safe (Active Phishing activity not reported)

Google safe

SSL Ciphers safe (DHE-RSA-AES256-SHA)

SpamCop safe (Spam activity not reported)

DNS Blacklists safe

Malware URL safe (Malware activity not reported)

Malware Patrol safe (Malware activity not reported)



4. Website performances

4.1 What does it mean? Why does it matter?

Customers expect good user experience when they’re visiting your website. Slow loading pages and downtime

are a sure-fire way to test your customer’s patience and commitment to their purchases.

With HackAvert® you won’t lose transactions this way. With its Speed Monitoring function you can see how fast

your webpages are loading, so you can gauge the quality of user experience, and amend the pages that are

letting you down.

Plus, you can ensure website downtime doesn't send your customers elsewhere. HackAvert®’s Uptime

Monitoring notifies you when your site is having problems so you can rectify the situation quickly, at the expense

of the fewest customers possible.

4.2 Your uptime and speed monitoring reports

Up-time Monitoring gives you an overview of the availability of your website including details on down time. In

the event that your site went down, you should have received an email alert. Please find below the details of

your site's uptime during your selected time period. The red sector indicates the percentage of downtime your

website experienced over the duration, while the green indicates the percentage of the time your site was up.



Below you'll find the exact time(s) your website experienced downtime. By pinpointing the moment your site went

down, you can begin to understand why, and stop it happening again. Reducing downtime will increase user

experience for your visitors, so it's well worth noting.

Reported downtimes for www.example.com between 2014-01-10 00:00:00 and 2014-03-19 23:59:59:

Please find below the details of your site's speed and average response time over your selected time period.

With this information you get a greater understanding of how long it takes to access your site. This is important

to take into account when considering user experience.



5. Vulnerabilities

5.1 Unambiguous vulnerability assessment

This report shows vulnerabilities for www.example.com found between 2014-01-01 00:00:00 and

2014-03-19 23:59:59.

The standard policies of scanning, as described in Robots.txt, were respected and no attempts were made to

use brute force to gain access to restricted (login) pages. Several safety and conformance issues have been

identified and are presented in this report. To make it easier, we group vulnerabilities into: (a) server level

analysis and (b) software level analysis.

When appropriate, we associate each vulnerability that we found with the commonly-used identifier found in the

Open Source Vulnerability Database [OSVDB] and colour code them.

Risk Rating:

Critical. A vulnerability, that if exploited, can result in immediate threats to your target system and will likely

cause harmful or significant effects such as compromise of your system's confidentiality, integrity, or availability

of data and resource. It should be investigated immediately to reduce the risk of a successful attack.

Important. An important vulnerability, which may not be critical, but can still be used by a malicious hacker to

cause significant harm. It should still be investigated quickly to prevent the vulnerability becoming greater.

Informational. A vulnerability that is a low risk issue or warning and has minimal impact to your target system. If

exploited, the vulnerability won't lead to immediate data loss or system compromise. However, it should be

investigated to further minimise potential adverse effects.

In the case that we found vulnerabilities on your server and/or application during your selected time period, you'll

find a graph depicting the spread of vulnerabilities. Ranging from informational (i.e. good to know) to critical

(act-now vulnerabilities) the findings are colour-coded and should be used to prioritise amendments.



Server Vulnerabilities Application Vulnerabilities

Use the information in the graph below to chart your site's vulnerabilities and track the progress your site is

making.



5.2 Vulnerabilities summary

A total of 23 vulnerabities were found during this report period.

# Summary (6 existing vulnerabities at the end of this report period) Risk Rating Group Date Found

1 It is possible to guess the remote operating system. Important Server 2014-01-10

2 It is possible to guess the remote device type. Important Server 2014-01-10

3 Security patches are backported. Informational Server 2014-01-10

4 It was possible to obtain traceroute information. Informational Server 2014-01-10

5 It is possible to enumerate CPE names that matched on the remote\n system. Informational Server 2014-01-10

6 An FTP server is listening on this port. Informational Server 2014-01-10

# Summary (17 vulnerabities were fixed during report period) Risk Rating Group Date Fixed

7 The remote web server is prone to cross-site scripting attacks. Critical App 2014-01-10

8 SSH is configured to allow MD5 and 96-bit MAC algorithms. Important Server 2014-01-10

9 The remote web server does not return 404 error codes. Important Server 2014-01-10

10 Authentication credentials might be intercepted. Important Server 2014-01-10

11 The SSH server is configured to use Cipher Block Chaining. Important Server 2014-01-10

12 Some information about the remote HTTP configuration can be extracted. Informational Server 2014-01-10

13 An SSH server is listening on this port. Informational Server 2014-01-10


15 An SSH server is listening on this port. Informational Server 2014-01-10

16 The name of the Linux distribution running on the remote host was found\n in the banner of the web

server.

Informational Server 2014-01-10

17 It is possible to obtain the version number of the remote PHP\n install. Informational Server 2014-01-10

18 A web server is running on the remote host. Informational Server 2014-01-10


20 A SSH server is running on the remote host. Informational Server 2014-01-10

21 It was possible to resolve the name of the remote host. Informational Server 2014-01-10

22 The remote web server contains a 'robots.txt' file. Informational Server 2014-01-10

23 It is possible to obtain the version number of the remote PHP\n install. Informational Server 2014-03-06



5.3 Details regarding the still-existing vulnerabilities from the report period

5.3.1 Server level analysis

5.3.1.1 Critical vulnerabilities

No Server Critical Vulnerabilities (High Priority) were found during the requested report period.

5.3.1.2 Important vulnerabilities

Impact:

It is possible to guess the remote operating system.

First identified:

2014-01-10 16:57:09

Details: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP,

etc...), it is possible to guess the name of the remote operating

system in use. It is also sometimes possible to guess the version of

the operating system.

Plugin Output: Remote operating system :

Confidence Level : 95

Method : SSH

The remote host is running

Impact:

It is possible to guess the remote device type.

First identified:

2014-01-10 16:57:09

Details: Based on the remote operating system, it is possible to determine

what the remote system type is (eg: a printer, router, general-purpose

computer, etc).

Plugin Output: Remote device type :

Confidence level : 95

5.3.1.3 Informational notices

Impact:

Security patches are backported.

First identified:

2014-01-10 16:57:09

Details: Security patches may have been 'backported' to the remote FTP server

without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any

security problem.

Output: Give HackAvert credentials to perform local checks.



Impact:

It was possible to obtain traceroute information.

First identified:

2014-01-10 16:57:09

Details: Makes a traceroute to the remote host.

Output: For your information, here is the traceroute from 50.56.232.140 to

188.78.110.41 :

64.192.76.142

119.159.254.246

62.142.103.73

62.7.52.87

Impact:

It is possible to enumerate CPE names that matched on the remote\n system.

First identified:

2014-01-10 16:57:09

Details: By using information obtained from a HackAvert scan, this plugin reports

CPE (Common Platform Enumeration) matches for various hardware and

software products found on a host.

Note that if an official CPE is not available for the product, this

plugin computes the best possible CPE based on the information available

from the scan.

Output: The remote operating system matched the following CPE :

cpe:

Following application CPE's matched on the remote system :

cpe:/

cpe:/

Server 2.2.22

cpe:/

Impact:

An FTP server is listening on this port.

First identified:

2014-01-10 16:57:09

Details: It is possible to obtain the banner of the remote FTP server by

connecting to the remote port.

Output: The remote FTP banner is :

5.3.2 Application level analysis


No Application Critical Vulnerabilities (High Priority) were found during the requested report period.


No Application Important Vulnerabilities (Medium Priority) were found during the requested report period.




No Application Informational Vulnerabilities (Low Priority) were found during the requested report period.



5.4 Details regarding the fixed vulnerabilities during the report period

5.4.1 Server level analysis


No Server Critical Vulnerabilities (High Priority) were found during the requested report period.


Impact:

SSH is configured to allow MD5 and 96-bit MAC algorithms.

First identified:

2014-01-10 16:57:09

Details: The SSH server is configured to allow either MD5 or 96-bit MAC

algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server and

does not check for vulnerable software versions.

Plugin Output: The following client-to-server Method Authentication Code (MAC) algorithms

are supported :

hmac-md5

hmac-sh

hmac-sh

The following server-to-client Method Authentication Code (MAC) algorithms

are supported :

hmac-

hmac-md5

hmac-sh

hmac-sh

hmac-sh

Recommendation: Contact the vendor or consult product documentation to disable MD5 and

96-bit MAC algorithms.

Impact:

The remote web server does not return 404 error codes.

First identified:

2014-01-10 16:57:09

Details: The remote web server is configured such that it does not return '404

Not Found' error codes when a nonexistent file is requested, perhaps

returning instead a site map, search page or authentication page.

HackAvert has enabled some counter measures for this. However, they

might be insufficient. If a great number of security holes are

produced for this port, they might not all be accurate.

Plugin Output: CGI scanning will be disabled for this host because the host responds

to requests for non-existent URLs with HTTP code 302

rather than 404. The requested URL was :



Impact:

Authentication credentials might be intercepted.

First identified:

2014-01-10 16:57:09

Details: The remote FTP server allows the user's name and password to be

transmitted in clear text, which could be intercepted by a network

sniffer or a man-in-the-middle attack.

Plugin Output: This FTP server does not support 'AUTH TLS'.

Other references :

Recommendation: Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS).

In the latter case, configure the server so that control connections

are encrypted.

Impact:

The SSH server is configured to use Cipher Block Chaining.

First identified:

2014-01-10 16:57:09

Details: The SSH server is configured to support Cipher Block Chaining (CBC)

encryption. This may allow an attacker to recover the plaintext message

from the ciphertext.

Note that this plugin only checks for the options of the SSH server and

does not check for vulnerable software versions.

Plugin Output: The following client-to-server Cipher Block Chaining (CBC) algorithms

are supported :

aes192-cbc

aes256-cbc

blowfish-cbc

The following server-to-client Cipher Block Chaining (CBC) algorithms

are supported :

3des-cbc

aes128-cbc

aes192-cbc

aes256-cbc

blowfish-cbc

cast128-cbc

CVE :

BID : 32319

Other references : OSVDB

Recommendation: Contact the vendor or consult product documentation to disable CBC mode

cipher encryption, and enable CTR or GCM cipher mode encryption.




Impact:

Some information about the remote HTTP configuration can be extracted.

First identified:

2014-01-10 16:57:09

Details: This test gives some information about the remote HTTP protocol - the

version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,

etc...

This test is informational only and does not denote any security

problem.

Output: Protocol version :

SSL :

Keep-Alive :

Options allowed : (Not implemented)

Headers :

Date: Fri, 10 Jan 2014 16:13:59 GMT

Server:

Expires:

Pragma: no-cache

Vary: Accept-Encoding

Keep-Alive:

Connection:

Transfer-Encoding:

Content-Type:

Impact:

An SSH server is listening on this port.

First identified:

2014-01-10 16:57:09

Details: It is possible to obtain information about the remote SSH

server by sending an empty authentication request.

Output: SSH version :

SSH supported authentication : publickey,password

Impact:


First identified:

2014-01-10 16:57:09

Details: Security patches may have been 'backported' to the remote SSH server




security problem.


Impact:

An SSH server is listening on this port.

First identified:

2014-01-10 16:57:09

Details: This script detects which algorithms and languages are supported by the

remote service for encrypting communications.

Output: HackAvert negotiated the following encryption algorithm with the server :

aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group

diffie-hellman-group1-

diffie-hellman-group

ecdh-sha2

ecdh-sha2

ecdh-sha2

The server supports the following options for server_host_key_algorithms :

ecds

ssh

ssh

The server supports the following options for

encryption_algorithms_client_to_server :



3des-cbc

aes128-cbc

aes128-ctr

aes192-cbc

aes192-ctr

aes256-cbc

aes256-ctr

arcfour

arcfour128

arcfour256

blowfish-cbc

cast128-cbc


encryption_algorithms_server_to_client :

3des-cbc

aes128-cbc

aes128-ctr

aes192-cbc

aes192-ctr

aes256-cbc

aes256-ctr

arcfour

arcfour128

arcfour256

blowfish-cbc

cast128-cbc


mac_algorithms_client_to_server :

hmac-md5

hmac-md5-96

hmac-ripemd160

hmac-sha1

hmac-sha1-96

hmac-sha2-256

hmac-sha2-256-96

hmac-sha2-512

hmac-sha2-512-96


mac_algorithms_server_to_client :

hmac-md5

hmac-md5-96

hmac-ripemd160

hmac-sha1

hmac-sha1-96

hmac-sha2-256

hmac-sha2-256-96

hmac-sha2-512

hmac-sha2-512-96


compression_algorithms_client_to_server :

none


compression_algorithms_server_to_client :

none



Impact:

The name of the Linux distribution running on the remote host was found\n in the banner of the web server.

First identified:

2014-01-10 16:57:09

Details: test extracts the banner

Output: The linux distribution detected was :

- Ubuntu 12.04 (precise)

- Ubuntu 12.10 (quantal)

- Ubuntu 13.04 (raring)

Recommendation: If you do not wish to display this information, edit httpd.conf and

set the directive 'ServerTokens Prod' and restart

Impact:

It is possible to obtain the version number of the remote PHP\n install.

First identified:

2014-01-10 16:57:09

Details: This plugin attempts to determine the version of PHP available on the

remote web server.

Output: HackAvert was able to identify the following PHP version information :

Version :

Source :

Impact:

A web server is running on the remote host.

First identified:

2014-01-10 16:57:09

Details: This plugin attempts to determine the type and the version of the

remote web server.

Output: The remote web server type is :

You can set the directive 'ServerTokens Prod' to limit the information

emanating from the server in its response headers.

Impact:


First identified:

2014-01-10 16:57:09

Details: Security patches may have been 'backported' to the remote HTTP server




security problem.


Impact:

A SSH server is running on the remote host.

First identified:

2014-01-10 16:57:09

Details: This plugin determines the versions of the SSH protocol supported by

the remote SSH daemon.

Output: The remote SSH daemon supports the following versions of the

SSH protocol :

- 1.99

- 2.0

SSHv2 host key fingerprint :

Impact:

It was possible to resolve the name of the remote host.

First identified:

2014-01-10 16:57:09

Details: HackAvert was able to resolve the FQDN of the remote host.

Output:



Impact:

The remote web server contains a 'robots.txt' file.

First identified:

2014-01-10 16:57:09

Details: The remote host contains a file named 'robots.txt' that is intended to

prevent web 'robots' from visiting certain directories in a web site for

maintenance or indexing purposes. A malicious user may also be able to

use the contents of this file to learn of sensitive documents or

directories on the affected site and either retrieve them directly or

target them for other attacks.

Output: Contents of robots.txt :

User-agent: *

Disallow:

Disallow:

Disallow:

Disallow:

Disallow:

Disallow:

Disallow:

Other references :

Recommendation: Review the contents of the site's robots.txt file, use Robots META tags

instead of entries in the robots.txt file, and/or adjust the web

server's access controls to limit access to sensitive material.

Impact:

It is possible to obtain the version number of the remote PHP\n install.

First identified:

2014-03-06 12:09:13

Details: This plugin attempts to determine the version of PHP available on the

remote web server.

Output: HackAvert was able to identify the following PHP version information :

Version :

Source :

5.4.2 Application level analysis




Impact:

The remote web server is prone to cross-site scripting attacks.

First identified:

2014-01-10 16:57:09

Details: The remote host is running a web server that fails to adequately

sanitize request strings of malicious JavaScript. By leveraging this

issue, an attacker may be able to cause arbitrary HTML and script code

to be executed in a user's browser within the security context of the

affected site.

Output: The request string used to detect this flaw was :

The output was :

HTTP/1.1 200 OK

Date: F

Server:

X-Powered-By:

Expires:

Pragma: no-cache

Vary: Accept-Encoding

Keep-Alive:

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01

<div id=header_row1>

<div id=header_row1_l>

CVE-2012-3382

BID : 5011, 5305, 7344, 7353, 8037, 14473, 17408, 54344

Other references : OSVDB:4989, OSVDB:18525, OSVDB:24469, OSVDB:42314,

OSVDB:58976, OSVDB:83683, CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74,

CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116

Recommendation: Contact the vendor for a patch or upgrade.


No Application Important Vulnerabilities (Medium Priority) were found during the requested report period.


No Application Informational Vulnerabilities (Low Priority) were found during the requested report period.



6. Disclaimer

Except as expressly stated in an agreement between you and SSL247 LTD or SSL247 SARL, all content

provided on this file is provided "as is" without warranty of any kind, either expressed or implied. SSL247 LTD

and SSL247 SARL and its suppliers and licensors disclaim all warranties, expressed or implied including, without

limitation, those of merchantability, fitness for a particular purpose and noninfringement. You are solely

responsible for the appropriateness of this file and its content offered by SSL247 LTD or SSL247 SARL for your

personal information only, and not intended to be relied upon for any action or decision. This information is

gathered through automated means and is subject to change. SSL247 LTD and SSL247 SARL do not warrant

that this file and its content meet your requirements. Subject to the terms of any agreement between you and

SSL247 LTD or SSL247 SARL, its suppliers and licensors shall not be liable for any errors, inaccuracies, or

delays in content, or for any actions taken in reliance thereon or for any direct, indirect, special, consequential,

incidental, or punitive damages, even if SSL247 LTD or SSL247 SARL, its suppliers or licensors have been

advised of the possibility of such damages. Certain state laws do not allow limitations on implied warranties or

the exclusion or limitation of certain damages. If these laws apply to you, some or all of the above disclaimers,

exclusions, or limitations may not apply to you, and you might have additional rights.



order ref: 111111 - amazon s3 · 2014-03-19 · 5. vulnerabilities 5.1 unambiguous vulnerability...

Documents