Dealing with some vulnerabilities on a web server

My server keeps getting broken into.
I have configured everything I could: disabled services, disabled ports, set permissions.
I only left two admin accounts enabled and disabled all the others. Of the default shares I removed everything except IPC$, which cannot be deleted.
IIS was installed; I later disabled all the IIS services and now use Apache.
But when I look at the logs, someone keeps getting in through IIS, and there are always accesses via hostname$.
Below is the result of my X-Scan scan.
www (80/tcp) open service

A "WEB" service is running on this port.
BANNER information:

HTTP/1.1 200 OK
Date: Mon, 27 Oct 2008 08:19:31 GMT
Server: Apache/2.2.4 (Win32) PHP/5.2.4
X-Powered-By: PHP/5.2.4
Set-Cookie: USR=ZoXnACdO%09%091225095571%09http%3A%2F%2F%2F
Connection: close
Content-Type: text/html; charset=gb2312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
-->
<head>
<title>??????????????? </title>
<link rel="
NESSUS_ID : 10330

Info www (80/tcp) HTTP TRACE cross-site attack

Your web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods used to debug web server connections.

Servers that support these methods are exposed to cross-site scripting attacks, usually called "Cross-Site Tracing" (XST) in descriptions of the various browser weaknesses involved.

An attacker may use this flaw to deceive legitimate users and obtain their private information.

Solution: disable these methods.


If you are using Apache, add the following lines to the configuration of each virtual host:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to disable HTTP TRACE requests, or allow only the methods your site needs and your policy permits.

If you are using Sun ONE Web Server release 6.0 SP2 or later, add the following lines to the default object section of obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server release 6.0 SP2 or earlier, compile the NSAPI plug-in available at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603


See also http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/ar ... h/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593

Risk factor: Medium
___________________________________________________________________


The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users to
give him their credentials.


Solution :
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


See also http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
BUGTRAQ_ID : 9506, 9561, 11604
NESSUS_ID : 11213

Info www (80/tcp) Directory scanner

This plug-in attempts to identify common directories present on the remote host.
___________________________________________________________________

The following directories were discovered:
/admin, /phpMyAdmin, /shop, /member

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

NESSUS_ID : 11032
Other references : OWASP:OWASP-CM-006

Info www (80/tcp) HTTP server type and version

The type and version number of the HTTP server were identified.

Solution: configure the server to report an alternate name, e.g. 'Wintendo httpD w/Dotmatrix display'.
Be sure to remove generic Apache artefacts such as the apache_pb.gif logo; with Apache, the directive 'ServerTokens Prod' can be set to restrict the information.
This information comes from the server's own response headers.

Risk factor: Low
___________________________________________________________________

The remote web server type is :

Apache/2.2.4 (Win32) PHP/5.2.4


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
NESSUS_ID : 10107

Info ftp (21/tcp) open service

An "FTP" service is running on this port.
BANNER information:

220 Serv-U FTP Server v7.0 ready...
NESSUS_ID : 10330

Info ftp (21/tcp) FTP server type and version

The type and version of the FTP server can be determined by connecting to the target and reading the banner it sends. This banner gives potential attackers additional information about the system they are attacking. Type and version are disclosed wherever possible.

Solution: change the banner to something generic.

Risk factor: Low
___________________________________________________________________

Remote FTP server banner :
220 Serv-U FTP Server v7.0 ready...
NESSUS_ID : 10092

Info Windows Terminal Services (3389/tcp) open service

A "Windows Terminal Services" service may be running on this port.

NESSUS_ID : 10330

提示 Windows Terminal Services (3389/tcp) Windows Terminal Service Enabled


The Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionary attack against the remote host to try
to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable
to man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimate users by impersonating the
Windows server.

Solution : Disable the Terminal Services if you do not use them, and
do not allow this service to run across the internet

Risk factor : Low
BUGTRAQ_ID : 3099, 7258
NESSUS_ID : 10940

Info unknown (1935/tcp) open service

An unknown service is running on this port.

NESSUS_ID : 10330

Warning www (8080/tcp) Web Server Cross Site Scripting


The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS).
The vulnerability is caused by the result returned to the user when a non-existing file is
requested (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the
attacker's JavaScript/HTML code. Since the content is presented by the server, the user will
give it the trust level of the server (for example, the trust level of banks, shopping
centers, etc. would usually be high).

Sample url : http://124.42.124.131:8080/<SCRIPT>foo</SCRIPT>

Risk factor : Medium

Solutions:
. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/download/update/
- http://www.securiteam.com/window ... _vulnerability.html
. Apache:
- http://httpd.apache.org/info/css-security/
CVE_ID : CVE-2002-1060
BUGTRAQ_ID : 5305, 7344, 7353, 8037, 9245
NESSUS_ID : 10815

Warning www (8080/tcp) Test HTTP dangerous methods

It seems that the PUT method is enabled on your web server
Although we could not exploit this, you'd better disable it
Solution : disable this method
Risk factor : High
BUGTRAQ_ID : 12141
NESSUS_ID : 10498
Other references : OWASP:OWASP-CM-001

Warning www (8080/tcp) Test HTTP dangerous methods

It seems that the DELETE method is enabled on your web server
Although we could not exploit this, you'd better disable it
Solution : disable this method
Risk factor : Medium
BUGTRAQ_ID : 12141
NESSUS_ID : 10498
Other references : OWASP:OWASP-CM-001

Info www (8080/tcp) open service

A "WEB" service is running on this port.
BANNER information:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"8144-1201559974000"
Last-Modified: Mon, 28 Jan 2008 22:39:34 GMT
Content-Type: text/html
Content-Length: 8144
Date: Mon, 27 Oct 2008 08:19:41 GMT
Connection: close

<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file
NESSUS_ID : 10330

Info www (8080/tcp) Directory scanner

This plug-in attempts to identify common directories present on the remote host.
___________________________________________________________________

The following directories were discovered:
/1, /admin, /docs

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

NESSUS_ID : 11032
Other references : OWASP:OWASP-CM-006

Info www (8080/tcp) HTTP server type and version

The type and version number of the HTTP server were identified.

Solution: configure the server to report an alternate name, e.g. 'Wintendo httpD w/Dotmatrix display'.
Be sure to remove generic Apache artefacts such as the apache_pb.gif logo; with Apache, the directive 'ServerTokens Prod' can be set to restrict the information.
This information comes from the server's own response headers.

Risk factor: Low
___________________________________________________________________

The remote web server type is :

Apache-Coyote/1.1

and the 'ServerTokens' directive is ProductOnly.
Apache does not allow the server type to be hidden.

NESSUS_ID : 10107

提示 www (8080/tcp) Apache UserDir Sensitive Information Disclosure

An information leak occurs on Apache based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home
directory and monitoring the response.


Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.

Or

2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1

Or

3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).

Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html


Risk factor : Low
CVE_ID : CAN-2001-1013
BUGTRAQ_ID : 3335
NESSUS_ID : 10766

Info MySql (3306/tcp) open service

A "MySql" service may be running on this port.

NESSUS_ID : 10330

Warning msrdp (3389/tcp) Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability


The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.

An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).

See Also : http://www.oxid.it/downloads/rdp-gbu.pdf
Solution : None at this time.
Risk factor : Medium
CVE_ID : CAN-2005-1794
BUGTRAQ_ID : 13818
NESSUS_ID : 18405

That may be rather a lot; I would be grateful if an expert could help. How should I continue configuring this?
Ports 80 and 8080 are used by the main site's application and cannot be closed; 21 is used to upload files to the server;
3389 is for remote desktop. None of these can be closed. How should I set them up?
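For the TRACE/TRACK finding on port 80 (NESSUS_ID 11213) and the version-disclosure finding (NESSUS_ID 10107), the httpd.conf fragment below is an added example; it is not from the original post or from X-Scan, and it assumes the Apache/2.2.4 (Win32) build shown in the banner. The directive names are real Apache 2.2 directives; the php.ini setting is only named in a comment because it lives outside httpd.conf.

```apache
# Added hardening fragment for the Apache/2.2.4 (Win32) listener on port 80.
# Not part of the original post; assumes a stock Apache 2.2 httpd.conf.

# 1. TRACE (finding 11213). The RewriteRule quoted in the finding works, but it
#    needs mod_rewrite loaded and answers 403. Apache 2.0.55+ and 2.2 have a core
#    directive that needs no module and answers 405 Method Not Allowed instead:
TraceEnable off

#    Apache has no handler for TRACK at all, so TRACK already gets 501; it only
#    exists on IIS, where URLScan is the right tool (see the finding).

# 2. Version disclosure (finding 10107). Collapse "Apache/2.2.4 (Win32) PHP/5.2.4"
#    to "Apache" and drop the version footer from error pages and directory listings.
#    ServerTokens is server-wide and cannot be set per virtual host.
ServerTokens Prod
ServerSignature Off

# 3. The "X-Powered-By: PHP/5.2.4" header in the banner is emitted by PHP, not by
#    httpd; it is switched off in php.ini, not here:
#        expose_php = Off
```

Both changes take effect only after the Apache service is restarted. The RewriteRule from the finding can stay in the virtual hosts as a second layer; TraceEnable off simply makes it unnecessary.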
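For the findings on port 8080 (NESSUS_ID 10815 XSS, NESSUS_ID 10498 PUT and DELETE): the banner "Server: Apache-Coyote/1.1" is the HTTP connector of Apache Tomcat, not Apache httpd, so the httpd-style advice the scanner gives for this port (RewriteRule, 'ServerTokens', 'UserDir') cannot be applied to it. The web.xml fragment below is an added example, not from the original post; it assumes the 8080 listener is a stock Tomcat and that a static file exists at the hypothetical path /errors/404.html. Both elements go inside the existing <web-app> element of the application's WEB-INF/web.xml (or of conf/web.xml to cover every deployed application).

```xml
<!-- Added example for the Tomcat listener on 8080; not part of the original post.
     Place inside the existing <web-app> element. -->

<!-- Finding 10498 (PUT, DELETE), plus TRACE for good measure: a security-constraint
     whose auth-constraint names no role makes Tomcat answer 403 to the listed methods
     on every URL, regardless of what any servlet would have done with them.
     Only the methods listed in <http-method> are constrained; listing none would
     constrain every method, including GET. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>blocked-methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Finding 10815 (script reflected in the response to a non-existent file): serve a
     static page instead of the generated error page that echoes the requested URI.
     The location is an assumed path; it must exist inside the web application. -->
<error-page>
  <error-code>404</error-code>
  <location>/errors/404.html</location>
</error-page>
```

Tomcat's DefaultServlet additionally has a "readonly" init-param (true by default) that decides whether PUT and DELETE on static content are honoured; the finding's "we could not exploit this" is consistent with it still being true, and the constraint above blocks the methods even if someone later flips it. Tomcat has no UserDir module, so check by hand what actually answers /~root on 8080 before treating finding 10766 as real.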
