Detailed Listing

Print Date: 02/20/2006 Page 1 of 6 Detailed Listing

Scanner Version: 5.40 Update: 16 Scan Description: 2006-02-20_10-45_VPM_1_55113 Configuration File: Advisory Unknown service: Array Configuration Utility Unknown service: CA BrightStor Universal Agent Unknown service: HP Power Manager 3.1 Unknown service: PassGo SLP Service Agent Unknown service: HP ITO Agent Unknown service: eTrust Antivirus RPC Server Unknown service: eTrust Antivirus Realtime Server Unknown service: eTrust Antivirus Job Server Unknown service: PassGo Access Control Agent Unknown service: CA Backup Agent for Open Files Known service: Application Experience Lookup Service Known service: Application Management Known service: Windows Audio Known service: Computer Browser Known service: CA BrightStor Discovery Service Known service: HP Insight NIC Agent Known service: HP ProLiant Remote Monitor Service Known service: HP Version Control Agent Known service: HP Insight Foundation Agents Known service: HP Insight Server Agents Known service: HP Insight Storage Agents Known service: Cryptographic Services Known service: DCOM Server Process Launcher Known service: Distributed File System Known service: DHCP Client Known service: DHCP Server Known service: Logical Disk Manager Known service: DNS Server Known service: DNS Client Known service: Error Reporting Service Known service: Event Log Known service: COM+ Event System Known service: Help and Support Known service: Intersite Messaging Known service: Kerberos Key Distribution Center Known service: Server Known service: Workstation Known service: TCP/IP NetBIOS Helper Known service: Event Log Watch Known service: Distributed Transaction Coordinator Known service: Net Logon Known service: Network Connections Known service: Network Location Awareness (NLA) Known service: File Replication Service Known service: Plug and Play Known service: IPSEC Services Known service: Protected Storage Known service: Radia Notify Daemon Known service: Radia Scheduler Daemon Known service: Radia MSI Redirector Known service: Remote Access Connection Manager Known service: Remote Registry Known service: Radia Management Agent Known service: Remote Procedure Call (RPC)

Print Date: 02/20/2006 Page 2 of 6 Detailed Listing

Scanner Version: 5.40 Update: 16 Scan Description: 2006-02-20_10-45_VPM_1_55113 Configuration File: Advisory

Known service: Wireless Configuration

Description Solution Intruders could potentially implant services which run with system Disable the service if not needed: level permissions. Malicious services can be used to install backdoors, cause denial of service, or provide unauthorized Click on Start | Settings | Control Panel | Administrative Tools | network access to the system Services. Identify if the service running belongs on your system. If it is not needed, double click on the service and select "Disabled" and click on "OK."

You may also use the instsrv tool from the Windows NT Resource Kit to remove an unwanted service. The command is "instsrv [service name] remove" and press .

Note: Unknown services may contain third party applications.

To add a valid service, edit the services.txt file in the \Program files\Stat Scanner directory. You can also open STAT Scanner and click on Edit | Options | Advanced | Edit Services List. You now can add or remove a service from the services list.

Print Date: 02/20/2006 Page 3 of 6 Detailed Listing

Scanner Version: 5.40 Update: 16 Scan Description: 2006-02-20_10-45_VPM_1_55113 Configuration File: Advisory Machine Info: cs-adc-d01 OS: W2K3S Assessed: Yes Address: 10.65.11.50 ? ID: W0827 Risk: Warning Name: Ports - Windows Specific Info Suspect port / threat(s): 7 / echo ( GET / HTTP/1.1 ) 9 / discard 13 / daytime 17 / qotd 19 / chargen ( !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg ) 53 / domain, dns 88 / kerberos 135 / epmap, location service, rpc 139 / netbios-ssn, NetBIOS Session Service ( ƒ ) 381 / hp-collector ( HTTP/1.1 404 Not Found ) 383 / hp-alarm-mgr ( HTTP/1.1 404 Not Found ) 389 / ldap 427 / svrloc 445 / microsoft-ds, Microsoft Directory Services 464 / kpasswd, Kerberos v5 511 / passgo, T0rn Rootkit 593 / http-rpc-epmap ( ncacn_http/1.0 ) 636 / ldaps, LDAP over SSL 1025 / listener, IIS, NFS, blackjack 1030 / iad1 ( ncacn_http/1.0 ) 1103 / xaudio 1438 / eicon-server 2301 / HP Insight WEB Agent (http) ( HTTP/1.1 400 Bad Request ) 2381 / HP Insight WEB Agent (https) ( ) 3268 / Global Catalog LDAP 3269 / Global Catalog LDAP over SSL 3389 / ms-term-serv 6050 / arcserve 49400 / HP Insight WEB Agent (internal use)

Print Date: 02/20/2006 Page 4 of 6 Detailed Listing

Scanner Version: 5.40 Update: 16 Scan Description: 2006-02-20_10-45_VPM_1_55113 Configuration File: Advisory Description Solution TCP and UDP use port numbers to identify higher-layer services. Run an anti-virus program with the most recent update signature. Both well-known and potentially malicious ports were scanned by Check your system services. STAT Scanner. Existing Trojan horses and backdoor programs use certain ports for remote access. The lower ports are often used by Trojans that steal passwords and either mail the passwords to Investigate all ports and services to determine whether they are attackers or hide them in directories. The higher ports are often legitimate or not. If the port scan is showing a legitimate port (e.g., 23 - used by Remote Access Trojans that can be reached over the telnet), go to Edit | Options | Advanced and click on Edit Bad Ports List network. If you find portmapper probes directed against ports to remove any port check. This will filter out the particular port during normally not used, it may be someone trying to connect to a the port scan and this port will not show up in the Specific Info or any Trojan horse inside your network. The default scan shows all TCP of the STAT Scanner reports. You can also add or remove port ports open. The ports scanned are listed in the malports.txt file numbers in the malports_custom.txt file in the \Program located in the \Program Files\STAT\Scanner folder. Files\STAT\Scanner folder.

To check for all open ports, type "netstat -a" from the command line.

Determine whether or not there has been a compromise. If there has, take steps to recover and re-secure your network.

Disable any service that the system is not using because any open service or port offers attackers a possible entry into your system.

For Windows XP, SP2, run the "netstat -anob" command to get the process ID (PID) and service being used by the port.

Print Date: 02/20/2006 Page 5 of 6 Detailed Listing

Scanner Version: 5.40 Update: 16 Scan Description: 2006-02-20_10-45_VPM_1_55113 Configuration File: Advisory Machine Info: cs-adc-d01 OS: W2K3S Assessed: Yes Address: 10.65.11.50 ? ID: W2642 CVE-2005-2128 Risk: High Name: DirectShow Unchecked Buffer Vulnerability Specific Info %SystemRoot%\system32\quartz.dll; date: 2005/03/24 Web Site: http://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx,

Description Solution Microsoft DirectShow is used for streaming media on Microsoft Install the DirectShow patch. Windows operating systems. DirectShow is used for high-quality capture and playback of multimedia streams. It automatically Go to detects and uses video and audio acceleration hardware when http://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx, available, but also supports systems without acceleration find your affected software, and download and install the patch. hardware. It is also integrated with other DirectX technologies. There is an unchecked buffer in DirectShow. This is a remote MS05-050 supercedes MS03-030. code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system.

Print Date: 02/20/2006 Page 6 of 6