
Handling some vulnerabilities on a web server

My server keeps getting broken into.
I have configured everything that should be configured: disabled services, disabled ports, permissions.
I only enabled two administrator accounts and disabled all the others. Of the default shares, I deleted all of them except IPC$, which cannotot be deleted.
IIS was installed; later I disabled all the IIS services, and I am now using Apache.
But looking at the logs, someone is always getting in through IIS, and there is always access through hostname$.
Below is the result of my scan with Xscan.
www (80/tcp) Open service

"WEB" service is running on this port
BANNER information:

HTTP/1.1 200 OK
Date: Mon, 27 Oct 2008 08:19:31 GMT
Server: Apache/2.2.4 (Win32) PHP/5.2.4
X-Powered-By: PHP/5.2.4
Set-Cookie: USR=ZoXnACdO%09%091225095571%09http%3A%2F%2F%2F
Connection: close
Content-Type: text/html; charset=gb2312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
-->
<head>
<title>??????????????? </title>
<link rel="
NESSUS_ID : 10330

Info www (80/tcp) HTTP TRACE cross-site attack

Your web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods used to debug web server connections.

Servers supporting these methods have been shown to be subject to cross-site scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various browser weaknesses.

An attacker may use this flaw to trick legitimate users and obtain their private information.

Solution: disable these methods.


If you are using Apache, add the following lines to the configuration of each virtual host:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests, or allow only the methods required by the site and its policy.

If you are using Sun ONE Web Server release 6.0 SP2 or later, add the following to the default object section of obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server release 6.0 SP2 or earlier, compile the NSAPI plugin from:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603


See also http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/ar ... h/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593

Risk factor: Medium
BUGTRAQ_ID : 9506, 9561, 11604
NESSUS_ID : 11213

Info www (80/tcp) Directory scanner

This plugin attempts to identify common directories present on the remote host.
___________________________________________________________________

The following directories were discovered:
/admin, /phpMyAdmin, /shop, /member

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

NESSUS_ID : 11032
Other references : OWASP:OWASP-CM-006

Info www (80/tcp) HTTP server type and version

The type and version of the HTTP server were discovered.

Solution: configure the server to use an alternate name, e.g. 'Wintendo httpD w/Dotmatrix display'.
Make sure to remove generic Apache logos such as apache_pb.gif; with Apache you can set 'ServerTokens Prod' to limit this information.
This information comes from the server's own response headers.

Risk factor: Low
___________________________________________________________________

The remote web server type is :

Apache/2.2.4 (Win32) PHP/5.2.4


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
NESSUS_ID : 10107

Info ftp (21/tcp) Open service

"FTP" service is running on this port.
BANNER information:

220 Serv-U FTP Server v7.0 ready...
NESSUS_ID : 10330

Info ftp (21/tcp) FTP server type and version

The type and version of the FTP server can be determined by logging in to the target server and reading the banner it returns. This banner gives potential attackers additional information about the system they are attacking. Version and type information should be omitted wherever possible.

Solution: change the login banner to something generic.

Risk factor: Low
___________________________________________________________________

Remote FTP server banner :
220 Serv-U FTP Server v7.0 ready...
NESSUS_ID : 10092

Info Windows Terminal Services (3389/tcp) Open service

"Windows Terminal Services" service may be running on this port.

NESSUS_ID : 10330

Info Windows Terminal Services (3389/tcp) Windows Terminal Service Enabled


The Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionary attack against the remote host to try
to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable
to man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimate users by impersonating the
Windows server.

Solution : Disable the Terminal Services if you do not use them, and
do not allow this service to run across the internet.

Risk factor : Low
BUGTRAQ_ID : 3099, 7258
NESSUS_ID : 10940

Info unknown (1935/tcp) Open service

An unknown service is running on this port.

NESSUS_ID : 10330

Warning www (8080/tcp) Web Server Cross Site Scripting


The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused
by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided
in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust
level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).

Sample url :
http://124.42.124.131:8080/<SCRIPT>foo</SCRIPT>

Risk factor : Medium

Solutions:
. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/download/update/
- http://www.securiteam.com/window ... _vulnerability.html
. Apache:
- http://httpd.apache.org/info/css-security/
CVE_ID : CVE-2002-1060
BUGTRAQ_ID : 5305, 7344, 7353, 8037, 9245
NESSUS_ID : 10815

Warning www (8080/tcp) Test HTTP dangerous methods

It seems that the PUT method is enabled on your web server.
Although we could not exploit this, you'd better disable it.
Solution : disable this method
Risk factor : High
BUGTRAQ_ID : 12141
NESSUS_ID : 10498
Other references : OWASP:OWASP-CM-001

Warning www (8080/tcp) Test HTTP dangerous methods

It seems that the DELETE method is enabled on your web server.
Although we could not exploit this, you'd better disable it.
Solution : disable this method
Risk factor : Medium
BUGTRAQ_ID : 12141
NESSUS_ID : 10498
Other references : OWASP:OWASP-CM-001

Info www (8080/tcp) Open service

"WEB" service is running on this port
BANNER information:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"8144-1201559974000"
Last-Modified: Mon, 28 Jan 2008 22:39:34 GMT
Content-Type: text/html
Content-Length: 8144
Date: Mon, 27 Oct 2008 08:19:41 GMT
Connection: close

<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file
NESSUS_ID : 10330

Info www (8080/tcp) Directory scanner

This plugin attempts to identify common directories present on the remote host.
___________________________________________________________________

The following directories were discovered:
/1, /admin, /docs

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

NESSUS_ID : 11032
Other references : OWASP:OWASP-CM-006

Info www (8080/tcp) HTTP server type and version

The type and version of the HTTP server were discovered.

Solution: configure the server to use an alternate name, e.g. 'Wintendo httpD w/Dotmatrix display'.
Make sure to remove generic Apache logos such as apache_pb.gif; with Apache you can set 'ServerTokens Prod' to limit this information.
This information comes from the server's own response headers.

Risk factor: Low
___________________________________________________________________

The remote web server type is :

Apache-Coyote/1.1

and the 'ServerTokens' directive is ProductOnly
Apache does not permit hiding the server type.

NESSUS_ID : 10107

提示 www (8080/tcp) Apache UserDir Sensitive Information Disclosure

An information leak occurs on Apache based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home
directory and monitoring the response.


Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.

Or

2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1

Or

3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).

Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html


Risk factor : Low
CVE_ID : CAN-2001-1013
BUGTRAQ_ID : 3335
NESSUS_ID : 10766

Info MySql (3306/tcp) Open service

"MySql" service may be running on this port.

NESSUS_ID : 10330

Warning msrdp (3389/tcp) Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability


The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.

An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).

See Also : http://www.oxid.it/downloads/rdp-gbu.pdf
Solution : None at this time.
Risk factor : Medium
CVE_ID : CAN-2005-1794
BUGTRAQ_ID : 13818
NESSUS_ID : 18405

This may be quite a lot; I'd appreciate help from the experts. How should I continue with the configuration?
Ports 80 and 8080 cannot be closed because the main site application needs them; 21 is for uploading files to the server;
3389 is for Remote Desktop. None of these can be closed, so how should they be configured?
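The findings above that can be fixed in the web server configuration are the method handling (TRACE/XST on port 80, PUT and DELETE on port 8080) and the version banner, and the natural check after changing the configuration is to re-send the scanner's own requests. The script below is an added example, not code from the original post or from Xscan/Nessus: probe() sends a TRACE carrying a canary header and reports whether the server echoes it back (the reflection that makes XST possible), tries PUT and DELETE against a throwaway path, and flags a Server header that still carries version numbers. So that it runs offline it also starts two constructed stand-in servers on loopback: VulnerableHandler reproduces what the scan reported, and HardenedHandler behaves like an Apache 2.2 with TraceEnable off (a real 2.2 directive, simpler than the RewriteRule in the scanner's advice), a Limit block that denies PUT and DELETE, and ServerTokens Prod. The probe path, the canary value and the two handler classes are assumptions made for this example.

```python
"""Re-send the scanner's method checks and verify the fix (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "xst-probe-7f3a"   # assumed value: sent in a TRACE header, looked for in the echo


class _Quiet(BaseHTTPRequestHandler):
    """Shared plumbing for the two constructed stand-in servers."""
    sys_version = ""

    def version_string(self):          # Server: header exactly as "configured"
        return self.server_version

    def log_message(self, *args):      # keep stdout clean
        pass

    def _drain(self):                  # read any request body before replying
        self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def _reply(self, status, headers=(), body=b""):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class VulnerableHandler(_Quiet):
    """Constructed stand-in for what the scan reported on 80/8080."""
    server_version = "Apache/2.2.4 (Win32) PHP/5.2.4"

    def do_TRACE(self):
        # RFC 2616 TRACE echoes the request line and headers as message/http.
        # That echo is the XST primitive: script that can issue TRACE reads back
        # whatever cookies or Authorization header the browser attached.
        echo = f"{self.requestline}\r\n{self.headers}".encode()
        self._reply(200, [("Content-Type", "message/http")], echo)

    def do_PUT(self):                  # 201: the server stored our upload
        self._drain()
        self._reply(201)

    def do_DELETE(self):
        self._drain()
        self._reply(204)


class HardenedHandler(_Quiet):
    """Stand-in for TraceEnable off, <Limit PUT DELETE> Deny, ServerTokens Prod."""
    server_version = "Apache"

    def do_TRACE(self):
        self._reply(405, [("Allow", "GET, HEAD, POST, OPTIONS")])

    def do_PUT(self):                  # 403 is what Apache's Limit/Deny returns
        self._drain()
        self._reply(403)

    do_DELETE = do_PUT


def probe(host, port):
    """Return a dict of findings for the web server at host:port."""
    findings = {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"X-Probe": CANARY})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1")
    conn.close()
    findings["server"] = resp.getheader("Server", "")
    # 'Apache/2.2.4 (Win32) PHP/5.2.4' carries versions; 'Apache' (ServerTokens Prod) does not
    findings["banner_verbose"] = "/" in findings["server"]
    findings["trace_reflected"] = resp.status == 200 and CANARY in body

    for method in ("PUT", "DELETE"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/probe-%s.txt" % method.lower(), body=b"probe",
                     headers={"Content-Type": "text/plain"})
        resp = conn.getresponse()
        resp.read()
        conn.close()
        # 2xx means the server acted on the request; 403/405 means it refused it
        findings[method.lower() + "_accepted"] = 200 <= resp.status < 300
    return findings


def scan_local(handler):
    """Start handler on an ephemeral loopback port, probe it, shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for handler in (VulnerableHandler, HardenedHandler):
        print(handler.__name__, scan_local(handler))
```

Against the real host, call probe("your-host", 80) and probe("your-host", 8080) from a machine that is allowed to reach them, before and after the configuration change. Note that port 8080 answers with Apache-Coyote/1.1, which is Tomcat's connector, not Apache httpd: there, PUT and DELETE are controlled by the readonly init-param of Tomcat's DefaultServlet in conf/web.xml (it is true by default, so it has been changed if PUT succeeds), and the ServerTokens advice in the scanner output does not apply.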