Scripts flagged by Nessus via port 2222

tony1234

My Nessus scan showed these scripts as high-risk on tcp/2222, which is the DirectAdmin port. First off, where are these located, and secondly should I get rid of them or are they needed for DirectAdmin?

Nessus's info:

One or more copies of the 'cmd.asp' script were found, this ASP script can be used to execute commands over the web, on IIS 4.0 it executes with SYSTEM privileges.
Details:
cmd.asp - /scripts/cmdasp.asp
cmd.asp - /scripts/cmd.asp
cmd.asp - /scripts/shell.asp
cmd.asp - /scripts/own.asp
cmd.asp - /scripts/0wn.asp
cmd.asp - /scripts/exec.asp
cmd.asp - /scripts/x.asp
cmd.asp - /msadc/cmdasp.asp
cmd.asp - /msadc/cmd.asp
cmd.asp - /msadc/shell.asp
cmd.asp - /msadc/own.asp
cmd.asp - /msadc/0wn.asp
cmd.asp - /msadc/exec.asp
cmd.asp - /msadc/x.asp
 
2222 is the control panel port. This is where the webserver runs.

The details you listed aren't correct and, as stated, are for IIS and ASP, which DA doesn't use. IIS is Windows and DA is *nix!
 
Ok, port 2222 is the control panel port, yes, sorry.

But I ran NessusWX from my Windows PC and targeted my nix server (CentOS 4.1, DirectAdmin), and got this warning for Service: unknown (2222/tcp)
Severity: High
(with the details in my original post)

It is correctly scanning my nix server, from all the other warnings and port analysis.

So what is this telling me?
 
It's telling you the port is open and responds. Very normal, of course. Why the severity is high I don't know. Many simple scanners just look in their databases for which trojans run on which ports, and probably 2222 is also used by some trojan that has a "high" severity.
 
It's high because Nessus is presuming Windows/IIS. The programs listed are all .asp programs from Windows/IIS.

Jeff
 
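One way to check findings like these against your own server, as an added example that is not part of the thread: request each flagged path and compare the answer with a control path that cannot exist. The function names are hypothetical, and the idea that the panel answers every URL with the same page is an assumption the thread does not state.

```python
import hashlib
import urllib.error
import urllib.request
import uuid

# Constructed sample: detail lines in the format of the Nessus report above.
SAMPLE_DETAILS = """\
cmd.asp - /scripts/cmd.asp
cmd.asp - /msadc/x.asp
"""

def parse_details(text):
    """Return the URL paths from 'name - /path' detail lines."""
    paths = []
    for line in text.splitlines():
        _name, sep, path = line.partition(" - ")
        if sep and path.strip().startswith("/"):
            paths.append(path.strip())
    return paths

def http_fetch(base_url, timeout=10):
    """Build a fetch(path) -> (status, body) callable for a live server."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as r:
                return r.status, r.read()
        except urllib.error.HTTPError as e:
            return e.code, e.read()
    return fetch

def fingerprint(response):
    status, body = response
    return status, hashlib.sha256(body).hexdigest()

def triage(paths, fetch):
    """Classify each flagged path against a random path that cannot exist."""
    control = fingerprint(fetch("/scripts/%s.asp" % uuid.uuid4().hex))
    result = {}
    for path in paths:
        status, body = fetch(path)
        if status in (404, 410):
            result[path] = "absent"
        elif fingerprint((status, body)) == control:
            result[path] = "catch-all"    # same answer as a nonexistent URL
        else:
            # Differs from the control (or the page has dynamic content):
            # inspect the response and the filesystem by hand.
            result[path] = "investigate"
    return result
```

Against a live host, pass `http_fetch("http://your-server:2222")` (placeholder URL) as `fetch`; a result of "catch-all" for every path means the scanner matched on a generic response rather than on a file that exists.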