From: Digest
To: "OS/2GenAu Digest"
Date: Mon, 6 Sep 2004 00:01:05 EST-10EDT,10,-1,0,7200,3,-1,0,7200,3600
Subject: [os2genau_digest] No. 933
Reply-To:
X-List-Unsubscribe: www.os2site.com/list/

**************************************************
Sunday 05 September 2004
Number 933
**************************************************

Subjects for today

1 Re: Broadband Internet Security : Dennis Nolan
2 Re: Broadband Internet Security : Ken Laurie

**= Email 1 ==========================**

Date: Sun, 05 Sep 2004 08:11:08 +1000
From: Dennis Nolan
Subject: Re: Broadband Internet Security

Ken
Thanks for the help

I was unable to turn off the web server to the WAN, even though the
router modem was configured to have it off, and when the web server
was configured to be off for both WAN and LAN, it was still available
on the WAN side.
I eventually redirected the port to a dummy address.
I did the same for ports 254 and 255.
Port 254 is configured for telnet access to the router modem, so it
definitely needed to be disabled.
Guess I'm going to have to contact Ntecomm about this.

Regards

Dennis.

Ken Laurie wrote:

> Dennis
>
> It appears that you have a web server running. Now is this on the eCS
> box? I have found a little bit on WindWeb. It is a web server. This
> site has details on it
> http://www.roe.ac.uk/atc/projects/vista/software/VxWorks/docs/windweb/guide/c-arch.html
> , whilst this site says it has something to do with CISCO web
> accessible phone settings
> http://myweb.cableone dot net/xnih/download/www.txt .
>
> After some more research I found a site that described a vulnerability
> in version WindWeb 1.0 and it is on the ADSL bridge/router.
>
> My advice would be to turn the WindWeb server off on the router if
> possible, unless you need it for management of the router. If you
> cannot turn it off then see if you can configure the outside of the
> router to close port 80 or redirect port 80 to a non-existing machine
> on the inside.
>
> You are not being paranoid because if you are running a server on the
> router that somebody from the outside can get to then they can
> potentially hack it and take over your router or DOS the router so you
> no longer have access to the Internet. They can DOS you by crashing
> the router or re-configuring it on you. It is worse when it wasn't you
> that configured the server and you only found it by accident.
>
> I am running my own web server (Apache on eCS), firewalled and via a
> router and I regularly check the logs and do a ShieldsUp scan to make
> sure nothing has changed. BTW my server is not generally available but
> I still get scanned and have many Codered etc attacks run against it.
>
> If you want I can help out further via private email. Just for your
> comfort I am a Security Specialist and I have a GSNA (GIAC Systems and
> Network Audit from the SANS Institute) and I spend most of my day at
> work working on IT security.
>
> regards
> Ken
>
> Dennis Nolan wrote:
>
>> Laurie
>>
>> I did as you suggested, finally figured out what to put into the Hosts
>> field (the modem dotted quad) and this is the reply
>>
>> HTTP/1.1 501 Not Implemented
>> Server: WindWeb/2.0
>> Connection: close
>> Content-Type: text/html
>>
>> Web Server Error Report:
>> Server Error: 501 Not Implemented
>> URL parsing error
>>
>> Session closed...
>>
>> This seems to indicate a web server is active.
>>
>> Take care
>>
>> Dennis.
>>
>> Ken Laurie wrote:
>>
>>> Dennis
>>>
>>> ShieldsUp is a good product to use to check what is seen from the
>>> Internet. If port 80 is open there could be a number of reasons:
>>>
>>> * The port is not closed on the router, the http server may not be
>>>   running but the port is still open.
>>> * You might have DTOC running, which defaults to port 80.
>>>
>>> You can check by telnetting to the box on port 80, by using the
>>> telnet program under Internet utilities. Use vt100 and I got mine to
>>> give info by hitting ctrl-c and then enter. If you cannot telnet to
>>> the box on port 80 then port 80 is not open. You could also try one
>>> of the port scanning programs such as JPSCAN (Java) or Portscan
>>> (native os/2 program) to check what ports are open.
>>>
>>> Remember just because the router doesn't have port 80 explicitly
>>> open it may be open by default.
>>>
>>> hth
>>>
>>> Ken
>>>
>>> Dennis Nolan wrote:
>>>
>>>> Hi all
>>>>
>>>> I came across a reference to www.grc dot com doing connection security
>>>> scans, and so gave it a go.
>>>>
>>>> I went into the "ShieldsUp!" link and had it do various scans.
>>>>
>>>> What surprised me is that I have three ports permanently OPEN
>>>>
>>>> The ports are Port 80 and Ports 254 and 255.
>>>>
>>>> Now Port 80 is the http server port, I've disabled the http server
>>>> in the router/modem from the WAN side. For now I'll keep it
>>>> enabled from the LAN side.
>>>>
>>>> So somewhere in eCS a http server seems to be running.
>>>>
>>>> Ports 254 and 255 are reserved, and should not be used.
>>>>
>>>> I can only think that I have allowed Remote Configuration to be
>>>> installed during installation.
>>>>
>>>> Is there any way of finding out if a default eCS installation is
>>>> enabling and using these ports.
>>>>
>>>> Or am I or have I been paranoid/stupid???
>>>>
>>>> Regards
>>>>
>>>> Dennis.
----------------------------------------------------------------------------------

**= Email 2 ==========================**

Date: Sun, 05 Sep 2004 15:49:09 +1000
From: Ken Laurie
Subject: Re: Broadband Internet Security

Dennis

Glad I could be of help.

regards
Ken

Dennis Nolan wrote:

> Ken
> Thanks for the help
>
> I was unable to turn off the web server to the WAN, even though the
> router modem was configured to have it off, and when the web server
> was configured to be off for both WAN and LAN, it was still available
> on the WAN side.
> I eventually redirected the port to a dummy address.
> I did the same for ports 254 and 255.
> Port 254 is configured for telnet access to the router modem, so it
> definitely needed to be disabled.
> Guess I'm going to have to contact Ntecomm about this.
>
> Regards
>
> Dennis.
>
> Ken Laurie wrote:
>
>> Dennis
>>
>> It appears that you have a web server running. Now is this on the eCS
>> box? I have found a little bit on WindWeb. It is a web server. This
>> site has details on it
>> http://www.roe.ac.uk/atc/projects/vista/software/VxWorks/docs/windweb/guide/c-arch.html
>> , whilst this site says it has something to do with CISCO web
>> accessible phone settings
>> http://myweb.cableone dot net/xnih/download/www.txt .
>>
>> After some more research I found a site that described a
>> vulnerability in version WindWeb 1.0 and it is on the ADSL
>> bridge/router.
>>
>> My advice would be to turn the WindWeb server off on the router if
>> possible, unless you need it for management of the router. If you
>> cannot turn it off then see if you can configure the outside of the
>> router to close port 80 or redirect port 80 to a non-existing machine
>> on the inside.
>>
>> You are not being paranoid because if you are running a server on the
>> router that somebody from the outside can get to then they can
>> potentially hack it and take over your router or DOS the router so
>> you no longer have access to the Internet. They can DOS you by
>> crashing the router or re-configuring it on you. It is worse when it
>> wasn't you that configured the server and you only found it by accident.
>>
>> I am running my own web server (Apache on eCS), firewalled and via a
>> router and I regularly check the logs and do a ShieldsUp scan to make
>> sure nothing has changed. BTW my server is not generally available
>> but I still get scanned and have many Codered etc attacks run against
>> it.
>>
>> If you want I can help out further via private email. Just for your
>> comfort I am a Security Specialist and I have a GSNA (GIAC Systems
>> and Network Audit from the SANS Institute) and I spend most of my day
>> at work working on IT security.
>>
>> regards
>> Ken
>>
>> Dennis Nolan wrote:
>>
>>> Laurie
>>>
>>> I did as you suggested, finally figured out what to put into the Hosts
>>> field (the modem dotted quad) and this is the reply
>>>
>>> HTTP/1.1 501 Not Implemented
>>> Server: WindWeb/2.0
>>> Connection: close
>>> Content-Type: text/html
>>>
>>> Web Server Error Report:
>>> Server Error: 501 Not Implemented
>>> URL parsing error
>>>
>>> Session closed...
>>>
>>> This seems to indicate a web server is active.
>>>
>>> Take care
>>>
>>> Dennis.
>>>
>>> Ken Laurie wrote:
>>>
>>>> Dennis
>>>>
>>>> ShieldsUp is a good product to use to check what is seen from the
>>>> Internet. If port 80 is open there could be a number of reasons:
>>>>
>>>> * The port is not closed on the router, the http server may not be
>>>>   running but the port is still open.
>>>> * You might have DTOC running, which defaults to port 80.
>>>>
>>>> You can check by telnetting to the box on port 80, by using the
>>>> telnet program under Internet utilities. Use vt100 and I got mine
>>>> to give info by hitting ctrl-c and then enter. If you cannot telnet
>>>> to the box on port 80 then port 80 is not open. You could also try
>>>> one of the port scanning programs such as JPSCAN (Java) or Portscan
>>>> (native os/2 program) to check what ports are open.
>>>>
>>>> Remember just because the router doesn't have port 80 explicitly
>>>> open it may be open by default.
>>>>
>>>> hth
>>>>
>>>> Ken
>>>>
>>>> Dennis Nolan wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> I came across a reference to www.grc dot com doing connection security
>>>>> scans, and so gave it a go.
>>>>>
>>>>> I went into the "ShieldsUp!" link and had it do various scans.
>>>>>
>>>>> What surprised me is that I have three ports permanently OPEN
>>>>>
>>>>> The ports are Port 80 and Ports 254 and 255.
>>>>>
>>>>> Now Port 80 is the http server port, I've disabled the http server
>>>>> in the router/modem from the WAN side. For now I'll keep it
>>>>> enabled from the LAN side.
>>>>>
>>>>> So somewhere in eCS a http server seems to be running.
>>>>>
>>>>> Ports 254 and 255 are reserved, and should not be used.
>>>>>
>>>>> I can only think that I have allowed Remote Configuration to be
>>>>> installed during installation.
>>>>>
>>>>> Is there any way of finding out if a default eCS installation is
>>>>> enabling and using these ports.
>>>>>
>>>>> Or am I or have I been paranoid/stupid???
>>>>>
>>>>> Regards
>>>>>
>>>>> Dennis.

----------------------------------------------------------------------------------
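
The check described in the thread (connect to the port and read what answers, as was done by hand with telnet), written out as an added example that is not part of the original digest or from either poster. The function names, the local test listener and the sample bytes are constructed for illustration; the sample reply reuses the header lines quoted in the thread.

```python
import socket
import threading

# Constructed sample: the reply quoted in the thread, with mail line-wrapping undone.
SAMPLE_REPLY = (b"HTTP/1.1 501 Not Implemented\r\nServer: WindWeb/2.0\r\n"
                b"Connection: close\r\nContent-Type: text/html\r\n\r\n"
                b"Server Error: 501 Not Implemented")

def parse_banner(raw):
    """Return the status line and Server header of a raw HTTP reply."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    info = {"status": lines[0].strip(), "server": None}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            info["server"] = value.strip()
    return info

def probe(host, port, timeout=2.0):
    """Connect to one port on a device you administer; report what answers."""
    result = {"port": port, "open": False, "status": None, "server": None}
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True  # the TCP handshake completed
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # refused or unreachable leaves open=False; a timeout keeps what was read
    if data.startswith(b"HTTP/"):
        result.update(parse_banner(data))
    return result

def demo():
    """Replay SAMPLE_REPLY from a local listener and probe it (constructed test rig)."""
    with socket.create_server(("127.0.0.1", 0)) as srv:
        def serve():
            conn, _ = srv.accept()
            conn.recv(1024)
            conn.sendall(SAMPLE_REPLY)
            conn.close()
        threading.Thread(target=serve, daemon=True).start()
        return probe("127.0.0.1", srv.getsockname()[1])

if __name__ == "__main__":
    print(demo())
```

A port that reports `open` with no `status` accepted the connection but did not speak HTTP, which is what a telnet listener such as the one mentioned on port 254 would look like. A probe run from inside the LAN says nothing about WAN exposure, which is why the thread relied on an outside scan.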