Summary

This document reports on the results of an automatic security scan. The report first summarises the results found. Then, for each host, the report describes every issue found. Please consider the advice given in each description, in order to rectify the issue.

Overrides are on. When a result has an override, this report uses the threat of the override.

Notes are included in the report.

This report might not show details of all issues that were found. It only lists hosts that produced issues. Issues with the threat level "Debug" are not shown.

This report contains all 38 results selected by the filtering described above. Before filtering there were 38 results.

Scan started: Mon May 14 16:38:57 2012
Scan ended: Mon May 14 16:58:53 2012

Host Summary

Host          High  Medium  Low  Log  False Positive
5.0.22.149    1     3       14   20   0
Total: 1      1     3       14   20   0

Results per Host

Host 5.0.22.149

Scanning of this host started at: Mon May 14 16:38:59 2012
Number of results: 38

Port Summary for Host 5.0.22.149

Service (Port)             Threat Level
http (80/tcp)              High
smtp (25/tcp)              Medium
general/tcp                Low
netscape-adm (8649/tcp)    Low
ssh (22/tcp)               Low
sunrpc (111/tcp)           Low
sunrpc (111/udp)           Low
general/CPE-T              Log
general/HOST-T             Log
general/icmp               Log

Security Issues for Host 5.0.22.149

http (80/tcp)
High (CVSS: 7.8)
NVT: Apache httpd Web Server Range Header Denial of Service Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.901203)
  Overview: This host is running Apache httpd web server and is prone to a denial
  of service vulnerability.
  Vulnerability Insight:
  The flaw is caused by the way Apache httpd web server handles certain requests
  with multiple overlapping ranges, which causes significant memory and CPU
  usage on the server, leading to an application crash and an unstable
  system.
  Impact:
  Successful exploitation will let remote unauthenticated attackers
  cause a denial of service.
  Impact Level: System/Application
  Affected Software/OS:
  Apache 1.3.x, 2.0.x through 2.0.64 and 2.2.x through 2.2.19
  Fix: Please refer to the links below for the fix and for mitigating this issue until a full fix is applied:
  http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3CCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3E
  http://marc.info/?l=apache-httpd-dev&m=131420013520206&w=2
  References:
  http://www.exploit-db.com/exploits/17696
  http://packetstormsecurity.org/files/view/104441
  http://marc.info/?l=apache-httpd-dev&m=131420013520206&w=2
  
CVE : CVE-2011-3192
BID : 49303
http (80/tcp)
Medium (CVSS: 4.3)
NVT: Apache Web Server ETag Header Information Disclosure Weakness (OID: 1.3.6.1.4.1.25623.1.0.103122)
Overview:
A weakness has been discovered in Apache web servers that are
configured to use the FileETag directive. Due to the way in which
Apache generates ETag response headers, it may be possible for an
attacker to obtain sensitive information regarding server files.
Specifically, ETag header fields returned to a client contain the
file's inode number.
Exploitation of this issue may provide an attacker with information
that may be used to launch further attacks against a target network.
OpenBSD has released a patch that addresses this issue. Inode numbers
returned from the server are now encoded using a private hash to avoid
the release of sensitive information.
Solution:
OpenBSD has released a patch to address this issue.
Novell has released TID10090670 to advise users to apply the available
workaround of disabling the directive in the configuration file for
Apache releases on NetWare. Please see the attached Technical
Information Document for further details.
References:
https://www.securityfocus.com/bid/6939
http://httpd.apache.org/docs/mod/core.html#fileetag
http://www.openbsd.org/errata32.html
http://support.novell.com/docs/Tids/Solutions/10090670.html
Information that was gathered:
Inode: 267606
Size: 177
CVE : CVE-2003-1418
BID : 6939
smtp (25/tcp)
Medium
NVT: Check if Mailserver answer to VRFY and EXPN requests (OID: 1.3.6.1.4.1.25623.1.0.100072)
 Overview:
  The Mailserver on this host answers to VRFY and/or EXPN requests.
  VRFY and EXPN ask the server for information about an address. They are
  inherently unusable through firewalls, gateways, mail exchangers for part-time
  hosts, etc. OpenVAS suggests that, if you really want to publish this type of
  information, you use a mechanism that legitimate users actually know about,
  such as Finger or HTTP. 
 Solution:
  Disable VRFY and/or EXPN on your Mailserver. 
  For postfix add 'disable_vrfy_command=yes' in 'main.cf'. 
  For Sendmail add the option 'O PrivacyOptions=goaway'.
 See also:
  http://cr.yp.to/smtp/vrfy.html
Details:
'VRFY root' produces the following answer: 252 2.0.0 root
smtp (25/tcp)
Medium
NVT: TCP Sequence Number Approximation Reset Denial of Service Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902815)
  Overview: The host is running TCP services and is prone to a denial of service
  vulnerability.
  Vulnerability Insight:
  The flaw is triggered when spoofed TCP Reset packets are received by the
  targeted TCP stack and will result in loss of availability for the attacked
  TCP services.
  Impact:
  Successful exploitation will allow remote attackers to guess sequence numbers
  and cause a denial of service to persistent TCP connections by repeatedly
  injecting a TCP RST packet.
  Impact Level: System
  Affected Software/OS:
  TCP
  Fix: Please see the referenced advisories for more information on obtaining
  and applying fixes.
  References:
  http://www.osvdb.org/4030
  http://xforce.iss.net/xforce/xfdb/15886
  http://www.us-cert.gov/cas/techalerts/TA04-111A.html
  http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949
  http://www-01.ibm.com/support/docview.wss?uid=isg1IY55950
  http://www-01.ibm.com/support/docview.wss?uid=isg1IY62006
  http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx
  http://www.microsoft.com/technet/security/bulletin/ms06-064.mspx
  http://www.cisco.com/en/US/products/csa/cisco-sa-20040420-tcp-nonios.html
CVE : CVE-2004-0230
BID : 10183
general/tcp
Low (CVSS: 0.0)
NVT: Traceroute (OID: 1.3.6.1.4.1.25623.1.0.51662)
Here is the route from 5.0.22.228 to 5.0.22.149
5.0.22.228
5.0.22.149
general/tcp
Low
NVT: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)
Synopsis :
The remote service implements TCP timestamps.
Description :
The remote host implements TCP timestamps, as defined by RFC1323.
A side effect of this feature is that the uptime of the remote 
host can sometimes be computed.
See also :
http://www.ietf.org/rfc/rfc1323.txt
http (80/tcp)
Low (CVSS: 0.0)
NVT: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)
A web server is running on this port
http (80/tcp)
Low (CVSS: 0.0)
NVT: HTTP Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10107)
The remote web server type is :
Apache/2.2.14 (Ubuntu)
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
http (80/tcp)
Low (CVSS: 0.0)
NVT: Directory Scanner (OID: 1.3.6.1.4.1.25623.1.0.11032)
The following directories were discovered:
/admin, /cgi-bin, /icons, /ganglia
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.
Other references : OWASP:OWASP-CM-006
netscape-adm (8649/tcp)
Low (CVSS: 0.0)
NVT: Identify unknown services with 'HELP' (OID: 1.3.6.1.4.1.25623.1.0.11153)
Ganglia monitoring daemon seems to be running on this port
smtp (25/tcp)
Low (CVSS: 0.0)
NVT: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)
An SMTP server is running on this port
Here is its banner : 
220 ubuntu-testing.tag.internal ESMTP Postfix (Ubuntu)
smtp (25/tcp)
Low
NVT: SMTP Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10263)
Remote SMTP server banner :
220 ubuntu-testing.tag.internal ESMTP Postfix (Ubuntu)
This is probably: Postfix
smtp (25/tcp)
Low (CVSS: 0.0)
NVT: SMTP STARTTLS Detection Detection (OID: 1.3.6.1.4.1.25623.1.0.103118)
Overview:
The remote Mailserver supports the STARTTLS command.
ssh (22/tcp)
Low (CVSS: 0.0)
NVT: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)
An ssh server is running on this port
sunrpc (111/tcp)
Low (CVSS: 0.0)
NVT: rpcinfo -p (OID: 1.3.6.1.4.1.25623.1.0.11111)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on port 111
sunrpc (111/tcp)
Low (CVSS: 0.0)
NVT: rpcinfo -p (OID: 1.3.6.1.4.1.25623.1.0.11111)
RPC program #100024 version 1 'status' is running on port 57035
sunrpc (111/udp)
Low (CVSS: 0.0)
NVT: rpcinfo -p (OID: 1.3.6.1.4.1.25623.1.0.11111)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on port 111
sunrpc (111/udp)
Low (CVSS: 0.0)
NVT: rpcinfo -p (OID: 1.3.6.1.4.1.25623.1.0.11111)
RPC program #100024 version 1 'status' is running on port 41700
general/CPE-T
Log (CVSS: 0.0)
NVT: CPE Inventory (OID: 1.3.6.1.4.1.25623.1.0.810002)
5.0.22.149|cpe:/a:apache:http_server:2.2.14
5.0.22.149|cpe:/a:openbsd:openssh:5.3p1
5.0.22.149|cpe:/o:canonical:ubuntu_linux
general/HOST-T
Log (CVSS: 0.0)
NVT: Host Summary (OID: 1.3.6.1.4.1.25623.1.0.810003)
traceroute:5.0.22.228,5.0.22.149
TCP ports:111,22,25,8649,80
UDP ports:
general/icmp
Log (CVSS: 0.0)
NVT: ICMP Timestamp Detection (OID: 1.3.6.1.4.1.25623.1.0.103190)
Overview:
The remote host responded to an ICMP timestamp request. The Timestamp Reply is
an ICMP message which replies to a Timestamp message. It consists of the
originating timestamp sent by the sender of the Timestamp as well as a receive
timestamp and a transmit timestamp. This information could theoretically be used
to exploit weak time-based random number generators in other services.
See also:
http://www.ietf.org/rfc/rfc0792.txt
CVE : CVE-1999-0524
general/tcp
Log (CVSS: 0.0)
NVT: Apache Web ServerVersion Detection (OID: 1.3.6.1.4.1.25623.1.0.900498)
Detected Apache version 2.2.14
CPE: cpe:/a:apache:http_server:2.2.14
Concluded from version identification result:
HTTP/1.1 200 OK
Date: Mon, 14 May 2012 15:39:09 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Fri, 04 May 2012 08:13:09 GMT
ETag: "41556-b1-4bf317daf6c0c"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
general/tcp
Log (CVSS: 0.0)
NVT: Checks for open udp ports (OID: 1.3.6.1.4.1.25623.1.0.103978)
Open UDP ports: [None found]
general/tcp
Log (CVSS: 0.0)
NVT: OS fingerprinting (OID: 1.3.6.1.4.1.25623.1.0.102002)
ICMP based OS fingerprint results: (100% confidence)
Linux Kernel
general/tcp
Log (CVSS: 0.0)
NVT: Checks for open tcp ports (OID: 1.3.6.1.4.1.25623.1.0.900239)
Open TCP ports: 111, 22, 25, 8649, 80
general/tcp
Log (CVSS: 0.0)
NVT: arachni (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.110001)
Arachni could not be found in your system path.
OpenVAS was unable to execute Arachni and to perform the scan you
requested.
Please make sure that Arachni is installed and that arachni is
available in the PATH variable defined for your environment.
general/tcp
Log (CVSS: 0.0)
NVT: DIRB (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.103079)
DIRB could not be found in your system path.
OpenVAS was unable to execute DIRB and to perform the scan you
requested.
Please make sure that DIRB is installed and is
available in the PATH variable defined for your environment.
general/tcp
Log (CVSS: 0.0)
NVT: Nikto (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.14260)
Nikto could not be found in your system path.
OpenVAS was unable to execute Nikto and to perform the scan you
requested.
Please make sure that Nikto is installed and that nikto.pl or nikto is
available in the PATH variable defined for your environment.
general/tcp
Log (CVSS: 0.0)
NVT: Information about the scan (OID: 1.3.6.1.4.1.25623.1.0.19506)
Information about this scan : 
OpenVAS version : 4.0.6
Plugin feed version : 201205071204
Type of plugin feed : OpenVAS NVT Feed
Scanner IP : 5.0.22.228
Port scanner(s) : nmap 
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan Start Date : 2012/5/14 16:39
Scan duration : 1185 sec
http (80/tcp)
Log
NVT: (OID: 0)
Open port.
http (80/tcp)
Log (CVSS: 0.0)
NVT: wapiti (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.80110)
wapiti could not be found in your system path.
OpenVAS was unable to execute wapiti and to perform the scan you
requested.
Please make sure that wapiti is installed and that wapiti is
available in the PATH variable defined for your environment.
netscape-adm (8649/tcp)
Log
NVT: (OID: 0)
Open port.
smtp (25/tcp)
Log
NVT: (OID: 0)
Open port.
ssh (22/tcp)
Log
NVT: (OID: 0)
Open port.
ssh (22/tcp)
Log (CVSS: 0.0)
NVT: SSH Authorization (OID: 1.3.6.1.4.1.25623.1.0.90022)
No SSH credentials were supplied.
Hence local security checks are not enabled.
ssh (22/tcp)
Log (CVSS: 0.0)
NVT: SSH Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10267)
Detected SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Remote SSH supported authentication: publickey,password
Remote SSH banner: 
(not available)
CPE: cpe:/a:openbsd:openssh:5.3p1
Concluded from remote connection attempt with credentials:
  Login: OpenVAS
  Password: OpenVAS
ssh (22/tcp)
Log (CVSS: 0.0)
NVT: SSH Protocol Versions Supported (OID: 1.3.6.1.4.1.25623.1.0.100259)
The remote SSH Server supports the following SSH Protocol Versions:
1.99
2.0
SSHv2 Fingerprint: 43:76:aa:34:de:16:66:7f:26:b3:0a:72:7d:9c:2c:14
sunrpc (111/tcp)
Log
NVT: (OID: 0)
Open port.
This file was automatically generated.