Database found within Websense with SA and blank password

Last week I found a database running on port 8203 on the Websense server that was using SA with a blank password. We opened a ticket with Websense and they confirmed my findings with the current version. They have not issued a solution yet. It appears to be a test database, but for what? It was really funny how it was found, since it passed our quick vulnerability scan from neXpose. Now this is not an issue with neXpose, as I was using the default Full Audit profile as part of the final risk assessment. Shame on me for not scanning all ports, since it probably utilizes an nmap scan over the typical/frequently used ports. As you can see, a SYN scan from nmap reveals the following ports:

nmap -sS -vv -PN websense-server-ip

PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1801/tcp  open  unknown
2103/tcp  open  zephyr-clt
2105/tcp  open  eklogin
2107/tcp  open  unknown
3389/tcp  open  ms-term-serv
9010/tcp  open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown

However, now we include the port range.

nmap -sS -vv -PN websense-server-ip -p8000-8999

PORT     STATE SERVICE
8203/tcp open  unknown

So now I perform an nmap scan to find the version running:

nmap -sV -vv -PN websense-server-ip -p8203

PORT     STATE SERVICE VERSION
8203/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit
SF-Port8203-TCP:V=5.21%I=7%D=4/18%Time=4F8F2BE0%P=i686-pc-windows-windows%
SF:r(GetRequest,435,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html\
SF:r\nCache-Control:\x20no-cache\r\nContent-Length:\x20987\r\n\r\n<!DOCTYP
SF:E\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//
SF:EN\"\x20\"http://www\.w3\.org/TR/html4/loose\.dtd\">\n<!--\nCopyright\x
SF:202004-2010\x20H2\x20Group\.\nMultiple-Licensed\x20under\x20the\x20H2\x
SF:20License,\x20Version\x201\.0,\nand\x20under\x20the\x20Eclipse\x20Publi
SF:c\x20License,\x20Version\x201\.0\n\(http://h2database\.com/html/license
SF:\.html\)\.\nInitial\x20Developer:\x20H2\x20Group\n-->\n<html><head>\n\x
SF:20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"text/ht
SF:ml;charset=utf-8\"\x20/>\n\x20\x20\x20\x20<title>H2\x20Console</title>\
SF:n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/css\"\x20hr
SF:ef=\"stylesheet\.css\"\x20/>\n<script\x20type=\"text/javascript\">\nloc
SF:ation\.href\x20=\x20'login\.jsp\?jsessionid=7b0fad65256a5af011297eb3980
SF:66319';\n</script>\n</head>\n<body\x20style=\"margin:\x2020px;\">\n\n<h
SF:1>Welcome\x20to\x20H2</h1>\n<h2>No\x20Javascript</h2>\nIf\x20you\x20are
SF:\x20not\x20automatically\x20redirected\x20to\x20the\x20login\x20page,\x
SF:20then\nJavascript\x20is\x20currently\x20disabled\x20or\x20your\x20brow
SF:se")%r(FourOhFourRequest,2AC,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x
SF:20text/html\r\nCache-Control:\x20no-cache\r\nContent-Length:\x20594\r\n
SF:\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01\x20Tr
SF:ansitional//EN\"\x20\"http://www\.w3\.org/TR/html4/loose\.dtd\">\n<!--\
SF:nCopyright\x202004-2010\x20H2\x20Group\.\nMultiple-Licensed\x20under\x2
SF:0the\x20H2\x20License,\x20Version\x201\.0,\nand\x20under\x20the\x20Ecli
SF:pse\x20Public\x20License,\x20Version\x201\.0\n\(http://h2database\.com/
SF:html/license\.html\)\.\nInitial\x20Developer:\x20H2\x20Group\n-->\n<htm
SF:l><head>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20conte
SF:nt=\"text/html;charset=utf-8\"\x20/>\n\x20\x20\x20\x20<title>\${text\.a
SF:\.title}</title>\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20type=\
SF:"text/css\"\x20href=\"stylesheet\.css\"\x20/>\n</head>\n<body\x20margin
SF:=\"10\">\n\x20\x20\x20\x20<p\x20class=\"error\">\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20\${error}\n\x20\x20\x20\x20</p>\n</body></html>");
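
The fingerprint above is easier to read once it is decoded. The following Python is an added example, not part of the original post: it joins the wrapped SF: lines, unescapes each probe response and pulls out the HTML page title, which is where the service identifies itself. The sample input is a constructed, shortened excerpt of the fingerprint above, and the function names are made up for this example.

```python
import re

# Constructed sample: a shortened excerpt of the fingerprint above, wrapped
# across SF: lines the same way nmap prints it.
SAMPLE = r'''SF-Port8203-TCP:V=5.21%I=7%D=4/18%Time=4F8F2BE0%P=i686-pc-windows-windows%
SF:r(GetRequest,435,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html\
SF:r\n\r\n<html><head>\n<title>H2\x20Console</title>\n</head>")%r(FourOhFo
SF:urRequest,2AC,"HTTP/1\.1\x20200\x20OK\r\n\r\n<title>\${text\.a\.title}<
SF:/title>");'''

# %r(ProbeName,hex-length,"escaped response")
PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:\\.|[^"\\])*)"\)')


def join_fingerprint(text):
    """Undo nmap's line wrapping: drop each SF:/SF- prefix and concatenate."""
    lines = (line.strip() for line in text.splitlines())
    return "".join(l[3:] for l in lines if l.startswith(("SF:", "SF-")))


def unescape(body):
    """Turn \\xHH, \\r, \\n, \\t, \\0 and backslash-quoted punctuation into text."""
    def repl(match):
        esc = match.group(1)
        if len(esc) == 3:  # xHH
            return chr(int(esc[1:], 16))
        return {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}.get(esc, esc)
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|.)", repl, body, flags=re.S)


def decode_probes(text):
    """Map each probe name to the decoded response the service sent back."""
    joined = join_fingerprint(text)
    return {name: unescape(body) for name, _len, body in PROBE_RE.findall(joined)}


def page_titles(text):
    """Pull the HTML <title> out of every decoded probe response."""
    titles = {}
    for probe, response in decode_probes(text).items():
        found = re.search(r"<title>(.*?)</title>", response, re.I | re.S)
        if found:
            titles[probe] = found.group(1).strip()
    return titles


if __name__ == "__main__":
    for probe, title in page_titles(SAMPLE).items():
        print(f"{probe}: {title}")
```

Pasting the full "SF" block from an nmap -sV run into SAMPLE works the same way, so an "unknown" service on a non-default port can be triaged without opening it in a browser.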

 

Still unknown, but check out the bold part of the fingerprint. So let's try connecting to port 8203 via a web browser. Voilà, see below.

Now click connect.

 

And there you have it. Connection to the Websense server, most likely a test database for something, but nonetheless. If you're running Websense you may want to see if this is open. Also, if anyone has information about this, please comment. Websense has not provided us anything yet.

Websense said they will remove this test database in their next release of code and did not provide an explanation. Does anyone know what this is? Looks like it may have something to do with Oracle/Java. See next screenshot below, Java Hotspot.