-
June 29th, 2004, 06:28 PM
#1
Junior Member
Port 80 listen without WebServer?
Hi,
I have a RedHat/Conectiva 8 and I ran nessus and I received the following message:
Security Note: Port: www-http ( tcp/80)
But I don't have a web server running. I ran chkrootkit and it didn't find anything. The same with Clamav, which didn't find anything. netstat -anp doesn't show port 80 either. But when I run nmap from another computer, port 80 is listening.
Can anyone help me?
Thanks
-
June 29th, 2004, 06:37 PM
#2
Hmm, can you paste us the nmap and the netstat results here? Maybe you are a victim of a 'cloak' attack, which means your 'netstat' application has been substituted with something malicious?
Cheers.
/edit-addon
I don't know about redhat, but try and see if you can use:
netstat -patune
make sure you run that as user root.... but first let's try and find out that your 'netstat' is what it's supposed to be, so try it without root first.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
-
June 29th, 2004, 07:08 PM
#3
You can also try bringing up your IP in a web browser to know if it's a web server, or alternatively telnet or ssh into port 80 on your box and see what you get. Might be interesting or shed some light on things.
<chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times
-
June 29th, 2004, 07:08 PM
#4
Junior Member
I changed my original IP to a fake one: 200.201.202.203
The netstat result:
Conexões Internet Ativas (servidores e estabelecidas)
Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado Usuário PID/Program name
tcp 0 0 0.0.0.0:548 0.0.0.0:* OUÇA 0 1915 1109/afpd
tcp 0 0 0.0.0.0:139 0.0.0.0:* OUÇA 0 1954 1131/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* OUÇA 0 1029 744/portmap
tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 0 1162 904/sshd
tcp 0 0 0.0.0.0:3128 0.0.0.0:* OUÇA 0 1832 1052/(squid)
tcp 0 0 0.0.0.0:25 0.0.0.0:* OUÇA 0 1298 1007/master
tcp 0 0 127.0.0.1:32769 127.0.0.1:32768 ESTABELECIDA100 1573 1052/(squid)
tcp 0 0 127.0.0.1:32768 127.0.0.1:32769 ESTABELECIDA100 1574 1053/(ncsa_auth)
tcp 0 0 127.0.0.1:32771 127.0.0.1:32770 ESTABELECIDA100 1576 1052/(squid)
tcp 0 0 127.0.0.1:32770 127.0.0.1:32771 ESTABELECIDA100 1577 1054/(ncsa_auth)
tcp 0 0 200.201.202.203:22 200.201.202.204:32769 ESTABELECIDA0 2366 1234/sshd
tcp 0 0 192.168.100.1:139 192.168.100.7:1541 ESTABELECIDA0 2360 1233/smbd
tcp 0 16 192.168.100.1:548 192.168.100.2:49154 ESTABELECIDA0 2328 1230/afpd
tcp 0 0 192.168.100.1:548 192.168.100.3:49155 ESTABELECIDA0 2320 1226/afpd
tcp 0 0 127.0.0.1:32773 127.0.0.1:32772 ESTABELECIDA100 1579 1052/(squid)
tcp 0 0 127.0.0.1:32772 127.0.0.1:32773 ESTABELECIDA100 1580 1055/(ncsa_auth)
tcp 0 0 192.168.100.1:139 192.168.100.6:3074 ESTABELECIDA0 2305 1222/smbd
tcp 0 0 192.168.100.1:548 192.168.100.5:49155 ESTABELECIDA0 2310 1223/afpd
tcp 0 0 127.0.0.1:32775 127.0.0.1:32774 ESTABELECIDA100 1582 1052/(squid)
tcp 0 0 127.0.0.1:32774 127.0.0.1:32775 ESTABELECIDA100 1583 1056/(ncsa_auth)
tcp 0 0 127.0.0.1:32777 127.0.0.1:32776 ESTABELECIDA100 1585 1052/(squid)
tcp 0 0 127.0.0.1:32776 127.0.0.1:32777 ESTABELECIDA100 1586 1057/(ncsa_auth)
tcp 0 0 200.201.202.203:22 200.201.202.204:33011 ESTABELECIDA0 5599 1300/sshd
udp 0 0 127.0.0.1:32768 127.0.0.1:32769 ESTABELECIDA100 1836 1083/(pinger)
udp 0 0 127.0.0.1:32769 127.0.0.1:32768 ESTABELECIDA100 1837 1052/(squid)
udp 0 0 0.0.0.0:32770 0.0.0.0:* 100 1571 1052/(squid)
udp 0 0 127.0.0.1:32773 0.0.0.0:* 0 2306 1222/smbd
udp 0 0 127.0.0.1:32774 0.0.0.0:* 0 2361 1233/smbd
udp 0 0 200.201.202.203:137 0.0.0.0:* 0 1977 1144/nmbd
udp 0 0 192.168.100.1:137 0.0.0.0:* 0 1975 1144/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 0 1968 1144/nmbd
udp 0 0 200.201.202.203:138 0.0.0.0:* 0 1978 1144/nmbd
udp 0 0 192.168.100.1:138 0.0.0.0:* 0 1976 1144/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 0 1969 1144/nmbd
udp 0 0 0.0.0.0:3130 0.0.0.0:* 0 1833 1052/(squid)
udp 0 0 0.0.0.0:3401 0.0.0.0:* 0 1835 1052/(squid)
udp 0 0 0.0.0.0:4827 0.0.0.0:* 0 1834 1052/(squid)
udp 0 0 0.0.0.0:111 0.0.0.0:* 0 1009 744/portmap
The nmap result:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (200.201.202.203) appears to be up ... good.
Initiating Connect() Scan against 200-201-202-203
Adding open port 80/tcp
The Connect() Scan took 0 seconds to scan 1 ports.
Interesting ports on (200.201.202.203):
Port State Service
80/tcp open http
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
Thanks for the help
-
June 29th, 2004, 07:11 PM
#5
hum, do you have an iptables redirect running on that? redirecting port 80 to squid...
Meu sítio
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
June 29th, 2004, 07:14 PM
#6
Well the service in question would be "Pinger". It requires the use of a webserver and may just be providing one. Kill that process and then run nmap.
-
June 29th, 2004, 07:26 PM
#7
Junior Member
Thanks for the help, but I killed pinger and nmap continues showing port 80. There isn't an iptables redirect either.
-
June 29th, 2004, 07:32 PM
#8
ok, that is odd.
Did you read all netfilter entries on that machine? no redirect - ok, nat? mangle?
if not, try to run a netstat from an external disk (a trusted one). if you've got a rootkit, the netstat, ps and top commands are compromised.....
-
June 29th, 2004, 07:46 PM
#9
If it's not pinger then the only other thing I would imagine it to be is squid. Your best bet would be to kill processes and nmap afterwards to find the culprit. May not be the fastest or easiest way but it's almost guaranteed to work.
-
June 29th, 2004, 07:47 PM
#10
You might just grab the 'lsof' utility and run it. It can tell you what service is actually using the port. The details are in the man pages, there are also plenty of tutorials for it on the net.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
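The disagreement between nmap and netstat that started this thread, the nat/mangle tables raised in posts #5 and #8, and the lsof suggestion in post #10 can be checked together in one place. The script below is an added example, not code from the thread or from any of its posters. It assumes the output formats of `netstat -tlnp`, `lsof -nP -iTCP` and `iptables-save`; the three sample outputs embedded in it are constructed (modelled on the listing in post #4, but in an English locale) so the script runs offline and without root. `diagnose_live_port` is the same check against the running system and is defined but not called.

```shell
#!/bin/sh
# Added example, not code from the thread. It cross-checks three views of one TCP
# port: the kernel listener list (netstat -tlnp), per-process open sockets
# (lsof -nP -iTCP), and the netfilter nat table (iptables-save), because a
# REDIRECT/DNAT rule can make a port answer an external scan with no socket
# bound to it locally. All sample outputs below are constructed.

# Succeeds if netstat -tlnp style text ($2) shows a LISTEN socket on port $1.
port_in_netstat() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 ~ /^tcp/ && $4 ~ (":" p "$") && $6 == "LISTEN" { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# Succeeds if lsof -nP -iTCP style text ($2) shows a process listening on port $1.
port_in_lsof() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $NF == "(LISTEN)" && $(NF-1) ~ (":" p "$") { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# Succeeds if iptables-save style text ($2) contains a nat-table rule that
# REDIRECTs or DNATs TCP traffic arriving on port $1 (the transparent-squid case).
port_redirected_in_nat() {
  printf '%s\n' "$2" | awk -v p="$1" '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && /-p tcp/ && (/-j REDIRECT/ || /-j DNAT/) {
      for (i = 1; i < NF; i++) if ($i == "--dport" && $(i+1) == p) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# Combine the three views into one verdict for port $1.
#   socket-bound        a local process holds the port; read the PID/Program column
#   nat-redirect        no socket, but netfilter rewrites the port to another service
#   hidden-or-external  nothing explains it: suspect a trojaned netstat/lsof, a kernel
#                       rootkit, or a device in front of the host answering the scan
diagnose_port() {
  port="$1"; ns_out="$2"; lsof_out="$3"; nat_out="$4"
  bound=0; redirected=0
  port_in_netstat "$port" "$ns_out" && bound=1
  port_in_lsof "$port" "$lsof_out" && bound=1
  port_redirected_in_nat "$port" "$nat_out" && redirected=1
  if [ "$bound" -eq 1 ]; then
    echo socket-bound
  elif [ "$redirected" -eq 1 ]; then
    echo nat-redirect
  else
    echo hidden-or-external
  fi
}

# Same verdict from the live system (needs root for PID columns and iptables-save).
# Not called below so the constructed samples can run unprivileged.
diagnose_live_port() {
  diagnose_port "$1" "$(netstat -tlnp 2>/dev/null)" \
                     "$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)" \
                     "$(iptables-save 2>/dev/null)"
}

# --- constructed samples (not real output from the poster's machine) ----------
NETSTAT_SAMPLE=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      0          1832       1052/(squid)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          1162       904/sshd
EOF
)
LSOF_SAMPLE=$(cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
squid   1052 squid  12u  IPv4   1832      0t0  TCP *:3128 (LISTEN)
sshd     904 root    3u  IPv4   1162      0t0  TCP *:22 (LISTEN)
EOF
)
NAT_SAMPLE=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
)

for p in 80 3128 443; do
  printf 'port %s: %s\n' "$p" "$(diagnose_port "$p" "$NETSTAT_SAMPLE" "$LSOF_SAMPLE" "$NAT_SAMPLE")"
done
# port 80: nat-redirect / port 3128: socket-bound / port 443: hidden-or-external
```

In the constructed sample, port 80 has no socket in either netstat or lsof, yet the nat PREROUTING rule sends it to squid on 3128, which is exactly the situation post #5 asked about: an external scan sees 80 open while the local listener list never mentions it. The verdict `hidden-or-external` is the one that warrants the trusted-binary check from post #8, since it means neither the socket tables nor netfilter accounts for what the scanner saw.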