Port 80 listen without WebServer?
Page 1 of 4 123 ... LastLast
Results 1 to 10 of 34

Thread: Port 80 listen without WebServer?

  1. #1
    Junior Member
    Join Date
    Aug 2003
    Posts
    25

    Port 80 listen without WebServer?

    Hi,

    I have a RedHat/Conectiva 8 and i runned nessus and i received the follow message:

    Security Note: Port: www-http ( tcp/80)

    But i don't a web server running. I runned the chkrootkit and it doesn't find nothing. The same to Clamav, that doesn't find nothing. The netstat -anp doesn't show port 80 too. But when i run the nmap from other computer, the port 80 is listening.

    Anyone can help me?

    Thanks

  2. #2
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Hmm, can you paste us the nmap and the netstat results here? Maybe you are a victim of a 'cloak' attack, which means your 'netstat' application has been substituted with something malicous?

    Cheers.


    /edit-addon

    I dont know about redhat, but try and see if you can use :

    netstat -patune

    make sure you run that as user root.... but first lets try and find out that your 'netstat' is what its supposed to be, so try it without root first.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    You can also try bringing up your ip in a web browser to know if its a web server or alternatively telnet or ssh into port 80 on your box and see what you get. Might be interesting or shed some light on things.
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  4. #4
    Junior Member
    Join Date
    Aug 2003
    Posts
    25
    I changed my original IP for one fake: 200.201.202.203

    The netstat result:

    Conexões Internet Ativas (servidores e estabelecidas)
    Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado Usuário PID/Program name
    tcp 0 0 0.0.0.0:548 0.0.0.0:* OUÇA 0 1915 1109/afpd
    tcp 0 0 0.0.0.0:139 0.0.0.0:* OUÇA 0 1954 1131/smbd
    tcp 0 0 0.0.0.0:111 0.0.0.0:* OUÇA 0 1029 744/portmap
    tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 0 1162 904/sshd
    tcp 0 0 0.0.0.0:3128 0.0.0.0:* OUÇA 0 1832 1052/(squid)
    tcp 0 0 0.0.0.0:25 0.0.0.0:* OUÇA 0 1298 1007/master
    tcp 0 0 127.0.0.1:32769 127.0.0.1:32768 ESTABELECIDA100 1573 1052/(squid)
    tcp 0 0 127.0.0.1:32768 127.0.0.1:32769 ESTABELECIDA100 1574 1053/(ncsa_auth)
    tcp 0 0 127.0.0.1:32771 127.0.0.1:32770 ESTABELECIDA100 1576 1052/(squid)
    tcp 0 0 127.0.0.1:32770 127.0.0.1:32771 ESTABELECIDA100 1577 1054/(ncsa_auth)
    tcp 0 0 200.201.202.203:22 200.201.202.204:32769 ESTABELECIDA0 2366 1234/sshd
    tcp 0 0 192.168.100.1:139 192.168.100.7:1541 ESTABELECIDA0 2360 1233/smbd
    tcp 0 16 192.168.100.1:548 192.168.100.2:49154 ESTABELECIDA0 2328 1230/afpd
    tcp 0 0 192.168.100.1:548 192.168.100.3:49155 ESTABELECIDA0 2320 1226/afpd
    tcp 0 0 127.0.0.1:32773 127.0.0.1:32772 ESTABELECIDA100 1579 1052/(squid)
    tcp 0 0 127.0.0.1:32772 127.0.0.1:32773 ESTABELECIDA100 1580 1055/(ncsa_auth)
    tcp 0 0 192.168.100.1:139 192.168.100.6:3074 ESTABELECIDA0 2305 1222/smbd
    tcp 0 0 192.168.100.1:548 192.168.100.5:49155 ESTABELECIDA0 2310 1223/afpd
    tcp 0 0 127.0.0.1:32775 127.0.0.1:32774 ESTABELECIDA100 1582 1052/(squid)
    tcp 0 0 127.0.0.1:32774 127.0.0.1:32775 ESTABELECIDA100 1583 1056/(ncsa_auth)
    tcp 0 0 127.0.0.1:32777 127.0.0.1:32776 ESTABELECIDA100 1585 1052/(squid)
    tcp 0 0 127.0.0.1:32776 127.0.0.1:32777 ESTABELECIDA100 1586 1057/(ncsa_auth)
    tcp 0 0 200.201.202.203:22 200.201.202.204:33011 ESTABELECIDA0 5599 1300/sshd
    udp 0 0 127.0.0.1:32768 127.0.0.1:32769 ESTABELECIDA100 1836 1083/(pinger)
    udp 0 0 127.0.0.1:32769 127.0.0.1:32768 ESTABELECIDA100 1837 1052/(squid)
    udp 0 0 0.0.0.0:32770 0.0.0.0:* 100 1571 1052/(squid)
    udp 0 0 127.0.0.1:32773 0.0.0.0:* 0 2306 1222/smbd
    udp 0 0 127.0.0.1:32774 0.0.0.0:* 0 2361 1233/smbd
    udp 0 0 200.201.202.203:137 0.0.0.0:* 0 1977 1144/nmbd
    udp 0 0 192.168.100.1:137 0.0.0.0:* 0 1975 1144/nmbd
    udp 0 0 0.0.0.0:137 0.0.0.0:* 0 1968 1144/nmbd
    udp 0 0 200.201.202.203:138 0.0.0.0:* 0 1978 1144/nmbd
    udp 0 0 192.168.100.1:138 0.0.0.0:* 0 1976 1144/nmbd
    udp 0 0 0.0.0.0:138 0.0.0.0:* 0 1969 1144/nmbd
    udp 0 0 0.0.0.0:3130 0.0.0.0:* 0 1833 1052/(squid)
    udp 0 0 0.0.0.0:3401 0.0.0.0:* 0 1835 1052/(squid)
    udp 0 0 0.0.0.0:4827 0.0.0.0:* 0 1834 1052/(squid)
    udp 0 0 0.0.0.0:111 0.0.0.0:* 0 1009 744/portmap

    The nmap result:
    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (200.201.202.203) appears to be up ... good.
    Initiating Connect() Scan against 200-201-202-203
    Adding open port 80/tcp
    The Connect() Scan took 0 seconds to scan 1 ports.
    Interesting ports on (200.201.202.203):
    Port State Service
    80/tcp open http

    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

    Thanks by help

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    hum, do you have a iptables redirect running on that? redirecting port 80 to squid...
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    Well the service in question would be "Pinger". It requires the use of a webserver and may just be providing one. Kill that process and then run nmap.
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  7. #7
    Junior Member
    Join Date
    Aug 2003
    Posts
    25
    Thanks by help, but i kill the pinger and the nmap continue showing port 80. There isn't iptables redirect too.

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    ok, that is odd.
    Did you read all netfilters entries on that machine? no redirect - ok, nat? mangle?

    if not, try to run an netstat from an external disk (a trusted one). if you got a rootkit, netstat,ps and top commands are compromised.....
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  9. #9
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    If its not pinger then the only other thing i would imagine it to be, is squid. Your best bet would be to kill processes and nmap afterwards to find the culprit. May not be the fastest or easiest way but its almost guaranteed to work.
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  10. #10
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    You might just grab the 'lsof' utility and run it. It can tell you what service is actually using the port. The details are in the man pages, there are also plenty of tutorials for it on the net.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •