Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 34

Thread: Port 80 listen without WebServer?

  1. #21
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Hmm, go to http://www.chkrootkit.org/ and get chkrootkit and run it. Just to be sure, although, i think that tedob has hit the point here. Ive not seen an understandable answer here to what tedob has said. Are you scanning the boxes in the internal network, using the internal lan ip, or the real ip?? It would help to understand your network setup a bit better.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  2. #22
    Junior Member
    Join Date
    Aug 2003
    Posts
    25
    The target is in the internet and i´m scanning the real IP from internet on eth0, but the target is behind adsl-router.

    thanks

  3. #23
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    if both scan results are equal (scanning internet ip and scan internal ip address), i cant be the adsl-router. Port 80 must be open at host.
    However, im confused. You've mencioned the "port is filtered or opened". Those 2 status are VERY diferent.
    "port is opened" means that there is a process accepting connections at target host
    "port is filtered" means that nmap couldnt get a response from host and its assuming that a firewall or equivalent is blocking requests to that port. I.E. if you configure netfilter with -J DROP on port 80, port will appear as "filtered".
    if port is flaged as "opened", some one is accepting connections there. But if no process is listen to that port...only idea that come is a port redirect.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  4. #24
    Junior Member
    Join Date
    Aug 2003
    Posts
    25
    The port is opened and i have a iptables in this host with follow rule: iptables -P INPUT DROP

  5. #25
    Now for the simple answer. If you're scanning from across the internet and port 80 is showing as open, don't worry about it. Lots of ISP's use transparent caching on port 80, and this is why port 80 appears to be open when in fact it's not.

    To prove that port 80 isn't really open, try starting apache on the machine you scanned. If 80 is in use, apache will complain that it can't bind to the port and will refuse to run. If it starts and you can retrieve web pages from that PC, you can be sure it was appearing as open because of transparent caching.

    To be doubly sure, you could use the perl script at www.cgi101.com that returns all your environment variables and view the page from the PC you used to scan from. If you don't understand what they mean, post the environment variables here, as transparent caching is very easy to spot from environment variables.

  6. #26
    Junior Member
    Join Date
    Aug 2003
    Posts
    25
    Only apache can be used for this test. I haven't apache installed on host, but i have others services, i.e. postfix, squid, samba.

    Other information, i disabled ports 80/tcp and 80/udp in /etc/services

    Thanks by help

  7. #27
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    hacinn. turn OFF your computer and leave the router turned on. go to someone elses computer and scan your ip address. unless you have set up the router to foward ports every reply the scan gives you will be coming from the router. if you dont have access to a scanner on anothers computer use the browser and go to your ip address: http://XX.XXX.XX.XXX. if you get a login box and you know your computer is turned off you'll have your answer
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #28
    Junior Member
    Join Date
    Aug 2003
    Posts
    25
    I unpluged the host target from internet and i leave router turn on. Then i ran nmap against IP address of the host (200.202.204.206), and the result show port 80 open. Then i ran nmap against router IP address and port 80 opened too.


    My Host IP Internet My ADSL-router ADSL-router Target Host Target
    200.201.202.204 -----> 200.201.202.200 ------->INTERNET --------> 200.202.204.205 ------->200.202.204.206
    run nmap port 80 open port 80 open


    I'm crazy

  9. #29
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    ok, if the host isnt there (unpluged from router) the 'open' can only be coming from the router...there is nowhere else fo it to come from. right?

    use the browser on 200.201.202.204 and goto http://200.202.204.206. you'll get a login box. if you know the routers password you can get in.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #30
    Junior Member
    Join Date
    Aug 2003
    Posts
    25
    I tried to browse in http://200.202.204.206 and http://200.202.204.205, but the page not cann´t be showed.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •