Port 80 listen without WebServer? - Page 4

Thread: Port 80 listen without WebServer?

  1. #31
    Junior Member
    Join Date
    Dec 2003
    Posts
    12
    Maybe have a try with uptime.netcraft.com with your hostname and see if you get any info.

  2. #32
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    What kind of router do you have? Most home routers have a webmin page to configure them with. Examples of this are Linksys, Netgear, D-Link, etc...

    Regardless, go to one of your computers and check your IP address.

    Windows: ipconfig /all

    Linux: ifconfig -a

    If your IP is 192.168.1.100, then go to a browser and try to navigate to 192.168.1.1 or 192.168.1.254.

    If your IP is 192.168.0.100, then do the same thing with 192.168.0.1 and 192.168.0.254.

    When (and if) you get to your router config page, remove any rules that are opening port 80 and turn off the router's configure-from-internet function. If you need help, feel free to ask more if anything is unclear.
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  3. #33
    Junior Member
    Join Date
    Aug 2003
    Posts
    25
    Thanks to everyone for the help. Here is the complete description of the situation.

    Host A:
    - The computer where I'm running the tests with Nessus and nmap.
    - IP 200.200.200.201

    Router R1:
    - ADSL router; connects host A to the internet.
    - IP 200.200.200.202

    Host B:
    - The server under investigation; receives the tests with Nessus and nmap.
    - Linux Red Hat/Conectiva 8
    - IP 200.200.201.201
    - Services running: Samba, Squid, Atalk, Postfix, iptables, Snort, SSH. I don't have Apache installed.
    - iptables is set to drop all connections, with the exception of SSH coming from host A.
    - iptables has no redirect to port 80.

    Router R2:
    - ADSL router; connects host B to the internet.
    - IP 200.200.201.202

    The Problem:
    I ran Nessus from host A against host B and received a Security Alert saying that port 80/tcp was open and that an unknown service was running.

    I started the investigation and ran the following commands on host B:
    netstat -tupan (doesn't show port 80)
    lsof -i (doesn't show port 80)
    fuser -n tcp 80 (shows nothing)
    tcpdump dst port 80 (there is no traffic on this port)
    chkrootkit (detects nothing)
    clamav (finds no virus)
    I replaced netstat with another trusted copy and ran netstat -tupan again; the result was the same.

    - I disabled port 80/tcp and 80/udp in /etc/services and restarted host B.

    I tried a telnet to port 80 and this happened:

    Trying 200.200.201.201 ....
    Connected to 200.200.201.201.
    Escape character is '^]'.

    I typed: GET / HTTP / 1.1
    Then, after a short time, I received the message:

    Connection closed by foreign host.

    On host A, I ran nmap against host B using the following command:
    nmap -vv -P0 -p 80-80 -sT 200.200.201.201

    It reported that port 80/tcp was open with the http service.

    Then I did the following test: I unplugged host B from the router. On host A, I ran the same nmap command against host B's IP, and the result was that port 80 was open. But how, if the host was unplugged from the internet?

    Then, still with host B off the internet, I ran the nmap command against router R2's IP, and the result was that port 80 was open there too.

    I don't understand what's happening. Can anyone help me?

    Here are the results of the netstat -tupan and ps ax commands.

    Result of netstat -tupan:

    Conexões Internet Ativas (servidores e estabelecidas)
    Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
    tcp 0 0 192.168.100.1:548 0.0.0.0:* OUÇA 2069/afpd
    tcp 0 0 192.168.100.1:139 0.0.0.0:* OUÇA 1895/smbd
    tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 1008/sshd
    tcp 0 0 192.168.100.1:3128 0.0.0.0:* OUÇA 2149/(squid)
    tcp 0 0 192.168.100.1:25 0.0.0.0:* OUÇA 1675/master
    tcp 0 0 127.0.0.1:25 0.0.0.0:* OUÇA 1675/master
    tcp 0 0 127.0.0.1:32898 127.0.0.1:32897 ESTABELECIDA2149/(squid)
    tcp 0 0 127.0.0.1:32897 127.0.0.1:32898 ESTABELECIDA2150/(ncsa_auth)
    tcp 0 0 127.0.0.1:32900 127.0.0.1:32899 ESTABELECIDA2149/(squid)
    tcp 0 0 192.168.100.1:548 192.168.100.3:49155 ESTABELECIDA2247/afpd
    tcp 0 0 127.0.0.1:32899 127.0.0.1:32900 ESTABELECIDA2151/(ncsa_auth)
    tcp 0 48 200.200.201.201:22 200.200.200.201:32806 ESTABELECIDA1399/sshd
    tcp 0 0 192.168.100.1:139 192.168.100.6:1027 ESTABELECIDA2203/smbd
    tcp 0 0 127.0.0.1:32902 127.0.0.1:32901 ESTABELECIDA2149/(squid)
    tcp 0 0 192.168.100.1:548 192.168.100.5:49155 ESTABELECIDA2330/afpd
    tcp 0 0 127.0.0.1:32901 127.0.0.1:32902 ESTABELECIDA2152/(ncsa_auth)
    tcp 0 0 127.0.0.1:32904 127.0.0.1:32903 ESTABELECIDA2149/(squid)
    tcp 0 0 127.0.0.1:32903 127.0.0.1:32904 ESTABELECIDA2153/(ncsa_auth)
    tcp 0 0 127.0.0.1:32906 127.0.0.1:32905 ESTABELECIDA2149/(squid)
    tcp 0 0 127.0.0.1:32905 127.0.0.1:32906 ESTABELECIDA2154/(ncsa_auth)
    tcp 0 0 192.168.100.1:139 192.168.100.7:1233 ESTABELECIDA1951/smbd
    udp 0 0 192.168.100.1:137 0.0.0.0:* 1908/nmbd
    udp 0 0 0.0.0.0:137 0.0.0.0:* 1908/nmbd
    udp 0 0 192.168.100.1:138 0.0.0.0:* 1908/nmbd
    udp 0 0 0.0.0.0:138 0.0.0.0:* 1908/nmbd
    udp 0 0 127.0.0.1:32786 0.0.0.0:* 1951/smbd
    udp 0 0 127.0.0.1:32791 127.0.0.1:32792 ESTABELECIDA2156/(pinger)
    udp 0 0 127.0.0.1:32792 127.0.0.1:32791 ESTABELECIDA2149/(squid)
    udp 0 0 127.0.0.1:32793 0.0.0.0:* 2203/smbd
    udp 0 0 0.0.0.0:32804 0.0.0.0:* 2149/(squid)

    Result of ps ax:

    4 ? SW 0:00 [kswapd]
    5 ? SW 0:00 [bdflush]
    6 ? SW 0:00 [kupdated]
    7 ? SW< 0:00 [mdrecoveryd]
    11 ? SW 0:02 [kjournald]
    129 ? SW 0:00 [khubd]
    256 ? SW 0:00 [kjournald]
    257 ? SW 0:00 [kjournald]
    701 ? SW 0:00 [eth0]
    782 ? SW 0:00 [eth1]
    868 ? S 0:00 syslogd -m 0
    880 ? S 0:00 klogd
    968 ? S 0:00 /usr/sbin/atd
    988 ? S 0:00 crond
    1008 ? S 0:00 /usr/sbin/sshd
    1133 ttyS0 S 0:00 gpm -t ms
    1314 ? R 0:08 /usr/bin/snort -d -D -i eth0 -p -l /var/log/snort -u
    1319 tty1 S 0:00 /sbin/mingetty tty1
    1320 tty2 S 0:00 /sbin/mingetty tty2
    1321 tty3 S 0:00 /sbin/mingetty tty3
    1322 tty4 S 0:00 /sbin/mingetty tty4
    1323 tty5 S 0:00 /sbin/mingetty tty5
    1324 tty6 S 0:00 /sbin/mingetty tty6
    1399 ? S 0:00 /usr/sbin/sshd
    1401 ? S 0:01 /usr/sbin/sshd
    1402 pts/0 S 0:00 -bash
    1415 pts/0 S 0:00 su
    1416 pts/0 S 0:00 bash
    1675 ? S 0:00 /usr/lib/postfix/master
    1682 ? S 0:00 pickup -l -t fifo -u
    1683 ? S 0:00 qmgr -l -t fifo -u
    1895 ? S 0:00 smbd -D
    1908 ? S 0:00 nmbd -D
    1909 ? S 0:00 nmbd -D
    1951 ? S 0:04 smbd -D
    2043 ? S 0:00 atalkd
    2056 ? S 0:00 papd
    2069 ? S 0:00 afpd -c 50 -n sp
    2147 ? S 0:00 /usr/bin/squid
    2149 ? S 0:00 (squid)
    2150 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
    2151 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
    2152 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
    2153 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
    2154 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
    2155 ? S 0:00 (unlinkd)
    2156 ? S 0:00 (pinger)
    2203 ? S 0:01 smbd -D
    2247 ? S 0:00 afpd -c 50 -n sp
    2316 ? S 0:00 smtp -t unix -u
    2318 pts/0 R 0:00 ps ax

  4. #34
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    If just your ADSL router is plugged in (no other host behind it) and nmap from the internet is still showing port 80 open, one of the below is happening:

    a) your ADSL router (as stated before) has a webmin interface. Ask your ISP (or router vendor) about that.
    b) your ISP is blocking port 80, but instead of denying (which would show a "filtered" status), the ISP is doing some kind of trick to screw you.

    Please be aware that some ISPs (ADSL and cable ones) don't allow you to run any service below port 1024 on home connections.

    You can check this by asking a friend who has the same kind of connection to allow you to scan his computer.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
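
As an added example (not code from anyone in the thread), here is one way to reconcile the netstat -tupan listing in post #33 with an external scan result, flagging ports the scanner saw open that no socket on the host could have answered, which is exactly the router-or-ISP-in-the-path situation post #34 describes. The netstat excerpt is a constructed subset of the output posted above, and the scan result (port 80 as nmap reported it, plus 22, which iptables allows from host A) is constructed as well.

```python
import re

# Constructed excerpt of the netstat -tupan output posted above (Portuguese
# locale: "OUÇA" = LISTEN, "ESTABELECIDA" = ESTABLISHED; the fixed column
# width fuses the state into the PID/Program name column).
NETSTAT_OUTPUT = """\
Conexões Internet Ativas (servidores e estabelecidas)
Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
tcp 0 0 192.168.100.1:548 0.0.0.0:* OUÇA 2069/afpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 1008/sshd
tcp 0 48 200.200.201.201:22 200.200.200.201:32806 ESTABELECIDA1399/sshd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1908/nmbd
"""
# Constructed scan result: port 80 as nmap reported it, plus 22 (allowed from host A).
SCAN_RESULT = {("tcp", 80), ("tcp", 22)}

LISTEN_STATES = {"LISTEN", "OUÇA"}  # English and pt_BR spellings
WILDCARDS = {"0.0.0.0", "::", "*"}
# Optional letters-only state (so a fused "ESTABELECIDA1399" still splits), then PID/program.
TAIL_RE = re.compile(r"^(?:(?P<state>[^\d\s]+)\s*)?(?P<pid>\d+)/(?P<prog>\S+)$")


def parse_listeners(text):
    """{(proto, port): (bind_addr, program)} for sockets that accept traffic:
    TCP in LISTEN state, or UDP with no peer (UDP rows have no state column)."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, remote = fields[0].rstrip("6"), fields[3], fields[4]
        tail = TAIL_RE.match(" ".join(fields[5:]))
        if tail is None:
            continue
        listening = tail.group("state") in LISTEN_STATES if proto == "tcp" else remote.endswith(":*")
        if listening:
            addr, port = local.rsplit(":", 1)
            listeners[(proto, int(port))] = (addr, tail.group("prog"))
    return listeners


def unexplained_open_ports(scan_open, listeners, scanned_ip):
    """Ports the remote scan saw open that no socket on the host could have
    answered (nothing bound, or bound to another address): whatever replied sits
    in the path (router, ISP) or is a process the host's own tools cannot see."""
    unexplained = []
    for proto, port in sorted(scan_open):
        bound = listeners.get((proto, port))
        if bound is None or bound[0] not in WILDCARDS | {scanned_ip}:
            unexplained.append((proto, port))
    return unexplained
```

Running `unexplained_open_ports(SCAN_RESULT, parse_listeners(NETSTAT_OUTPUT), "200.200.201.201")` returns only port 80: sshd on 0.0.0.0:22 accounts for the SSH result, while nothing on the host accounts for 80, which matches the thread's finding that the router answered even with host B unplugged.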
