Re: Port 80 open without WebServer
From: Nelson Santos (nsantos_at_gmail.com)
Date: 07/01/04
- Previous message: Carlos Bergero: "Re: Port 80 open without WebServer"
- In reply to: Paulo: "Re: Port 80 open without WebServer"
- Next in thread: Nelson Santos: "Re: Port 80 open without WebServer"
- Reply: Nelson Santos: "Re: Port 80 open without WebServer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 1 Jul 2004 16:30:34 -0300
To: Paulo <listassec@yahoo.com>
Are you using a transparent proxy? Because if you are, squid is
listening on port 80. I assume you're using Speedy Business, so those
IPs were assigned to you by Telefonica, right? I'm asking because those
are not private IPs, so you could be scanning a host outside your net.
Nelson
On Thu, 1 Jul 2004 09:50:18 -0700 (PDT), Paulo <listassec@yahoo.com> wrote:
>
> Thanks for the help.
>
> Host A:
> - The computer where I'm running the tests with nessus
> and nmap.
> - IP 200.200.200.201
>
> Router R1:
> - ADSL router - connects host A to the internet.
> - IP 200.200.200.202
>
> Host B:
> - The server under investigation; it receives the tests
> with nessus and nmap.
> - Linux RedHat/Conectiva 8
> - IP 200.200.201.201
> - Services running: Samba, Squid, Atalk, Postfix,
> Iptables, Snort, SSH; I don't have APACHE installed.
> - iptables is set to drop all connections, with the
> exception of SSH coming from host A.
> - There is no redirect to port 80 in iptables.
>
> Router R2:
> - ADSL router - connects host B to the internet.
> - SpeedStream model 5660
> - IP 200.200.201.202
>
> The Problem:
> I ran nessus from host A against host B, and I
> received a Security Alert saying that port 80/tcp was
> open and that an unknown service was running.
>
> I started the investigation and ran the following
> commands on host B:
> netstat -tupan ( doesn't show port 80 )
> lsof -i ( doesn't show port 80 )
> fuser -n tcp 80 ( shows nothing )
> tcpdump dst port 80 ( there is no traffic on this
> port )
> chkrootkit ( detects nothing )
> clamav ( doesn't find any virus )
> I replaced netstat with another secure copy and ran
> netstat -tupan again, and the result was the same.
>
> - I disabled port 80/tcp and 80/udp in
> /etc/services and restarted host B.
>
> I tried a telnet to port 80 and this happened:
>
> Trying 200.200.201.201 ....
> Connected to 200.200.201.201.
> Escape character is '^]'.
>
> I did: GET / HTTP / 1.1
> After a short time, I received the message:
>
> Connection closed by foreign host.
>
> On host A, I ran nmap against host B using the
> following command:
> nmap -vv -P0 -p 80-80 -sT 200.200.201.201
>
> I got back that port 80/tcp was open, with the http
> service.
>
> Then I did the following test: I unplugged host B from
> the router. On host A, I ran the same nmap command
> against host B's IP and the result was that port 80
> was open. But how, if the host was unplugged from
> the internet?
>
> Then, with host B still off the internet, I ran the
> nmap command against router R2's IP and the result was
> that port 80 was open too.
>
> I don't understand what's happening; can anyone
> help me?
>
> Below are the results of the netstat -tupan and ps ax
> commands.
>
> Result of netstat -tupan:
>
> Conexões Internet Ativas (servidores e estabelecidas)
> Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
> tcp 0 0 192.168.100.1:548 0.0.0.0:* OUÇA 2069/afpd
> tcp 0 0 192.168.100.1:139 0.0.0.0:* OUÇA 1895/smbd
> tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 1008/sshd
> tcp 0 0 192.168.100.1:3128 0.0.0.0:* OUÇA 2149/(squid)
> tcp 0 0 192.168.100.1:25 0.0.0.0:* OUÇA 1675/master
> tcp 0 0 127.0.0.1:25 0.0.0.0:* OUÇA 1675/master
> tcp 0 0 127.0.0.1:32898 127.0.0.1:32897 ESTABELECIDA2149/(squid)
> tcp 0 0 127.0.0.1:32897 127.0.0.1:32898 ESTABELECIDA2150/(ncsa_auth)
> tcp 0 0 127.0.0.1:32900 127.0.0.1:32899 ESTABELECIDA2149/(squid)
> tcp 0 0 192.168.100.1:548 192.168.100.3:49155 ESTABELECIDA2247/afpd
> tcp 0 0 127.0.0.1:32899 127.0.0.1:32900 ESTABELECIDA2151/(ncsa_auth)
> tcp 0 48 200.200.201.201:22 200.200.200.201:32806 ESTABELECIDA1399/sshd
> tcp 0 0 192.168.100.1:139 192.168.100.6:1027 ESTABELECIDA2203/smbd
> tcp 0 0 127.0.0.1:32902 127.0.0.1:32901 ESTABELECIDA2149/(squid)
> tcp 0 0 192.168.100.1:548 192.168.100.5:49155 ESTABELECIDA2330/afpd
> tcp 0 0 127.0.0.1:32901 127.0.0.1:32902 ESTABELECIDA2152/(ncsa_auth)
> tcp 0 0 127.0.0.1:32904 127.0.0.1:32903 ESTABELECIDA2149/(squid)
> tcp 0 0 127.0.0.1:32903 127.0.0.1:32904 ESTABELECIDA2153/(ncsa_auth)
> tcp 0 0 127.0.0.1:32906 127.0.0.1:32905 ESTABELECIDA2149/(squid)
> tcp 0 0 127.0.0.1:32905 127.0.0.1:32906 ESTABELECIDA2154/(ncsa_auth)
> tcp 0 0 192.168.100.1:139 192.168.100.7:1233 ESTABELECIDA1951/smbd
> udp 0 0 192.168.100.1:137 0.0.0.0:* 1908/nmbd
> udp 0 0 0.0.0.0:137 0.0.0.0:* 1908/nmbd
> udp 0 0 192.168.100.1:138 0.0.0.0:* 1908/nmbd
> udp 0 0 0.0.0.0:138 0.0.0.0:* 1908/nmbd
> udp 0 0 127.0.0.1:32786 0.0.0.0:* 1951/smbd
> udp 0 0 127.0.0.1:32791 127.0.0.1:32792 ESTABELECIDA2156/(pinger)
> udp 0 0 127.0.0.1:32792 127.0.0.1:32791 ESTABELECIDA2149/(squid)
> udp 0 0 127.0.0.1:32793 0.0.0.0:* 2203/smbd
> udp 0 0 0.0.0.0:32804 0.0.0.0:* 2149/(squid)
>
> Result of ps ax:
>
> 4 ? SW 0:00 [kswapd]
> 5 ? SW 0:00 [bdflush]
> 6 ? SW 0:00 [kupdated]
> 7 ? SW< 0:00 [mdrecoveryd]
> 11 ? SW 0:02 [kjournald]
> 129 ? SW 0:00 [khubd]
> 256 ? SW 0:00 [kjournald]
> 257 ? SW 0:00 [kjournald]
> 701 ? SW 0:00 [eth0]
> 782 ? SW 0:00 [eth1]
> 868 ? S 0:00 syslogd -m 0
> 880 ? S 0:00 klogd
> 968 ? S 0:00 /usr/sbin/atd
> 988 ? S 0:00 crond
> 1008 ? S 0:00 /usr/sbin/sshd
> 1133 ttyS0 S 0:00 gpm -t ms
> 1314 ? R 0:08 /usr/bin/snort -d -D -i eth0 -p -l /var/log/snort -u
> 1319 tty1 S 0:00 /sbin/mingetty tty1
> 1320 tty2 S 0:00 /sbin/mingetty tty2
> 1321 tty3 S 0:00 /sbin/mingetty tty3
> 1322 tty4 S 0:00 /sbin/mingetty tty4
> 1323 tty5 S 0:00 /sbin/mingetty tty5
> 1324 tty6 S 0:00 /sbin/mingetty tty6
> 1399 ? S 0:00 /usr/sbin/sshd
> 1401 ? S 0:01 /usr/sbin/sshd
> 1402 pts/0 S 0:00 -bash
> 1415 pts/0 S 0:00 su
> 1416 pts/0 S 0:00 bash
> 1675 ? S 0:00 /usr/lib/postfix/master
> 1682 ? S 0:00 pickup -l -t fifo -u
> 1683 ? S 0:00 qmgr -l -t fifo -u
> 1895 ? S 0:00 smbd -D
> 1908 ? S 0:00 nmbd -D
> 1909 ? S 0:00 nmbd -D
> 1951 ? S 0:04 smbd -D
> 2043 ? S 0:00 atalkd
> 2056 ? S 0:00 papd
> 2069 ? S 0:00 afpd -c 50 -n sp
> 2147 ? S 0:00 /usr/bin/squid
> 2149 ? S 0:00 (squid)
> 2150 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2151 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2152 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2153 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2154 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2155 ? S 0:00 (unlinkd)
> 2156 ? S 0:00 (pinger)
> 2203 ? S 0:01 smbd -D
> 2247 ? S 0:00 afpd -c 50 -n sp
> 2316 ? S 0:00 smtp -t unix -u
> 2318 pts/0 R 0:00 ps ax
>
>
> --- Nelson Santos <nsantos@gmail.com> wrote:
> > Hi Paulo,
> >
> > Did you try to connect to the port using telnet
> > (telnet localhost 80)?
> > How about using nmap
> > (nmap -sV -p 80 localhost)? This will try to connect
> > to the service
> > and check its version.
> >
> > Nelson
> >
> > On Wed, 30 Jun 2004 04:24:24 -0700 (PDT), Paulo
> > <listassec@yahoo.com> wrote:
> > >
> > > Hi,
> > >
> > > I ran Nessus on a Redhat/Conectiva 9 and I
> > > received the alert:
> > >
> > > Security Note: Port: www-http (80/tcp).
> > >
> > > I'm not running an http server (apache) and netstat
> > > -anp doesn't show port 80. I also ran chkrootkit and
> > > it detected nothing. I ran clamav and it detected
> > > nothing too.
> > >
> > > Can anyone help me?
> > >
> > > Thanks
> > >
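One way to work through the two questions Nelson raises (is a transparent proxy catching port 80, and is the scanned address even this host's) from the host side, as an added example that is not from anyone in the thread. It runs three checks over captured output of netstat, iptables-save and ip addr; the sample output is constructed to mirror the thread's setup (the REDIRECT rule to squid's 3128 is an assumed hypothesis, not something Paulo confirmed), and the function names are mine. Swap the samples for live output to use it on a real box.

```shell
#!/bin/sh
# Added example, not from the thread: triage a port that a remote scan reports
# open although nothing on the host appears to listen on it. Three checks, run
# over captured command output (netstat -tlpn, iptables-save -t nat, ip -4 addr)
# so the script runs anywhere; replace the samples with live output to use it.
# Samples are constructed around the thread's setup: squid as a transparent
# proxy (REDIRECT 80 -> 3128, assumed), no socket on :80, 200.200.201.201 on eth0.
NETSTAT_SAMPLE='tcp 0 0 192.168.100.1:3128 0.0.0.0:* LISTEN 2149/(squid)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1008/sshd
tcp 0 0 192.168.100.1:139 0.0.0.0:* LISTEN 1895/smbd'
NAT_SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
IPADDR_SAMPLE='2: eth0    inet 200.200.201.201/30 scope global eth0
3: eth1    inet 192.168.100.1/24 scope global eth1'

# Check 1: is the scanned address bound on this host at all? If not, the open
# port belongs to whatever owns that address (in the thread: the ADSL router).
address_is_local() {
    printf '%s\n' "$IPADDR_SAMPLE" |
        awk -v ip="$1" '$3 == "inet" { split($4, a, "/"); if (a[1] == ip) f = 1 }
                        END { if (f) exit 0; exit 1 }'
}
# Check 2: PID/program of a socket listening on tcp/$1, if any.
listener_for_port() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
        awk -v p="$1" '$6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $7 }'
}
# Check 3: NAT target that diverts tcp/$1 before any local socket would see it.
nat_rule_for_port() {
    printf '%s\n' "$NAT_SAMPLE" | grep -E -e "--dport $1( |\$)" |
        grep -E -e '-j (REDIRECT|DNAT)' | sed -n 's/.*-j //p'
}
# Verdict for tcp/$1 on address $2:
#   other-host | listener:<pid/prog> | nat:<target> | unexplained
explain_open_port() {
    address_is_local "$2" || { echo "other-host"; return; }
    l=$(listener_for_port "$1")
    [ -n "$l" ] && { echo "listener:$l"; return; }
    r=$(nat_rule_for_port "$1")
    [ -n "$r" ] && { echo "nat:$r"; return; }
    echo "unexplained"   # no socket, no NAT, address is ours: capture on the wire
}
explain_open_port 80 200.200.201.202   # router R2's address -> other-host
explain_open_port 80 200.200.201.201   # nat:REDIRECT --to-ports 3128
explain_open_port 22 200.200.201.201   # listener:1008/sshd
```

The "other-host" verdict is the one that matches Paulo's last observation: port 80 still answered with host B unplugged, so the responder is the device that owns the address on the wire, not the Linux box.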