Re: Port 80 open without WebServer
From: David Roman Esteban (droman_at_plcendesa.com)
Date: 07/02/04
- Previous message: Michael Gale: "Re: Comparative Evaluations Of Firewall Products"
- In reply to: Paulo: "Re: Port 80 open without WebServer"
- Next in thread: BANIER Jeremie: "RE: Port 80 open without WebServer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 02 Jul 2004 07:52:51 +0200
To: Paulo <listassec@yahoo.com>
What you see is the web server from the SpeedStream; it is the
configuration web server. You have it "closed" (not allowed to configure
from the outside network), but the port remains open. I don't know if newer
versions of the firmware solved this problem, but it is a known problem.
Best regards
David Roman Esteban
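What David describes can be confirmed from the scanning side rather than guessed at. The block below is an added example, not code from this thread or from the router vendor: it sends a well-formed HTTP/1.0 request to the suspect port and reports the status line and Server header, which is how an intercepting device's management interface usually identifies itself (and is the same information `nmap -sV` or Nessus go after). Because it has to run offline, the target is a constructed stand-in server on 127.0.0.1 whose banner (`EmbeddedHTTPd/0.1`) and 401 challenge are invented for the example; point `probe_http` at the real address and port to use it. One detail worth knowing: a request line with spaces around the slash, or one not followed by the blank line that ends the headers, is incomplete, and most servers simply wait and then close the connection without saying anything.

```python
"""Identify what is really answering a port the host itself does not bind.

Added example, not code from the thread. A well-formed HTTP/1.0 request,
terminated by an empty line, makes most embedded web servers (a router's
configuration interface included) identify themselves in the status line
and Server header; that is the information nmap -sV or Nessus would use.
The target here is a constructed stand-in on 127.0.0.1 so the example runs
offline; its banner and 401 challenge are invented for the example.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict


def probe_http(host: str, port: int, timeout: float = 3.0) -> Dict[str, str]:
    """Send a minimal GET and return the status line plus response headers.

    HTTP/1.0 keeps the exchange simple (no chunking, connection closes after
    the reply); the blank line after the headers is what tells the server
    the request is complete. Without it the server just waits, then drops you.
    """
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nUser-Agent: ghost-port-probe\r\n\r\n"
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    result = {"status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            result[name.strip().lower()] = value.strip()
    return result


def classify(headers: Dict[str, str]) -> str:
    """Rough verdict from the banner: auth-walled device UI vs ordinary web server."""
    server = headers.get("server") or "unknown"
    status_code = headers["status"].split()[1:2]
    if status_code == ["401"] and "www-authenticate" in headers:
        return f"auth-protected management interface (Server: {server})"
    return f"web server (Server: {server})"


class _DeviceStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for an embedded configuration UI (not a real device)."""
    server_version = "EmbeddedHTTPd/0.1"  # invented banner
    sys_version = ""                      # hide the Python/x.y suffix

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Router Configuration"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stand_in() -> int:
    """Serve the stand-in on an ephemeral loopback port; return that port."""
    srv = HTTPServer(("127.0.0.1", 0), _DeviceStandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    port = start_stand_in()
    found = probe_http("127.0.0.1", port)
    print(found["status"], "->", classify(found))
```

Against a real target, run the probe from the scanning host (host A in the thread) against the public address, and once more against the router's own address; identical banners from both are the telltale of a device in front of the host answering on its behalf.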
Paulo wrote:
>Thanks for the help.
>
>Host A:
>- The computer where I'm running the tests with nessus
>and nmap.
>- IP 200.200.200.201
>
>Router R1:
>- ADSL router - connects host A to the internet.
>- IP 200.200.200.202
>
>Host B:
>- The server under investigation; it receives the tests
>with nessus and nmap.
>- Linux RedHat/Conectiva 8
>- IP 200.200.201.201
>- Services running: Samba, Squid, Atalk, Postfix,
>Iptables, Snort, SSH. I don't have Apache installed.
>- iptables is set to drop all connections, except
>SSH coming from host A.
>- There is no redirect to port 80 in iptables.
>
>Router R2:
>- ADSL router - connects host B to the internet.
>- SpeedStream model 5660
>- IP 200.200.201.202
>
>The Problem:
>I ran Nessus from host A against host B and
>received a Security Alert saying that port
>80/tcp was open and that an unknown service was
>running.
>
>I started the investigation and ran the following
>commands on host B:
>netstat -tupan (doesn't show port 80)
>lsof -i (doesn't show port 80)
>fuser -n tcp 80 (shows nothing)
>tcpdump dst port 80 (there is no traffic on this
>port)
>chkrootkit (detects nothing)
>clamav (finds no virus)
>I replaced netstat with another, trusted copy and ran
>netstat -tupan again, and the result was the same.
>
>- I disabled port 80/tcp and 80/udp in
>/etc/services and restarted host B.
>
>I tried a telnet to port 80 and this happened:
>
>Trying 200.200.201.201 ....
>Connected to 200.200.201.201.
>Escape character is '^]'.
>
>I typed: GET / HTTP / 1.1
>Then, after a short time, I received the message:
>
>Connection closed by foreign host.
>
>On host A, I ran nmap against host B using the
>following command:
>nmap -vv -P0 -p 80-80 -sT 200.200.201.201
>
>It reported that port 80/tcp was open, service http.
>
>Then I did the following test: I unplugged host B from
>the router. On host A, I ran the same nmap command
>against host B's IP, and the result was that
>port 80 was open. But how, if the host was unplugged
>from the internet?
>
>Then, still with host B off the internet, I ran the
>nmap command against router R2's IP, and the result was
>that port 80 was open there too.
>
>I don't understand what's happening. Can anyone
>help me?
>
>The results of the netstat -tupan and ps ax
>commands follow.
>
>Result of the netstat -tupan:
>
>Active Internet connections (servers and established)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>tcp        0      0 192.168.100.1:548       0.0.0.0:*               LISTEN      2069/afpd
>tcp        0      0 192.168.100.1:139       0.0.0.0:*               LISTEN      1895/smbd
>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1008/sshd
>tcp        0      0 192.168.100.1:3128      0.0.0.0:*               LISTEN      2149/(squid)
>tcp        0      0 192.168.100.1:25        0.0.0.0:*               LISTEN      1675/master
>tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1675/master
>tcp        0      0 127.0.0.1:32898         127.0.0.1:32897         ESTABLISHED 2149/(squid)
>tcp        0      0 127.0.0.1:32897         127.0.0.1:32898         ESTABLISHED 2150/(ncsa_auth)
>tcp        0      0 127.0.0.1:32900         127.0.0.1:32899         ESTABLISHED 2149/(squid)
>tcp        0      0 192.168.100.1:548       192.168.100.3:49155     ESTABLISHED 2247/afpd
>tcp        0      0 127.0.0.1:32899         127.0.0.1:32900         ESTABLISHED 2151/(ncsa_auth)
>tcp        0     48 200.200.201.201:22      200.200.200.201:32806   ESTABLISHED 1399/sshd
>tcp        0      0 192.168.100.1:139       192.168.100.6:1027      ESTABLISHED 2203/smbd
>tcp        0      0 127.0.0.1:32902         127.0.0.1:32901         ESTABLISHED 2149/(squid)
>tcp        0      0 192.168.100.1:548       192.168.100.5:49155     ESTABLISHED 2330/afpd
>tcp        0      0 127.0.0.1:32901         127.0.0.1:32902         ESTABLISHED 2152/(ncsa_auth)
>tcp        0      0 127.0.0.1:32904         127.0.0.1:32903         ESTABLISHED 2149/(squid)
>tcp        0      0 127.0.0.1:32903         127.0.0.1:32904         ESTABLISHED 2153/(ncsa_auth)
>tcp        0      0 127.0.0.1:32906         127.0.0.1:32905         ESTABLISHED 2149/(squid)
>tcp        0      0 127.0.0.1:32905         127.0.0.1:32906         ESTABLISHED 2154/(ncsa_auth)
>tcp        0      0 192.168.100.1:139       192.168.100.7:1233      ESTABLISHED 1951/smbd
>udp        0      0 192.168.100.1:137       0.0.0.0:*                           1908/nmbd
>udp        0      0 0.0.0.0:137             0.0.0.0:*                           1908/nmbd
>udp        0      0 192.168.100.1:138       0.0.0.0:*                           1908/nmbd
>udp        0      0 0.0.0.0:138             0.0.0.0:*                           1908/nmbd
>udp        0      0 127.0.0.1:32786         0.0.0.0:*                           1951/smbd
>udp        0      0 127.0.0.1:32791         127.0.0.1:32792         ESTABLISHED 2156/(pinger)
>udp        0      0 127.0.0.1:32792         127.0.0.1:32791         ESTABLISHED 2149/(squid)
>udp        0      0 127.0.0.1:32793         0.0.0.0:*                           2203/smbd
>udp        0      0 0.0.0.0:32804           0.0.0.0:*                           2149/(squid)
>
>Result of the ps ax:
>
>  PID TTY      STAT   TIME COMMAND
>    4 ?        SW     0:00 [kswapd]
>    5 ?        SW     0:00 [bdflush]
>    6 ?        SW     0:00 [kupdated]
>    7 ?        SW<    0:00 [mdrecoveryd]
>   11 ?        SW     0:02 [kjournald]
>  129 ?        SW     0:00 [khubd]
>  256 ?        SW     0:00 [kjournald]
>  257 ?        SW     0:00 [kjournald]
>  701 ?        SW     0:00 [eth0]
>  782 ?        SW     0:00 [eth1]
>  868 ?        S      0:00 syslogd -m 0
>  880 ?        S      0:00 klogd
>  968 ?        S      0:00 /usr/sbin/atd
>  988 ?        S      0:00 crond
> 1008 ?        S      0:00 /usr/sbin/sshd
> 1133 ttyS0    S      0:00 gpm -t ms
> 1314 ?        R      0:08 /usr/bin/snort -d -D -i eth0 -p -l /var/log/snort -u
> 1319 tty1     S      0:00 /sbin/mingetty tty1
> 1320 tty2     S      0:00 /sbin/mingetty tty2
> 1321 tty3     S      0:00 /sbin/mingetty tty3
> 1322 tty4     S      0:00 /sbin/mingetty tty4
> 1323 tty5     S      0:00 /sbin/mingetty tty5
> 1324 tty6     S      0:00 /sbin/mingetty tty6
> 1399 ?        S      0:00 /usr/sbin/sshd
> 1401 ?        S      0:01 /usr/sbin/sshd
> 1402 pts/0    S      0:00 -bash
> 1415 pts/0    S      0:00 su
> 1416 pts/0    S      0:00 bash
> 1675 ?        S      0:00 /usr/lib/postfix/master
> 1682 ?        S      0:00 pickup -l -t fifo -u
> 1683 ?        S      0:00 qmgr -l -t fifo -u
> 1895 ?        S      0:00 smbd -D
> 1908 ?        S      0:00 nmbd -D
> 1909 ?        S      0:00 nmbd -D
> 1951 ?        S      0:04 smbd -D
> 2043 ?        S      0:00 atalkd
> 2056 ?        S      0:00 papd
> 2069 ?        S      0:00 afpd -c 50 -n sp
> 2147 ?        S      0:00 /usr/bin/squid
> 2149 ?        S      0:00 (squid)
> 2150 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2151 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2152 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2153 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2154 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
> 2155 ?        S      0:00 (unlinkd)
> 2156 ?        S      0:00 (pinger)
> 2203 ?        S      0:01 smbd -D
> 2247 ?        S      0:00 afpd -c 50 -n sp
> 2316 ?        S      0:00 smtp -t unix -u
> 2318 pts/0    R      0:00 ps ax
>
>
>--- Nelson Santos <nsantos@gmail.com> wrote:
>
>>Hi Paulo,
>>
>>Did you try to connect to the port using Telnet
>>(telnet localhost 80)?
>>How about using nmap
>>(nmap -sV -p 80 localhost)? This will try to connect
>>to the service
>>and check its version.
>>
>>Nelson
>>
>>On Wed, 30 Jun 2004 04:24:24 -0700 (PDT), Paulo
>><listassec@yahoo.com> wrote:
>>
>>>Hi,
>>>
>>>I ran Nessus on a Redhat/Conectiva 9 and
>>>received the alert:
>>>
>>>Security Note: Port: www-http (80/tcp).
>>>
>>>I am not running an http server (apache), and netstat
>>>-anp doesn't show port 80. I also ran chkrootkit and it
>>>detected nothing. I ran clamav and it detected nothing
>>>too.
>>>
>>>Can anyone help me?
>>>
>>>Thanks
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
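Paulo's method, comparing what the scanner reports with what the host itself binds, is the right one; what the thread shows is that the comparison has to be made with an eye to where the answer could have come from. The following is an added example, not code from the thread, that automates it: it parses a `netstat -tupan` listing and an nmap grepable (`-oG`) result and reports "ghost" ports, open to the scanner yet bound by no local socket that could answer on the scanned address, then lists the two checks from the thread that separate the host from something in front of it (a packet capture on the host during the scan, and a scan of the router's own address). Both inputs are constructed for the example: the netstat excerpt is a subset of the listing above with English headers, and the nmap line is what `-oG` would emit for the result described. One caveat the thread itself illustrates: editing /etc/services changes only the name-to-number mapping and cannot close a port; only the process bound to it, or a packet filter, can.

```python
"""Cross-check an external port scan against the host's own listener table.

Added example (not from the original thread). A port that a remote scanner
reports open, but that no local process has bound on the scanned address,
was answered by something else in the path; in the thread, the ADSL
router's configuration web server.

Sample inputs are constructed: the netstat excerpt is a subset of the
posted listing, the nmap line is grepable output for the scan described.
"""
import re
from typing import Dict, List, Tuple

# Constructed: excerpt of `netstat -tupan` on host B (headers in English).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.100.1:548       0.0.0.0:*               LISTEN      2069/afpd
tcp        0      0 192.168.100.1:139       0.0.0.0:*               LISTEN      1895/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1008/sshd
tcp        0      0 192.168.100.1:3128      0.0.0.0:*               LISTEN      2149/(squid)
tcp        0     48 200.200.201.201:22      200.200.200.201:32806   ESTABLISHED 1399/sshd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1908/nmbd
"""

# Constructed: `nmap -oG - -P0 -sT -p 22,80 200.200.201.201` as run from host A.
NMAP_GREPABLE = (
    "# Nmap scan initiated as: nmap -oG - -P0 -sT -p 22,80 200.200.201.201\n"
    "Host: 200.200.201.201 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n"
    "# Nmap done\n"
)

Listener = Tuple[str, str]             # (bound address, PID/program)
ScanEntry = Tuple[int, str, str, str]  # (port, state, proto, service)

NETSTAT_ROW = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<prog>\S+)\s*$"
)


def parse_netstat(text: str) -> Dict[Tuple[str, int], List[Listener]]:
    """Map (proto, port) -> sockets that would accept a scanner's packet.

    TCP counts only in LISTEN; UDP counts when unconnected (foreign '*').
    Established rows are skipped: a scanner never talks to those.
    """
    listeners: Dict[Tuple[str, int], List[Listener]] = {}
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank, or a row this check does not need
        proto = m.group("proto").rstrip("6")  # tcp6 -> tcp, as nmap names it
        if proto == "tcp" and m.group("state") != "LISTEN":
            continue
        if proto == "udp" and not m.group("faddr").endswith(":*"):
            continue
        key = (proto, int(m.group("lport")))
        listeners.setdefault(key, []).append((m.group("laddr"), m.group("prog")))
    return listeners


def parse_nmap_grepable(text: str) -> Dict[str, List[ScanEntry]]:
    """Map scanned host -> port entries (port/state/proto/owner/service/...)."""
    hosts: Dict[str, List[ScanEntry]] = {}
    for line in text.splitlines():
        host = re.match(r"Host:\s+(\S+)", line)
        ports = re.search(r"Ports:\s*([^\t]*)", line)
        if not host or not ports:
            continue
        entries = hosts.setdefault(host.group(1), [])
        for item in ports.group(1).split(","):
            f = item.strip().split("/")
            entries.append((int(f[0]), f[1], f[2], f[4]))
    return hosts


def find_ghost_ports(listeners: Dict[Tuple[str, int], List[Listener]],
                     scan: List[ScanEntry], target_ip: str) -> List[Tuple[int, str, str]]:
    """Open ports in the scan with no local socket that could have answered.

    A socket counts only if bound to the wildcard or to the scanned address:
    Samba bound to 192.168.100.1 cannot be what replied on the public IP.
    """
    ghosts = []
    for port, state, proto, service in scan:
        if state != "open":
            continue
        bound = listeners.get((proto, port), [])
        if not any(addr in ("0.0.0.0", "::", target_ip) for addr, _ in bound):
            ghosts.append((port, proto, service))
    return ghosts


def next_checks(port: int, proto: str, iface: str, router_ip: str) -> List[str]:
    """Commands that separate 'host answers' from 'something upstream answers'."""
    return [
        f"tcpdump -ni {iface} '{proto} port {port}'",  # no packet on the host = never reached it
        f"nmap -P0 -sT -p {port} {router_ip}",         # does the router serve it itself?
    ]


if __name__ == "__main__":
    target, router = "200.200.201.201", "200.200.201.202"
    local = parse_netstat(NETSTAT_OUTPUT)
    for port, proto, service in find_ghost_ports(local, parse_nmap_grepable(NMAP_GREPABLE)[target], target):
        print(f"ghost port {port}/{proto} ({service}): open to the scanner, unbound on the host")
        for cmd in next_checks(port, proto, "eth0", router):
            print("  check:", cmd)
```

On a live system feed it the real `netstat -tupan` (or `ss -tulpn`) output from the target and a fresh `nmap -oG` file from the scanning host; the only ports that should come back are ones the host genuinely does not serve, and for each of those the packet capture on the host settles whether the SYN ever arrived.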