Security Basics mailing list archives
RE: Port 80 open without WebServer
From: Fernando Serto <fernando.serto () memetrics com>
Date: Tue, 13 Jul 2004 14:21:19 +1000
In Australia, most of the ISPs have a transparent proxy, so if you try to connect to ANYWHERE on port 80, you'll be able to open a connection. Maybe that's what's going on in your country, too. We run a transparent proxy at the office as well, so from any box on our internal network we'll have the same "problem" (though I wouldn't call it a problem).

Look at this example from my ADSL at home (in Australia):

root@skywalker:~# telnet 1.1.1.1 80
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
^]
telnet> q
Connection closed.
root@skywalker:~#

From the firewall at the office (the only box which is not going through the proxy):

root@fenestra:~# telnet 1.1.1.1 80
Trying 1.1.1.1...
telnet: connect to address 1.1.1.1: Connection timed out
root@fenestra:~#

As you mentioned, both sites are connected via ADSL. Different ISPs?

Cheers,
Fernando
-----Original Message-----
From: Nelson Santos [mailto:nsantos () gmail com]
Sent: Friday, 2 July 2004 5:31 AM
To: Paulo
Cc: security-basics () securityfocus com
Subject: Re: Port 80 open without WebServer

Are you using a transparent proxy? Because if you are, Squid is listening on port 80. I assume you're using Speedy Business, so those IPs were assigned to you by Telefonica, right? I'm asking because those are not private IPs, so you could be scanning a host outside your net.

Nelson

On Thu, 1 Jul 2004 09:50:18 -0700 (PDT), Paulo <listassec () yahoo com> wrote:

Thanks for the help.

Host A:
- The computer where I'm running the tests with Nessus and nmap.
- IP 200.200.200.201

Router R1:
- ADSL router; connects host A to the internet.
- IP 200.200.200.202

Host B:
- The server under investigation; receives the tests with Nessus and nmap.
- Linux Red Hat/Conectiva 8
- IP 200.200.201.201
- Services running: Samba, Squid, Atalk, Postfix, iptables, Snort, SSH. I don't have Apache installed.
- iptables is set to drop all connections, with the exception of SSH coming from host A.
- iptables has no redirect to port 80.

Router R2:
- ADSL router; connects host B to the internet.
- SpeedStream model 5660
- IP 200.200.201.202

The problem:

I ran Nessus from host A against host B and received a security alert saying that port 80/tcp was open and that an unknown service was running. I started investigating and ran the following commands on host B:

netstat -tupan       (doesn't show port 80)
lsof -i              (doesn't show port 80)
fuser -n tcp 80      (shows nothing)
tcpdump dst port 80  (there is no traffic on this port)
chkrootkit           (detects nothing)
clamav               (finds no virus)

I replaced netstat with another trusted copy and ran netstat -tupan again; the result was the same.

- I disabled 80/tcp and 80/udp in /etc/services and restarted host B.

I tried a telnet to port 80 and this happened:

Trying 200.200.201.201...
Connected to 200.200.201.201.
Escape character is '^]'.

I typed:

GET / HTTP/1.1

Then, after a short time, I received the message:

Connection closed by foreign host.

On host A, I ran nmap against host B using the following command:

nmap -vv -P0 -p 80-80 -sT 200.200.201.201

It reported that port 80/tcp was open with the http service.

Then I did the following test: I unplugged host B from the router. On host A, I ran the same nmap command against host B's IP, and the result was that port 80 was open. But how, if the host was unplugged from the internet?

Then, still with host B off the internet, I ran the nmap command against router R2's IP, and the result was that port 80 was open too.

I don't understand what's happening. Can anyone help me?

The results of the netstat -tupan and ps ax commands follow.

Result of netstat -tupan (output translated from Portuguese):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State        PID/Program name
tcp        0      0 192.168.100.1:548       0.0.0.0:*               LISTEN       2069/afpd
tcp        0      0 192.168.100.1:139       0.0.0.0:*               LISTEN       1895/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN       1008/sshd
tcp        0      0 192.168.100.1:3128      0.0.0.0:*               LISTEN       2149/(squid)
tcp        0      0 192.168.100.1:25        0.0.0.0:*               LISTEN       1675/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN       1675/master
tcp        0      0 127.0.0.1:32898         127.0.0.1:32897         ESTABLISHED  2149/(squid)
tcp        0      0 127.0.0.1:32897         127.0.0.1:32898         ESTABLISHED  2150/(ncsa_auth)
tcp        0      0 127.0.0.1:32900         127.0.0.1:32899         ESTABLISHED  2149/(squid)
tcp        0      0 192.168.100.1:548       192.168.100.3:49155     ESTABLISHED  2247/afpd
tcp        0      0 127.0.0.1:32899         127.0.0.1:32900         ESTABLISHED  2151/(ncsa_auth)
tcp        0     48 200.200.201.201:22      200.200.200.201:32806   ESTABLISHED  1399/sshd
tcp        0      0 192.168.100.1:139       192.168.100.6:1027      ESTABLISHED  2203/smbd
tcp        0      0 127.0.0.1:32902         127.0.0.1:32901         ESTABLISHED  2149/(squid)
tcp        0      0 192.168.100.1:548       192.168.100.5:49155     ESTABLISHED  2330/afpd
tcp        0      0 127.0.0.1:32901         127.0.0.1:32902         ESTABLISHED  2152/(ncsa_auth)
tcp        0      0 127.0.0.1:32904         127.0.0.1:32903         ESTABLISHED  2149/(squid)
tcp        0      0 127.0.0.1:32903         127.0.0.1:32904         ESTABLISHED  2153/(ncsa_auth)
tcp        0      0 127.0.0.1:32906         127.0.0.1:32905         ESTABLISHED  2149/(squid)
tcp        0      0 127.0.0.1:32905         127.0.0.1:32906         ESTABLISHED  2154/(ncsa_auth)
tcp        0      0 192.168.100.1:139       192.168.100.7:1233      ESTABLISHED  1951/smbd
udp        0      0 192.168.100.1:137       0.0.0.0:*                            1908/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                            1908/nmbd
udp        0      0 192.168.100.1:138       0.0.0.0:*                            1908/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                            1908/nmbd
udp        0      0 127.0.0.1:32786         0.0.0.0:*                            1951/smbd
udp        0      0 127.0.0.1:32791         127.0.0.1:32792         ESTABLISHED  2156/(pinger)
udp        0      0 127.0.0.1:32792         127.0.0.1:32791         ESTABLISHED  2149/(squid)
udp        0      0 127.0.0.1:32793         0.0.0.0:*                            2203/smbd
udp        0      0 0.0.0.0:32804           0.0.0.0:*                            2149/(squid)

Result of ps ax:

  PID TTY      STAT   TIME COMMAND
    4 ?        SW     0:00 [kswapd]
    5 ?        SW     0:00 [bdflush]
    6 ?        SW     0:00 [kupdated]
    7 ?        SW<    0:00 [mdrecoveryd]
   11 ?        SW     0:02 [kjournald]
  129 ?        SW     0:00 [khubd]
  256 ?        SW     0:00 [kjournald]
  257 ?        SW     0:00 [kjournald]
  701 ?        SW     0:00 [eth0]
  782 ?        SW     0:00 [eth1]
  868 ?        S      0:00 syslogd -m 0
  880 ?        S      0:00 klogd
  968 ?        S      0:00 /usr/sbin/atd
  988 ?        S      0:00 crond
 1008 ?        S      0:00 /usr/sbin/sshd
 1133 ttyS0    S      0:00 gpm -t ms
 1314 ?        R      0:08 /usr/bin/snort -d -D -i eth0 -p -l /var/log/snort -u
 1319 tty1     S      0:00 /sbin/mingetty tty1
 1320 tty2     S      0:00 /sbin/mingetty tty2
 1321 tty3     S      0:00 /sbin/mingetty tty3
 1322 tty4     S      0:00 /sbin/mingetty tty4
 1323 tty5     S      0:00 /sbin/mingetty tty5
 1324 tty6     S      0:00 /sbin/mingetty tty6
 1399 ?        S      0:00 /usr/sbin/sshd
 1401 ?        S      0:01 /usr/sbin/sshd
 1402 pts/0    S      0:00 -bash
 1415 pts/0    S      0:00 su
 1416 pts/0    S      0:00 bash
 1675 ?        S      0:00 /usr/lib/postfix/master
 1682 ?        S      0:00 pickup -l -t fifo -u
 1683 ?        S      0:00 qmgr -l -t fifo -u
 1895 ?        S      0:00 smbd -D
 1908 ?        S      0:00 nmbd -D
 1909 ?        S      0:00 nmbd -D
 1951 ?        S      0:04 smbd -D
 2043 ?        S      0:00 atalkd
 2056 ?        S      0:00 papd
 2069 ?        S      0:00 afpd -c 50 -n sp
 2147 ?        S      0:00 /usr/bin/squid
 2149 ?        S      0:00 (squid)
 2150 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2151 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2152 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2153 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2154 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2155 ?        S      0:00 (unlinkd)
 2156 ?        S      0:00 (pinger)
 2203 ?        S      0:01 smbd -D
 2247 ?        S      0:00 afpd -c 50 -n sp
 2316 ?        S      0:00 smtp -t unix -u
 2318 pts/0    R      0:00 ps ax

--- Nelson Santos <nsantos () gmail com> wrote:

Hi Paulo,

Did you try to connect to the port using telnet (telnet localhost 80)? How about using nmap (nmap -sV -p 80 localhost)? This will try to connect to the service and check its version.

Nelson

On Wed, 30 Jun 2004 04:24:24 -0700 (PDT), Paulo <listassec () yahoo com> wrote:

Hi,

I ran Nessus on a Red Hat/Conectiva 9 and received the alert:

Security Note: Port: www-http (80/tcp).

I'm not running an HTTP server (Apache), and netstat -anp doesn't show port 80. I also ran chkrootkit and it detected nothing. I ran clamav and it detected nothing either.

Can anyone help me?

Thanks

__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Certain disclaimers and policies apply to all email sent from Memetrics. For the full text of these disclaimers and policies see http://www.memetrics.com/emailpolicy.html
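The check Fernando describes (telnet to a dead address on port 80 and see whether the connection is accepted anyway) generalises into a differential probe: connect to the suspect target and to a control address you know has nothing on port 80, and if the control also accepts the SYN, the "open port" belongs to a middlebox on your own side of the path, not to the target. The script below is an added example, not code from the thread. Note that 1.1.1.1, which was unallocated in 2004, is now Cloudflare's resolver and serves HTTP, so it no longer works as a dead control; the thread's unplugged host B is the ideal control. The fake sockets, the canned Squid error page and the 198.51.100.x addresses are constructed for offline demonstration.

```python
"""Differential port-80 probe: is a reported "open" port 80 really on the target,
or is a transparent proxy on the path answering for every destination?
Added example (stdlib only); fakes and addresses below are constructed."""
import socket
from typing import Callable, Dict, List, Tuple

# Anything with the shape of socket.create_connection(address, timeout).
ConnectFn = Callable[[Tuple[str, int], float], socket.socket]


def http_probe(host: str, port: int = 80, timeout: float = 5.0,
               connect: ConnectFn = socket.create_connection) -> Tuple[bool, bytes]:
    """TCP-connect to host:port, send a minimal GET, read up to 4 KiB.
    Returns (connected, raw_reply). Refusal/timeout on connect -> (False, b"").
    Accepted but closed without data -> (True, b"") (the thread's
    'Connection closed by foreign host' after a GET)."""
    try:
        sock = connect((host, port), timeout)
    except OSError:
        return False, b""
    reply = b""
    try:
        sock.settimeout(timeout)
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        while len(reply) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            reply += chunk
    except OSError:
        pass  # reset/timeout after accept still means the SYN was answered
    finally:
        sock.close()
    return True, reply


# Tokens a caching proxy (Squid in the thread) leaves in its own error pages
# or in the replies it forwards. Matched case-insensitively in the headers.
PROXY_MARKERS = (b"via:", b"x-cache:", b"x-squid-error:", b"squid/")


def proxy_markers(reply: bytes) -> List[str]:
    """Which PROXY_MARKERS occur in the response header block."""
    head = reply.split(b"\r\n\r\n", 1)[0].lower()
    return [m.decode("ascii") for m in PROXY_MARKERS if m in head]


def classify(target: str, control: str, port: int = 80,
             connect: ConnectFn = socket.create_connection) -> Dict[str, object]:
    """Probe the suspect target and a control address that cannot be listening.
    If the control also accepts, the accept came from a middlebox on YOUR side."""
    t_ok, t_reply = http_probe(target, port, connect=connect)
    c_ok, c_reply = http_probe(control, port, connect=connect)
    if c_ok:
        verdict = "intercepted"  # port 80 is "open everywhere": transparent proxy
    elif t_ok:
        verdict = "listener"     # only the target (or a box in front of it) answered
    else:
        verdict = "closed"
    return {"verdict": verdict, "target_connected": t_ok, "control_connected": c_ok,
            "markers": sorted(set(proxy_markers(t_reply) + proxy_markers(c_reply)))}


# --- Constructed offline stand-ins (no real traffic) -------------------------
class _FakeSock:
    """Socket stand-in: swallows the request, replies once with canned bytes."""
    def __init__(self, reply: bytes) -> None:
        self._reply, self._drained = reply, False
    def settimeout(self, _t: float) -> None: pass
    def sendall(self, _b: bytes) -> None: pass
    def recv(self, _n: int) -> bytes:
        if self._drained:
            return b""
        self._drained = True
        return self._reply
    def close(self) -> None: pass


# Constructed to resemble what Squid 2.x returns after accepting our SYN but
# failing to reach the dead destination itself.
SQUID_ERROR = (b"HTTP/1.0 503 Service Unavailable\r\n"
               b"Server: squid/2.5.STABLE5\r\n"
               b"X-Squid-Error: ERR_CONNECT_FAIL 110\r\n"
               b"Via: 1.0 proxy.isp.example:3128 (squid/2.5.STABLE5)\r\n"
               b"\r\n<html>connect failed</html>")


def fake_path(intercepted: bool, listeners=()) -> ConnectFn:
    """connect() stand-in. intercepted=True models an ISP/office transparent
    proxy accepting every port-80 SYN; otherwise only hosts in listeners accept."""
    def connect(addr, timeout):
        host, _port = addr
        if intercepted:
            return _FakeSock(SQUID_ERROR)
        if host in listeners:
            return _FakeSock(b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\nhello")
        raise socket.timeout("timed out")
    return connect


if __name__ == "__main__":
    # Offline demo; for a live check drop connect= (uses socket.create_connection)
    # and pick a control address you know is dead.
    print(classify("198.51.100.10", "198.51.100.99", connect=fake_path(True)))
    print(classify("198.51.100.10", "198.51.100.99", connect=fake_path(False, {"198.51.100.10"})))
```

Run it from a box on the suspect path (host A in the thread) and from one that bypasses the proxy (Fernando's office firewall) and compare the verdicts; the "markers" list tells you whether the reply that closed the connection carried a proxy signature, which is the quickest way to confirm it was Squid and not host B talking.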
Current thread:
- Re: Port 80 open without WebServer, (continued)
- Re: Port 80 open without WebServer Hemil (Jul 05)
- Re: Port 80 open without WebServer Paul Kurczaba (Jul 05)
- RE: Port 80 open without WebServer BANIER Jeremie (Jul 01)
- Re: Port 80 open without WebServer pingywon MCSE (Jul 05)
- RE: Port 80 open without WebServer Hamish Stanaway (Jul 05)
- Re: Port 80 open without WebServer Ivan Coric (Jul 05)
- Re: Port 80 open without WebServer Marcus Taylor (Jul 06)
- RE: Port 80 open without WebServer Thomas48 (Jul 06)
- Fw: Port 80 open without WebServer Todd . Bailey (Jul 05)
- Re: Port 80 open without WebServer Webb Wang CS (Jul 05)
- RE: Port 80 open without WebServer Fernando Serto (Jul 13)