Security Basics mailing list archives

RE: Port 80 open without WebServer


From: Fernando Serto <fernando.serto () memetrics com>
Date: Tue, 13 Jul 2004 14:21:19 +1000

In Australia, most of the ISPs have a transparent proxy, so if you try to
connect to ANYWHERE on port 80, you'll be able to open a connection. Maybe
that's what's going on in your country, too.

We run a transparent proxy at the office as well, so from any box on our
internal network we'll have the same "problem" (though I wouldn't call it
a problem).

Look at this example from my ADSL at home (in Australia):
root@skywalker:~# telnet 1.1.1.1 80
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
^]
telnet> q
Connection closed.
root@skywalker:~#

From the firewall at the office (the only box which is not going through the
proxy):
root@fenestra:~# telnet 1.1.1.1 80
Trying 1.1.1.1...
telnet: connect to address 1.1.1.1: Connection timed out
root@fenestra:~#

As you mentioned, both sites are connected via ADSL. Different ISPs?

Cheers,
Fernando
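One way to tell a transparent proxy answering on the target's behalf from a real listener on port 80 is to send a request over the "open" connection and inspect who replies. The following is an added example, not code from this thread; the marker header list and both sample replies are constructed assumptions, and probe() is a hypothetical helper for hosts you administer.

```python
import socket

# Headers an HTTP intermediary typically inserts (assumption: illustrative,
# not exhaustive; a proxy can be configured to strip all of them).
PROXY_MARKERS = ("via", "x-cache", "x-squid-error", "proxy-agent")

# Constructed sample replies for offline use, not captured from the thread.
SAMPLE_PROXY_REPLY = (b"HTTP/1.0 503 Service Unavailable\r\n"
                      b"Server: squid/2.5.STABLE5\r\n"
                      b"Via: 1.0 proxy.example.invalid:3128 (squid/2.5.STABLE5)\r\n"
                      b"Content-Type: text/html\r\n\r\n<html>upstream unreachable</html>")
SAMPLE_ORIGIN_REPLY = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"

def parse_response(raw):
    """Split a raw HTTP reply into (status line, {lower-case header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def looks_like_proxy(raw):
    """True when the reply carries headers a proxy, not an origin server, adds."""
    if not raw:
        return False
    _, headers = parse_response(raw)
    if any(h in headers for h in PROXY_MARKERS):
        return True
    return "squid" in headers.get("server", "").lower()

def probe(host, port=80, timeout=5.0):
    """Connect, send a minimal GET and return the raw reply (b"" on failure)."""
    req = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return b""
```

Calling probe() against a host you administer that has no port-80 listener is the same control as the telnet test above: any reply at all means something upstream is accepting the connection, and Via or Server: squid headers in it name the proxy rather than the scanned host.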

-----Original Message-----
From: Nelson Santos [mailto:nsantos () gmail com]
Sent: Friday, 2 July 2004 5:31 AM
To: Paulo
Cc: security-basics () securityfocus com
Subject: Re: Port 80 open without WebServer


Are you using a transparent proxy? Because if you are, squid is
listening on port 80. I assume you're using Speedy Business, so those
IPs were assigned to you by Telefonica, right? I'm asking because those
are not private IPs, so you could be scanning a host outside your net.


Nelson

On Thu, 1 Jul 2004 09:50:18 -0700 (PDT), Paulo <listassec () yahoo com> wrote:

Thanks for the help.

Host A:
- The computer where I'm running the tests with nessus and nmap.
- IP 200.200.200.201

Router R1:
- ADSL router; provides host A's connection to the internet.
- IP 200.200.200.202

Host B:
- The server under investigation; receives the tests with nessus and nmap.
- Linux RedHat/Conectiva 8
- IP 200.200.201.201
- Services running: Samba, Squid, Atalk, Postfix, Iptables, Snort, SSH; I don't have Apache installed.
- iptables is set to drop all connections, with the exception of SSH coming from host A.
- There is no redirect to port 80 in iptables.

Router R2:
- ADSL router; provides host B's connection to the internet.
- SpeedStream model 5660
- IP 200.200.201.202

The Problem:
I ran nessus from host A against host B, and I received a Security Alert
saying that port 80/tcp was open and that an unknown service was running.

I started the investigation and ran the following commands on host B:
netstat -tupan ( doesn't show port 80 )
lsof -i ( doesn't show port 80 )
fuser -n tcp 80 ( shows nothing )
tcpdump dst port 80 ( there is no traffic on this port )
chkrootkit ( detects nothing )
clamav ( doesn't find a virus )
I replaced netstat with another, secure one and ran netstat -tupan again,
and the result was the same.

- I disabled ports 80/tcp and 80/udp in /etc/services and restarted host B.

I tried a telnet to port 80 and this happened:

Trying 200.200.201.201 ....
Connected to 200.200.201.201.
Escape character is '^]'.

I did: GET / HTTP / 1.1
Then, after a short time, I received the message:

Connection closed by foreign host.

On host A, I ran nmap against host B using the following command:
nmap -vv -P0 -p 80-80 -sT 200.200.201.201

I received that port 80/tcp was open, http service.

Then I did the following test: I unplugged host B from the router. On
host A, I ran the same nmap command against host B's IP and the result
was that port 80 was open. But how, if the host was unplugged from the
internet?

Then, still with host B off the internet, I ran the nmap command against
router R2's IP and the result was that port 80 was open too.

I don't understand what's happening; can anyone help me?

The results of the netstat -tupan and ps ax commands follow.

Result of netstat -tupan:

Conexões Internet Ativas (servidores e estabelecidas)
Proto Recv-Q Send-Q Endereço Local          Endereço Remoto         Estado       PID/Program name
tcp        0      0 192.168.100.1:548       0.0.0.0:*               OUÇA         2069/afpd
tcp        0      0 192.168.100.1:139       0.0.0.0:*               OUÇA         1895/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               OUÇA         1008/sshd
tcp        0      0 192.168.100.1:3128      0.0.0.0:*               OUÇA         2149/(squid)
tcp        0      0 192.168.100.1:25        0.0.0.0:*               OUÇA         1675/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               OUÇA         1675/master
tcp        0      0 127.0.0.1:32898         127.0.0.1:32897         ESTABELECIDA 2149/(squid)
tcp        0      0 127.0.0.1:32897         127.0.0.1:32898         ESTABELECIDA 2150/(ncsa_auth)
tcp        0      0 127.0.0.1:32900         127.0.0.1:32899         ESTABELECIDA 2149/(squid)
tcp        0      0 192.168.100.1:548       192.168.100.3:49155     ESTABELECIDA 2247/afpd
tcp        0      0 127.0.0.1:32899         127.0.0.1:32900         ESTABELECIDA 2151/(ncsa_auth)
tcp        0     48 200.200.201.201:22      200.200.200.201:32806   ESTABELECIDA 1399/sshd
tcp        0      0 192.168.100.1:139       192.168.100.6:1027      ESTABELECIDA 2203/smbd
tcp        0      0 127.0.0.1:32902         127.0.0.1:32901         ESTABELECIDA 2149/(squid)
tcp        0      0 192.168.100.1:548       192.168.100.5:49155     ESTABELECIDA 2330/afpd
tcp        0      0 127.0.0.1:32901         127.0.0.1:32902         ESTABELECIDA 2152/(ncsa_auth)
tcp        0      0 127.0.0.1:32904         127.0.0.1:32903         ESTABELECIDA 2149/(squid)
tcp        0      0 127.0.0.1:32903         127.0.0.1:32904         ESTABELECIDA 2153/(ncsa_auth)
tcp        0      0 127.0.0.1:32906         127.0.0.1:32905         ESTABELECIDA 2149/(squid)
tcp        0      0 127.0.0.1:32905         127.0.0.1:32906         ESTABELECIDA 2154/(ncsa_auth)
tcp        0      0 192.168.100.1:139       192.168.100.7:1233      ESTABELECIDA 1951/smbd
udp        0      0 192.168.100.1:137       0.0.0.0:*                            1908/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                            1908/nmbd
udp        0      0 192.168.100.1:138       0.0.0.0:*                            1908/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                            1908/nmbd
udp        0      0 127.0.0.1:32786         0.0.0.0:*                            1951/smbd
udp        0      0 127.0.0.1:32791         127.0.0.1:32792         ESTABELECIDA 2156/(pinger)
udp        0      0 127.0.0.1:32792         127.0.0.1:32791         ESTABELECIDA 2149/(squid)
udp        0      0 127.0.0.1:32793         0.0.0.0:*                            2203/smbd
udp        0      0 0.0.0.0:32804           0.0.0.0:*                            2149/(squid)

Result of the ps ax:

    4 ?        SW     0:00 [kswapd]
    5 ?        SW     0:00 [bdflush]
    6 ?        SW     0:00 [kupdated]
    7 ?        SW<    0:00 [mdrecoveryd]
   11 ?        SW     0:02 [kjournald]
  129 ?        SW     0:00 [khubd]
  256 ?        SW     0:00 [kjournald]
  257 ?        SW     0:00 [kjournald]
  701 ?        SW     0:00 [eth0]
  782 ?        SW     0:00 [eth1]
  868 ?        S      0:00 syslogd -m 0
  880 ?        S      0:00 klogd
  968 ?        S      0:00 /usr/sbin/atd
  988 ?        S      0:00 crond
 1008 ?        S      0:00 /usr/sbin/sshd
 1133 ttyS0    S      0:00 gpm -t ms
 1314 ?        R      0:08 /usr/bin/snort -d -D -i eth0 -p -l /var/log/snort -u
 1319 tty1     S      0:00 /sbin/mingetty tty1
 1320 tty2     S      0:00 /sbin/mingetty tty2
 1321 tty3     S      0:00 /sbin/mingetty tty3
 1322 tty4     S      0:00 /sbin/mingetty tty4
 1323 tty5     S      0:00 /sbin/mingetty tty5
 1324 tty6     S      0:00 /sbin/mingetty tty6
 1399 ?        S      0:00 /usr/sbin/sshd
 1401 ?        S      0:01 /usr/sbin/sshd
 1402 pts/0    S      0:00 -bash
 1415 pts/0    S      0:00 su
 1416 pts/0    S      0:00 bash
 1675 ?        S      0:00 /usr/lib/postfix/master
 1682 ?        S      0:00 pickup -l -t fifo -u
 1683 ?        S      0:00 qmgr -l -t fifo -u
 1895 ?        S      0:00 smbd -D
 1908 ?        S      0:00 nmbd -D
 1909 ?        S      0:00 nmbd -D
 1951 ?        S      0:04 smbd -D
 2043 ?        S      0:00 atalkd
 2056 ?        S      0:00 papd
 2069 ?        S      0:00 afpd -c 50 -n sp
 2147 ?        S      0:00 /usr/bin/squid
 2149 ?        S      0:00 (squid)
 2150 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2151 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2152 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2153 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2154 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2155 ?        S      0:00 (unlinkd)
 2156 ?        S      0:00 (pinger)
 2203 ?        S      0:01 smbd -D
 2247 ?        S      0:00 afpd -c 50 -n sp
 2316 ?        S      0:00 smtp -t unix -u
 2318 pts/0    R      0:00 ps ax


--- Nelson Santos <nsantos () gmail com> wrote:
Hi Paulo,

Did you try to connect to the port using Telnet (telnet localhost 80)?
How about using nmap (nmap -sV -p 80 localhost)? This will try to connect
to the service and check its version.

Nelson

On Wed, 30 Jun 2004 04:24:24 -0700 (PDT), Paulo <listassec () yahoo com> wrote:

Hi,

I ran Nessus on a Redhat/Conectiva 9 and I received the alert:

Security Note: Port: www-http (80/tcp).

I'm not running an http server (apache) and netstat -anp doesn't show
port 80. I also ran chkrootkit and it detected nothing. I ran clamav and
it detected nothing too.

Can anyone help me?

Thanks

__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------







---
Certain disclaimers and policies apply to all email sent from Memetrics.
For the full text of these disclaimers and policies see
http://www.memetrics.com/emailpolicy.html


