Security Basics mailing list archives
Re: Port 80 open without WebServer
From: Nelson Santos <nsantos () gmail com>
Date: Thu, 1 Jul 2004 16:30:34 -0300
Are you using a transparent proxy? Because if you are, squid is listening on port 80. I assume you're using Speedy Business, so those IPs were assigned to you by Telefonica, right? I'm asking because those are not private IPs, so you could be scanning a host outside your net.

Nelson

On Thu, 1 Jul 2004 09:50:18 -0700 (PDT), Paulo <listassec () yahoo com> wrote:
Thanks for the help.

Host A:
- The computer where I'm running the tests with nessus and nmap.
- IP 200.200.200.201

Router R1:
- Router ADSL - does the connection of host A with the internet.
- IP 200.200.200.202

Host B:
- The server under investigation, receives the tests with nessus and nmap.
- Linux RedHat/Conectiva 8
- IP 200.200.201.201
- Services running: Samba, Squid, Atalk, Postfix, Iptables, Snort, SSH. I don't have APACHE installed.
- iptables is set to drop all connections, with the exception of SSH coming from host A.
- In iptables there is no redirect to port 80.

Router R2:
- Router ADSL - does the connection of host B with the internet.
- SpeedStream model 5660
- IP 200.200.201.202

The Problem:

I ran nessus from host A against host B, and I received a Security Alert saying that port 80/tcp was open and that an unknown service was running. I started the investigation and ran the following commands on host B:

netstat -tupan (doesn't show port 80)
lsof -i (doesn't show port 80)
fuser -n tcp 80 (doesn't show anything)
tcpdump dst port 80 (there isn't any traffic on this port)
chkrootkit (doesn't detect anything)
clamav (doesn't find any virus)

I replaced netstat with another secure one and ran netstat -tupan again, and the result was the same.
- I disabled port 80/tcp and 80/udp in /etc/services and restarted host B.

I tried a telnet to port 80 and this happened:

Trying 200.200.201.201 ....
Connected to 200.200.201.201.
Escape character is '^]'.

I did:

GET / HTTP / 1.1

Then after a short time, I received the message:

Connection closed by foreign host.

On host A, I ran nmap against host B using the following command:

nmap -vv -P0 -p 80-80 -sT 200.200.201.201

I received that port 80/tcp was open with the http service. Then I did the following test: I unplugged host B from the router. On host A, I ran the same nmap command against host B's IP and the result was that port 80 was open. But how, if the host was unplugged from the internet?
Then, still with host B off the internet, I ran the nmap command against router R2's IP and the result was that port 80 was open too. I don't understand what's happening, can anyone help me? Following are the results of the netstat -tupan and ps ax commands.

Result of netstat -tupan:

Conexões Internet Ativas (servidores e estabelecidas)
Proto Recv-Q Send-Q Endereço Local          Endereço Remoto        Estado       PID/Program name
tcp        0      0 192.168.100.1:548       0.0.0.0:*              OUÇA         2069/afpd
tcp        0      0 192.168.100.1:139       0.0.0.0:*              OUÇA         1895/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*              OUÇA         1008/sshd
tcp        0      0 192.168.100.1:3128      0.0.0.0:*              OUÇA         2149/(squid)
tcp        0      0 192.168.100.1:25        0.0.0.0:*              OUÇA         1675/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*              OUÇA         1675/master
tcp        0      0 127.0.0.1:32898         127.0.0.1:32897        ESTABELECIDA 2149/(squid)
tcp        0      0 127.0.0.1:32897         127.0.0.1:32898        ESTABELECIDA 2150/(ncsa_auth)
tcp        0      0 127.0.0.1:32900         127.0.0.1:32899        ESTABELECIDA 2149/(squid)
tcp        0      0 192.168.100.1:548       192.168.100.3:49155    ESTABELECIDA 2247/afpd
tcp        0      0 127.0.0.1:32899         127.0.0.1:32900        ESTABELECIDA 2151/(ncsa_auth)
tcp        0     48 200.200.201.201:22      200.200.200.201:32806  ESTABELECIDA 1399/sshd
tcp        0      0 192.168.100.1:139       192.168.100.6:1027     ESTABELECIDA 2203/smbd
tcp        0      0 127.0.0.1:32902         127.0.0.1:32901        ESTABELECIDA 2149/(squid)
tcp        0      0 192.168.100.1:548       192.168.100.5:49155    ESTABELECIDA 2330/afpd
tcp        0      0 127.0.0.1:32901         127.0.0.1:32902        ESTABELECIDA 2152/(ncsa_auth)
tcp        0      0 127.0.0.1:32904         127.0.0.1:32903        ESTABELECIDA 2149/(squid)
tcp        0      0 127.0.0.1:32903         127.0.0.1:32904        ESTABELECIDA 2153/(ncsa_auth)
tcp        0      0 127.0.0.1:32906         127.0.0.1:32905        ESTABELECIDA 2149/(squid)
tcp        0      0 127.0.0.1:32905         127.0.0.1:32906        ESTABELECIDA 2154/(ncsa_auth)
tcp        0      0 192.168.100.1:139       192.168.100.7:1233     ESTABELECIDA 1951/smbd
udp        0      0 192.168.100.1:137       0.0.0.0:*                           1908/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1908/nmbd
udp        0      0 192.168.100.1:138       0.0.0.0:*                           1908/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1908/nmbd
udp        0      0 127.0.0.1:32786         0.0.0.0:*                           1951/smbd
udp        0      0 127.0.0.1:32791         127.0.0.1:32792        ESTABELECIDA 2156/(pinger)
udp        0      0 127.0.0.1:32792         127.0.0.1:32791        ESTABELECIDA 2149/(squid)
udp        0      0 127.0.0.1:32793         0.0.0.0:*                           2203/smbd
udp        0      0 0.0.0.0:32804           0.0.0.0:*                           2149/(squid)

Result of ps ax:

    4 ?        SW     0:00 [kswapd]
    5 ?        SW     0:00 [bdflush]
    6 ?        SW     0:00 [kupdated]
    7 ?        SW<    0:00 [mdrecoveryd]
   11 ?        SW     0:02 [kjournald]
  129 ?        SW     0:00 [khubd]
  256 ?        SW     0:00 [kjournald]
  257 ?        SW     0:00 [kjournald]
  701 ?        SW     0:00 [eth0]
  782 ?        SW     0:00 [eth1]
  868 ?        S      0:00 syslogd -m 0
  880 ?        S      0:00 klogd
  968 ?        S      0:00 /usr/sbin/atd
  988 ?        S      0:00 crond
 1008 ?        S      0:00 /usr/sbin/sshd
 1133 ttyS0    S      0:00 gpm -t ms
 1314 ?        R      0:08 /usr/bin/snort -d -D -i eth0 -p -l /var/log/snort -u
 1319 tty1     S      0:00 /sbin/mingetty tty1
 1320 tty2     S      0:00 /sbin/mingetty tty2
 1321 tty3     S      0:00 /sbin/mingetty tty3
 1322 tty4     S      0:00 /sbin/mingetty tty4
 1323 tty5     S      0:00 /sbin/mingetty tty5
 1324 tty6     S      0:00 /sbin/mingetty tty6
 1399 ?        S      0:00 /usr/sbin/sshd
 1401 ?        S      0:01 /usr/sbin/sshd
 1402 pts/0    S      0:00 -bash
 1415 pts/0    S      0:00 su
 1416 pts/0    S      0:00 bash
 1675 ?        S      0:00 /usr/lib/postfix/master
 1682 ?        S      0:00 pickup -l -t fifo -u
 1683 ?        S      0:00 qmgr -l -t fifo -u
 1895 ?        S      0:00 smbd -D
 1908 ?        S      0:00 nmbd -D
 1909 ?        S      0:00 nmbd -D
 1951 ?        S      0:04 smbd -D
 2043 ?        S      0:00 atalkd
 2056 ?        S      0:00 papd
 2069 ?        S      0:00 afpd -c 50 -n sp
 2147 ?        S      0:00 /usr/bin/squid
 2149 ?        S      0:00 (squid)
 2150 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2151 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2152 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2153 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2154 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
 2155 ?        S      0:00 (unlinkd)
 2156 ?        S      0:00 (pinger)
 2203 ?        S      0:01 smbd -D
 2247 ?        S      0:00 afpd -c 50 -n sp
 2316 ?        S      0:00 smtp -t unix -u
 2318 pts/0    R      0:00 ps ax

--- Nelson Santos <nsantos () gmail com> wrote:

Hi Paulo,

Did you try to connect to the port using Telnet (telnet localhost 80)? How about using nmap (nmap -sV -p 80 localhost)? This will try to connect to the service and check its version.
Nelson

On Wed, 30 Jun 2004 04:24:24 -0700 (PDT), Paulo <listassec () yahoo com> wrote:

Hi,

I ran Nessus on a Redhat/Conectiva 9 and I received the alert: Security Note: Port: www-http (80/tcp). I'm not running an http server (apache), and netstat -anp doesn't show port 80. I also ran chkrootkit and it detected nothing. I ran clamav and it detected nothing too. Can anyone help me?

Thanks
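The comparison Paulo did by hand above (scanner says port 80 is open, the host's own socket table says nothing is listening, and the port stays "open" with host B unplugged) can be scripted. The following is an added example, not code from this thread: it parses netstat -tupan output (English or Portuguese-localised, as in Paulo's listing), probes the port from outside, and reports whether the answer comes from a local listener or from something in the path. The excerpt of netstat output is constructed from the thread; the function and variable names are my own.

```python
import socket

# Constructed excerpt of the netstat -tupan listing from the thread (not a live capture).
NETSTAT_SAMPLE = """\
tcp        0      0 192.168.100.1:139       0.0.0.0:*              OUÇA         1895/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*              OUÇA         1008/sshd
tcp        0      0 192.168.100.1:3128      0.0.0.0:*              OUÇA         2149/(squid)
tcp        0     48 200.200.201.201:22      200.200.200.201:32806  ESTABELECIDA 1399/sshd
udp        0      0 0.0.0.0:32804           0.0.0.0:*                           2149/(squid)
"""

# netstat prints the state column in the system locale; OUÇA is pt_BR for LISTEN.
LISTEN_STATES = {"LISTEN", "OUÇA"}


def local_listeners(netstat_text):
    """Return {(proto, port): 'pid/program'} for every listening TCP socket
    and every bound UDP socket found in netstat -tupan style output."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue                      # header, blank, or unix-socket lines
        port = int(f[3].rsplit(":", 1)[1])
        if f[0] == "tcp":
            if len(f) < 7 or f[5] not in LISTEN_STATES:
                continue                  # ESTABELECIDA/ESTABLISHED etc. are not listeners
            listeners[("tcp", port)] = f[6]
        else:
            listeners[("udp", port)] = f[-1]   # UDP rows have no state column
    return listeners


def probe_http(host, port=80, timeout=3.0):
    """Connect from outside, send a minimal request (as Paulo did with telnet)
    and return (connected, first response line or None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = s.recv(512)
    except OSError:
        return False, None
    first = data.split(b"\r\n", 1)[0].decode("latin-1") if data else None
    return True, first


def classify(remote_open, listeners, port=80):
    """Reconcile the scanner's verdict with the host's own socket table."""
    if not remote_open:
        return "closed"
    if ("tcp", port) in listeners:
        return "listening locally: " + listeners[("tcp", port)]
    return ("open from outside but no local listener: a device in the path "
            "(router/NAT box or a transparent redirect) is answering, not the host")
```

Run local_listeners on the real netstat -tupan output of the host under investigation and probe_http from the scanning host; if the two disagree the way they did for host B, repeat the probe against the router's own address, which is what finally exposed R2 in this thread.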