Security Basics mailing list archives

Re: Port 80 open without WebServer


From: David Roman Esteban <droman () plcendesa com>
Date: Fri, 02 Jul 2004 07:52:51 +0200

What you see is the web server from the SpeedStream; it is the configuration web server. You have it "closed" (not allowed to configure from outside the network), but the port remains open. I don't know if newer versions of the firmware solved this problem, but it is a known problem.

Best regards
David Roman Esteban

Paulo wrote:

Thanks for the help.

Host A:
- The computer where I'm running the tests with nessus
and nmap.
- IP 200.200.200.201

Router R1:
- ADSL router - connects host A to the internet.
- IP 200.200.200.202

Host B:
- The server under investigation; it receives the tests
with nessus and nmap.
- Linux RedHat/Conectiva 8
- IP 200.200.201.201
- Services running: Samba, Squid, Atalk, Postfix,
Iptables, Snort, SSH. I don't have APACHE installed.
- iptables is set to drop all connections, with the
exception of SSH coming from host A.
- In iptables there is no redirect to port 80.

Router R2:
- ADSL router - connects host B to the internet.
- SpeedStream model 5660
- IP 200.200.201.202

The Problem:
I ran nessus from host A against host B, and I
received a Security Alert saying that port 80/tcp was
open and that an unknown service was running.

I started the investigation and ran the following
commands on host B:
netstat -tupan (doesn't show port 80)
lsof -i (doesn't show port 80)
fuser -n tcp 80 (shows nothing)
tcpdump dst port 80 (there is no traffic on this port)
chkrootkit (detects nothing)
clamav (doesn't find any virus)
I replaced netstat with another known-good copy and ran
netstat -tupan again; the result was the same.

- I disabled port 80/tcp and 80/udp in /etc/services
and restarted host B.

I tried a telnet to port 80 and this happened:

Trying 200.200.201.201 ....
Connected to 200.200.201.201.
Escape character is '^]'.

I did: GET / HTTP / 1.1
Then, after a short time, I received the message:

Connection closed by foreign host.

On host A, I ran nmap against host B using the
following command:
nmap -vv -P0 -p 80-80 -sT 200.200.201.201

I received that port 80/tcp was open, with the http
service.

Then I did the following test: I unplugged host B from
the router. On host A, I ran the same nmap command
against host B's IP and the result was that port 80 was
open. But how, if the host was unplugged from the
internet?

Then, still with host B off the internet, I ran the
nmap command against router R2's IP and the result was
that port 80 was open there too.

I don't understand what's happening; can anyone
help me?

Following are the results of the netstat -tupan and
ps ax commands.

Result of netstat -tupan:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.100.1:548       0.0.0.0:*               LISTEN      2069/afpd
tcp        0      0 192.168.100.1:139       0.0.0.0:*               LISTEN      1895/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1008/sshd
tcp        0      0 192.168.100.1:3128      0.0.0.0:*               LISTEN      2149/(squid)
tcp        0      0 192.168.100.1:25        0.0.0.0:*               LISTEN      1675/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1675/master
tcp        0      0 127.0.0.1:32898         127.0.0.1:32897         ESTABLISHED 2149/(squid)
tcp        0      0 127.0.0.1:32897         127.0.0.1:32898         ESTABLISHED 2150/(ncsa_auth)
tcp        0      0 127.0.0.1:32900         127.0.0.1:32899         ESTABLISHED 2149/(squid)
tcp        0      0 192.168.100.1:548       192.168.100.3:49155     ESTABLISHED 2247/afpd
tcp        0      0 127.0.0.1:32899         127.0.0.1:32900         ESTABLISHED 2151/(ncsa_auth)
tcp        0     48 200.200.201.201:22      200.200.200.201:32806   ESTABLISHED 1399/sshd
tcp        0      0 192.168.100.1:139       192.168.100.6:1027      ESTABLISHED 2203/smbd
tcp        0      0 127.0.0.1:32902         127.0.0.1:32901         ESTABLISHED 2149/(squid)
tcp        0      0 192.168.100.1:548       192.168.100.5:49155     ESTABLISHED 2330/afpd
tcp        0      0 127.0.0.1:32901         127.0.0.1:32902         ESTABLISHED 2152/(ncsa_auth)
tcp        0      0 127.0.0.1:32904         127.0.0.1:32903         ESTABLISHED 2149/(squid)
tcp        0      0 127.0.0.1:32903         127.0.0.1:32904         ESTABLISHED 2153/(ncsa_auth)
tcp        0      0 127.0.0.1:32906         127.0.0.1:32905         ESTABLISHED 2149/(squid)
tcp        0      0 127.0.0.1:32905         127.0.0.1:32906         ESTABLISHED 2154/(ncsa_auth)
tcp        0      0 192.168.100.1:139       192.168.100.7:1233      ESTABLISHED 1951/smbd
udp        0      0 192.168.100.1:137       0.0.0.0:*                           1908/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1908/nmbd
udp        0      0 192.168.100.1:138       0.0.0.0:*                           1908/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1908/nmbd
udp        0      0 127.0.0.1:32786         0.0.0.0:*                           1951/smbd
udp        0      0 127.0.0.1:32791         127.0.0.1:32792         ESTABLISHED 2156/(pinger)
udp        0      0 127.0.0.1:32792         127.0.0.1:32791         ESTABLISHED 2149/(squid)
udp        0      0 127.0.0.1:32793         0.0.0.0:*                           2203/smbd
udp        0      0 0.0.0.0:32804           0.0.0.0:*                           2149/(squid)

Result of the ps ax:

   4 ?        SW     0:00 [kswapd]
   5 ?        SW     0:00 [bdflush]
   6 ?        SW     0:00 [kupdated]
   7 ?        SW<    0:00 [mdrecoveryd]
  11 ?        SW     0:02 [kjournald]
 129 ?        SW     0:00 [khubd]
 256 ?        SW     0:00 [kjournald]
 257 ?        SW     0:00 [kjournald]
 701 ?        SW     0:00 [eth0]
 782 ?        SW     0:00 [eth1]
 868 ?        S      0:00 syslogd -m 0
 880 ?        S      0:00 klogd
 968 ?        S      0:00 /usr/sbin/atd
 988 ?        S      0:00 crond
1008 ?        S      0:00 /usr/sbin/sshd
1133 ttyS0    S      0:00 gpm -t ms
1314 ?        R      0:08 /usr/bin/snort -d -D -i eth0 -p -l /var/log/snort -u
1319 tty1     S      0:00 /sbin/mingetty tty1
1320 tty2     S      0:00 /sbin/mingetty tty2
1321 tty3     S      0:00 /sbin/mingetty tty3
1322 tty4     S      0:00 /sbin/mingetty tty4
1323 tty5     S      0:00 /sbin/mingetty tty5
1324 tty6     S      0:00 /sbin/mingetty tty6
1399 ?        S      0:00 /usr/sbin/sshd
1401 ?        S      0:01 /usr/sbin/sshd
1402 pts/0    S      0:00 -bash
1415 pts/0    S      0:00 su
1416 pts/0    S      0:00 bash
1675 ?        S      0:00 /usr/lib/postfix/master
1682 ?        S      0:00 pickup -l -t fifo -u
1683 ?        S      0:00 qmgr -l -t fifo -u
1895 ?        S      0:00 smbd -D
1908 ?        S      0:00 nmbd -D
1909 ?        S      0:00 nmbd -D
1951 ?        S      0:04 smbd -D
2043 ?        S      0:00 atalkd
2056 ?        S      0:00 papd
2069 ?        S      0:00 afpd -c 50 -n sp
2147 ?        S      0:00 /usr/bin/squid
2149 ?        S      0:00 (squid)
2150 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
2151 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
2152 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
2153 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
2154 ?        S      0:00 (ncsa_auth) /etc/squid/squid_passwd
2155 ?        S      0:00 (unlinkd)
2156 ?        S      0:00 (pinger)
2203 ?        S      0:01 smbd -D
2247 ?        S      0:00 afpd -c 50 -n sp
2316 ?        S      0:00 smtp -t unix -u
2318 pts/0    R      0:00 ps ax


--- Nelson Santos <nsantos () gmail com> wrote:
Hi Paulo,

Did you try to connect to the port using Telnet
(telnet localhost 80)?
How about using nmap (nmap -sV -p 80 localhost)? This
will try to connect to the service and check its
version.

Nelson

On Wed, 30 Jun 2004 04:24:24 -0700 (PDT), Paulo
<listassec () yahoo com> wrote:
Hi,

I ran Nessus on a Redhat/Conectiva 9 and I
received the alert:

Security Note: Port: www-http (80/tcp).

I'm not running an http server (apache) and netstat
-anp doesn't show port 80. I also ran chkrootkit and
it detected nothing. I ran clamav and it detected
nothing too.

Can anyone help me?

Thanks

__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at:

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



        
                







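The checks Paulo did by hand in this thread (compare what nmap sees from outside with what netstat shows on the host, and rule out an iptables redirect) as one script. This is an added example, not code posted by anyone in the thread. The netstat excerpt is a constructed subset of the output posted above (in its original Portuguese form, including a line where wrapping glued the state to the PID); the nmap and `iptables -t nat -S` lines are constructed for illustration. Paulo stated there is no redirect; the REDIRECT variant is included only to show the one other common cause of a port 80 that is open with no process bound to it (a transparent Squid proxy).

```python
"""Reconcile a remote port scan with the scanned host's own listener table.

Mirrors the manual checks in the thread: what the scanner saw from
outside, what netstat -tupan shows locally, and whether iptables NAT
rewrites the port. A port that is open from outside but has neither a
local listener nor a NAT rule is being answered by something in the
path (here, the SpeedStream's configuration web server).
"""
import re
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]  # (proto, port)

# Localised netstat state words seen in the post, mapped to canonical names.
STATE_WORDS = {"OUÇA": "LISTEN", "LISTEN": "LISTEN",
               "ESTABELECIDA": "ESTABLISHED", "ESTABLISHED": "ESTABLISHED"}

# Constructed excerpt of the netstat -tupan output posted in the thread,
# including one line where line-wrapping glued the state to the PID.
NETSTAT_SAMPLE = """\
Conexões Internet Ativas (servidores e estabelecidas)
Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
tcp        0      0 192.168.100.1:3128       0.0.0.0:*   OUÇA        2149/(squid)
tcp        0      0 0.0.0.0:22               0.0.0.0:*   OUÇA        1008/sshd
tcp 0 0 127.0.0.1:32898 127.0.0.1:32897 ESTABELECIDA2149/(squid)
tcp 0 48 200.200.201.201:22 200.200.200.201:32806 ESTABELECIDA1399/sshd
udp        0      0 192.168.100.1:137        0.0.0.0:*               1908/nmbd
"""

# Constructed nmap normal-output lines for what host A saw on host B.
NMAP_SAMPLE = """\
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
"""

# Constructed 'iptables -t nat -S' output: first as Paulo described (no
# redirect), then a transparent-proxy variant that would also make port 80
# look open with no process bound to it.
NAT_NONE = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
"""
NAT_REDIRECT = NAT_NONE + "-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128\n"


def parse_netstat_listeners(text: str) -> Dict[Endpoint, str]:
    """Return {(proto, port): program} for every bound listening socket.

    TCP listeners carry a LISTEN state; UDP has no state column, so a UDP
    socket whose foreign address is 0.0.0.0:* counts as a listener.
    """
    listeners: Dict[Endpoint, str] = {}
    for raw in text.splitlines():
        # Undo the glued 'ESTABELECIDA2149/(squid)' form before tokenising.
        line = re.sub(r"(OUÇA|LISTEN|ESTABELECIDA|ESTABLISHED)(?=\d)", r"\1 ", raw.strip())
        tok = line.split()
        if len(tok) < 6 or tok[0] not in ("tcp", "udp"):
            continue
        proto, laddr, raddr = tok[0], tok[3], tok[4]
        state = STATE_WORDS.get(tok[5]) if len(tok) >= 7 else None
        port = int(laddr.rpartition(":")[2])
        program = tok[-1].partition("/")[2]
        if state == "LISTEN" or (proto == "udp" and state is None and raddr.endswith(":*")):
            listeners[(proto, port)] = program
    return listeners


def parse_nmap_open(text: str) -> Set[Endpoint]:
    """Ports listed as open in nmap normal output ('80/tcp open  http')."""
    return {(m.group(2), int(m.group(1)))
            for m in re.finditer(r"^(\d+)/(tcp|udp)\s+open\b", text, re.M)}


def parse_nat_targets(rules: str) -> Dict[Endpoint, str]:
    """Map (proto, dport) -> NAT action for REDIRECT/DNAT rules in 'iptables -t nat -S' output."""
    targets: Dict[Endpoint, str] = {}
    for line in rules.splitlines():
        proto = re.search(r"-p\s+(tcp|udp)\b", line)
        dport = re.search(r"--dport\s+(\d+)", line)
        jump = re.search(r"-j\s+((?:REDIRECT|DNAT)\b.*)$", line)
        if proto and dport and jump:
            targets[(proto.group(1), int(dport.group(1)))] = jump.group(1).strip()
    return targets


def classify(remote_open: Set[Endpoint], listeners: Dict[Endpoint, str],
             nat_targets: Dict[Endpoint, str]) -> Dict[Endpoint, str]:
    """Say, for each port the scanner saw open, who is really answering it."""
    verdict: Dict[Endpoint, str] = {}
    for ep in sorted(remote_open):
        if ep in listeners:
            verdict[ep] = f"local listener: {listeners[ep]}"
        elif ep in nat_targets:
            verdict[ep] = f"rewritten by iptables nat: {nat_targets[ep]}"
        else:
            verdict[ep] = ("no local listener and no NAT rule: answered by a "
                           "device in the path; scan the router's own IP to confirm")
    return verdict


def triage(netstat_text: str, nmap_text: str, nat_text: str) -> Dict[Endpoint, str]:
    return classify(parse_nmap_open(nmap_text),
                    parse_netstat_listeners(netstat_text),
                    parse_nat_targets(nat_text))


if __name__ == "__main__":
    for label, nat in (("no NAT rules", NAT_NONE), ("transparent proxy", NAT_REDIRECT)):
        print(f"== {label} ==")
        for (proto, port), why in triage(NETSTAT_SAMPLE, NMAP_SAMPLE, nat).items():
            print(f"{port}/{proto}: {why}")
```

With the NAT table as Paulo described it, 80/tcp lands in the third verdict, which is exactly what his unplug test showed: the port stayed open with host B disconnected, and scanning R2's own address gave the same answer. The REDIRECT variant shows why the iptables nat table has to be checked before blaming the network path: a transparent proxy rule makes 80/tcp open from outside while netstat only ever shows Squid on 3128.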