Odd situation: Port 80 open

An odd situation is happening with a relative. This relative has Windows Vista SP2, fully patched. The firewall is Windows own, with all inbound traffic blocked, unless permitted.

Yesterday, I upgraded Microsoft Security Essentials to the newest version, and as always, among other stuff, I ran ShieldsUP to verify Windows Firewall.

It reported port 80 as being open. I checked the firewall settings, and there's nothing that could be causing this. I even restored the default settings and applied new ones; same thing happens.

Just as a test, I connected this Internet service (USB 3G device) to my own system, and to my surprise it also reported port 80 as being open.

Obviously, with my own connection everything is OK.

This leaves me to believe something is wrong with the ISP? I asked at a local forum if someone else, using this same service, could report the same, but one user, so far, says all is OK.

I don't know if the ISP provides this sort of protection on a per-user basis, for this 3G service? It beats me.

I do know that it's common practice for ISPs to block inbound access to port 80, specially to prevent users from running their own web servers.

I don't know for how long this situation has been happening to my relative.

But, this all situation is leaving me confused. Why is it reporting port 80 is open on both systems, when in my system, with my own connection all is fine?

Makes any sense to you?

Also, ISP aside, shouldn't Windows Firewall be stealthing this port? I must say that in my system, my firewall rules (Windows Firewall as well) are way more restricted.
By the way, I also checked with PCFlank, same deal.

It would be nice to have some feedback, because... well, this is leaving me confused... lol

 

Is your device allowing remote controls via http? That or telnet/ssh are what often show up here ahead of the firewall.

 

You'll not believe this... but, I decided to place back the predefined rules... guess what? Everything is stealthed... lol

So, the problem is that I had removed some rules from the firewall? lol This device really works differently from mine. LOL

Now, I just need to find out what the heck is the culprit rule.

Go figure!

Thanks for your feedback

 

Maybe instead of allowing connections to a remote HTTP port, you've accidentally allowed it locally?

 

No.

Regarding outbound rules, I still couldn't make this relative use outbound protection, provided by Windows firewall. It's one step at a time.

(Hopefully, I'll advise to move towards Windows 7 Ultimate.)

But, I did remove unneeded (So I thought!) rules from both predefined inbound and outbound rules. The rules regard network discovery for domain and private networks. Considering that my relative's system is not part of any, I just disabled those rules. Just like I did with mine and one other relative. It just seems that the device in cause needs one or more of these rules to be enabled; I still haven't tried to figure out which, I'm tired for today.

How this would affect inbound traffic for port 80... it beats me.

Crazy... I was trying to find what rule(s) I had to disable... if any... when it was the opposite situation.

This device does make use of a few processes and connections, though.

 

Here we are again...

Moments ago, I noticed the same behavior. But, my relative is using a different 3G connection device, also by Vodafone. If I'm not mistaken, it's a ZTE K3765-Z.

Port 80 is revealed as being opened. Even with a strict rule blocking inbound traffic to port 80.

I can only assume this is something happening on the ISP side... Otherwise, why would GRC/other detect port 80 as being opened?

My relative is not making use of Windows Firewall with Advanced Security, so I messed around and enabled audit events.

I noticed that the device's main process communicates to this IP... Not sure why, but it's certainly not needed, and I've blocked communication from it to any remote port, under protocol TCP. Only communication to protocol UDP is allowed, and it's working fine... so... phoning home? What for

I really need to put my hands on this system, though. My relative's system is not of my liking... I mean, I won't waste my time figuring out what's wrong with it... what may be nesting there. So, if I put my hands on it, and give a little guidance (along side some terror stories... lol), I'm sure things will run fine, hopefully. If something is nesting there, anyway. lol

But, my relative should get in touch with the ISP and ask what the communication to that IP is all about...

I may even suggest my relative to end with the service, because for what I was told, Internet connection speed isn't what my relative is paying for... so, they're not keeping their part of the deal... I'm pretty sure it lost any legal validity.

 

Some ISP provided DSL modems are configured to allow remote administration using port 80. The last one my ISP supplied did. Depending on the particular modem and ISP involved, you might be able to view (but not alter) the settings without the modems password. With a little effort, you can probably search out the default passwords for different ISPs and their modems, then turn it off yourself.

 

I wasn't aware of that... So, if that's the case, then I'll tell my relative to the send an e-mail to the ISP technical support and ask how to do it. I'll search about it... but, I'd like to know what they'll say... also about the phoning home situation (port 443, not 80).

Thanks for your feedback.

 

Regarding ISP supplied modems and open ports, I've had 4 different ones in the last 5 years or so. In addition to the remote HTTP and Telnet ports than can be closed in the configuration, each has also had another port open, above 20,000. The exact port number was different on each modem. There were no configuration options to close it that I could find. It was not mentioned in any of the documentation that I had accesss to. It seems to be set in the firmware.

There used to be an online scanner similar to Shields Up that could scan all the ports in blocks of 2500 ports at a time, but I can't find it any more.

 

Most ISPs do have remote administration enabled on their equipment and most likelly will not want to disable it. They use that access to change configurations, troubleshooting, rebooting the modem, upgrade firmware, etc. Unfortunately for us, their passwords are known. I question their use of port 80 (and 443?), unless they chose these specifically to prevent their users from running a server on the usual ports.

 

Hello there,

Thanks for all your feedback so far!

I investigated things a bit further, and not only is the ISP making such connections to ports 80 and 443, but also to port 137... WTF

Windows Firewall was completely overwhelmed by it. 100% blind to such communications, even with a strict rule blocking communication to the Netbios trio.

I enabled audit events, and also saw a connection to this IP -https://secure.dshield.org/ipinfo.html?ip=66.35.45.158

Suspicious. Also port 137. Even more suspicious... Shouldn't be happening to start with. Not in a direct Internet connection.

OK, time to scan for malware. SUPERAntispyware found one infection. By the way, Internet connection was slow... completely. Updating Malwarebytes would take 30 minutes!! After SUPERAntispyware removed the threat, then things got better, making MBAM update just fine.

But, overall it's plainfully slow. It wasn't like that.

But, nothing would detect anything else.

Time for anti-rootkits. A tool by the same author of GMER, aswMBR found unknown MBR code and GeeksToGo tool MBRCheck provided a message about Windows 2008 MBR.

It's Windows Vista.

I won't be wasting my time on this useless hunt, though. I've less my relative know that I'm willing to nuke the hard disk and reinstall all clean, and advise to get an external hard disk for backups. More than that I won't do, nor can I force anyone to anything.

 

@ m00nbl00d

Ooh worse than you thought & that was concerning ehough ! And been going on since at least December 23rd, 2010

What nasty did you find ? Maybe they should change their PW's etc

 

I don't think that the situation I mentioned in last December is connected to this one now. But, since I also spotted port 80 open, it made sense to mention it here as well. Back then, after restoring Windows Vista firewall to its default settings, then port 80 was being reported as being closed (stealthed, actually).

As I explained, my relative is using a new 3G usb device, from the same ISP (Vodafone).

It's this device that's making all the connections I mentioned, including to the ISP, via ports 80, 443 and 137. I could understand the connections to ports 80 and 443, but not to port 137.

Regarding the infections, I performed scans with Malwarebytes, which as I mentioned, took like 30 minutes to update, but found nothing.

I decided to install SUPERAntispyware 5, updated it (it updated normally, for what I could tell) and then performed a full scan. It reported an infection, which right now I don't recall what it was. But, after removing it and rebooting the system, as required by SAS, a few hours later (after checking other stuff), I looked for new updates for Malwarebytes, and it updated just fine. I had tried to update MBAM quite a few times before, but it would take way too much, and I always gave up. So, I doubt it was a problem with their servers. I actually remember that sometime ago I noticed the same issue, but I just thought it was a problem on their side. Most likely this was already a symptom, and I just didn't connect things.

HMP found nothing. MSE found nothing. Spybot found nothing. The only anti-rookits spotting problems were aswMBR (same author as Gmer) and MBRCheck (by GeeksToGo). By the way, it would take like for ever to update Spybot. I could update it fine in other systems, so one more symptom that something was clearly wrong.

I did find a strange behavior by Prevx SafeOnline. From time to time I noticed that its icon would become red, meaning an infection was found. But, whenever I opened the UI, and performed a scan, it never reported anything. But, it happened a few times... so clearly something was wrong...

One thing I'm sure, if the rootkit is concealing malware to steal credentials, it wasn't able to do it so, because my relative didn't spot anything wrong with the monthly bank reports about account movements. If, in fact, something trying to steal credentials, then Prevx SafeOnline prevented it.

Most likely my relative got the system infected when connected to other networks.

Unfortunately, I never could deploy a real proper security in that system, but I hope these events has opened my relative's eyes, and that sometimes we need to take away a little convenience for the sake of security. I mean, I'm talking about someone who thinks disabling autorun and opening My Computer to open USB devices a total waste of time.

I placed a note on top of my relative's laptop explaining that I found a rootkit, and what a rootkit is and how dangerous it is, and that the only way to be really sure that everything gets clean, is to simply nuke the hard disk. And, that it's better be safe and sorry.

I did warn not to access bank account and other sensitive web sites. I also warned only to perform searches on the net, but to be the less possible connected to the Internet, if it is a must.

I also told my relative (on the note) to open PeerBlock, which I've set to block the communications that Windows firewall fails to block. I couldn't spot more connections than those I mentioned before. So, if my relative decides to use the Internet, then PeerBlock will block those comms. Not the most elegant solution, I'm aware, but it would be far worse not to block nothing, at all.

I'm hoping to get an answer later on. More than this I can't do. There's no law allowing me to take control of the laptop to nuke it.

 

@ m00nbl00d

Thanks for the detailed update If you do get an answer later on, let us know the outcome

 

Unfortunately, I'm unable to do it so, as my relative took the laptop to the computer shop where it was bought... Didn't want to wait until I got out of bed...

The curious thing... I'd have it ready yesterday (it's already a new day here). Humans...

I got a strong feeling that I'll have to put my hands on it, though... I'm feeling a standard format was the chosen option, as it will return tomorrow.

That won't suffice with rootkits. I just might run some antirootkit tool, and tell my relative: See... a rootkit... Still here... See?

 

Thanks for the update, sort of

Yeah that should scare the pants off them

 

OK. Unfortunately, I couldn't scare off my relative... I guess I wasn't looking too serious.

The damn morons from the computer shop gave the laptop only with an administrator account, dangerous services enabled, remote access, etc...

I couldn't make my relative use a standard user account. So, I set UAC to maximum, placed IE9 under EMET, as well as Adobe Reader X. Added SpywareBlaster, Spybot, Prevx SOL and AVG LinkScanner.

I'd like a standard user account, though.

But, aswMBR doesn't detect unknown MBR code anymore.

However!!, I still see NetBIOS traffic happening. This time, I also caught a communication to Microsoft, via port 138.

Is this a normal behavior Not to mention the abusive ISP communications.

GRC still detects port 80 as being opened, but the firewall blocks incoming comms properly, for what I could see.

 

Do they actually need NetBIOS ? I've disabled it And i don't have ANY issues If you'ld like to know how, just ask

MS & other vendors are sneaky Was it for Updates though ?

 

Yes, NetBIOS is needed.

I didn't pay attention whether or not Microsoft's connection was related to Windows Update, but Windows was updating, so it could be related. But, why using NetBIOS for that?

I finally managed to block outgoing traffic related to NetBIOS. At least, believing Audit Events.

I never experienced such, because I have NetBIOS disabled. I wonder if someone noticed these communications to Microsoft before?

Anyway, these events tell me to stay the hell away from Vodafone as well. I don't like the holes they create.

 

Originally Posted by m00nbl00d

Maybe ?

Or anything else

How ?

Be nice to hear

Ooh, do they Such as ?

You might be intereted in taking a look at Patriot_NG - https://www.wilderssecurity.com/showthread.php?p=1871485#post1871485 - Amongst other things it does is this, from the PDF

 

To have Windows firewall block outgoing NetBIOS traffic, I tried a really desparate solution - Removed the network profile, and re-applied it.

As for the holes Vodafone creates... well... outgoing comms to port 80 and 443... For starters, why the heck would need it? In one of the comms I monitored they went to an IP that's reported at DShield. Not to mention comms to NetBIOS! Bloody hell!

Enough holes for me...

Regarding the app you mentioned, I don't think that's something I'd install to relatives... Alerts... I don't personally know much about it either, yet.

But, I think I thought of a nice approach to scare the hell away from my relative!

I'm going to gather some easy to understand info regarding Spyeye, Zeus, etc... (My relative accesses bank account using the Internet, hence my concern since the beginning... ), and will send it to my relative's e-mail! Something to read, for sure will be better than trying to explain at live what to say. Things never come as we expect!!

It's going to be my last attempt. I really don't like thinking my relative is using an administrator account (UAC is on, but still...).

 

Originally Posted by m00nbl00d

Amazing ! Wonder why that should block it ?

Indeed

Don't blame you

 

Possibly related to lmhosts.

If you need netbios enabled on you home LAN, then place rules in your firewall to restrict netbios to your LAN IP range only.


- Stem

 

Hello there!

I'm not part of any network. I have NetBIOS disabled.

But, a relative of mine does connect to third-party networks (I think it's needed to share docs...). So, NetBIOS is needed.

You were right, it was related to lmhosts. It turns out, the device also had NetBIOS enabled! This new models also seem to allow networking, at least judging by all the configuration options that are available. Mine doesn't, so I never really bothered looking into all that stuff.

I've disabled it, because there is no need for it to be enabled. I wonder why it comes enabled by default, though. My guess is that 99% of users buying these type of devices aren't looking for networking, but a mobile Internet connection.

But, this still doesn't explain why Vodafone was connecting out (to the Internet) using NetBIOS.

Anyway, thanks for tip!

 

Out of curiosity, I decided to perform a few scans in my relative's laptop. I was going to update MBAM and SAS, and it would take a hell of a time to download the updates (more than 30 minutes!). Where have I seen this before?

Downloading a small file (~300KB) would take like 5 minutes or so.

To clarify any doubts, we're dealing with a superior Internet connectivity to mine. And, right now, I'm on 128 kbps, until next month.

And, I can say with 100% certaintity that, side by side, I'm on a super speedy Internet connection!

So, I installed Wireshark. Yes, the new version works with the Vodafone device. This device is detected as an Ethernet adapter and not PPP.

I started capturing, and updated MBAM. Painfully slow, and I didn't finish the update, of course.

I noticed outside connections to local port 445... such as this one:

Code:

298	190.737440	213.109.230.253	Relative's_IP TCP	4476 > microsoft-ds [SYN] Seq=0 Win=65535 Len=0 MSS=1420 SACK_PERM=1

I'm still new on this Wireshark thing, but Windows firewall logs have no record of this IP. This means that Windows firewall cannot even see such traffic!

-https://secure.dshield.org/ipinfo.html?ip=213.109.230.253

Not that friendly, uh?

I've seen more connections such as that one, from other IPs as well. All undetected by Windows firewall.

So... time to slap my relative's face to finally wake the hell up, and allow me to do my thing?

Seriously... lol Either some woke up... and something else arrived. Maybe a bit of both.