Port 80 listening without WebServer?

Can you clarify your network and server setup for us? Is nessus installed on the target server itself or another? Is the 'other computer' that ran the nmap scan on the same segment of a LAN, or is there a router, firewall or other device between the scanning computer and the target? (I'm wondering if such a device between is actually intercepting the TCP port 80 requests, since you say a local netstat on the server isn't showing anything on that port.) Just some clarifications to better understand your specific situation.

 

That router may very well have an HTTP based management interface... It may be listening on TCP Port 80 for connections into it's configuration screen (webpage). The scans you are doing are likely stopped at that router, and are not even reaching your systems inside your network.

What you need to do is look at all the documentation for the adsl-router, especially for the management interface (browser based configuration options, or some such) and see if it is listening on TCP port 80 and if it is, and you never use that option, then see if it can be disabled completely. If you don't use it, you don't want people trying to break into your router's control menu from the Internet, that is for sure.

 

I'm sorry, I don't understand the significance of this statement... I would think and agree that your router would have a valid, ISP assigned public IP address. That is normal.

The key issue here is to determine if the router is holding TCP port 80 open to the Internet. You say a scan was done from outside your network (out on the Internet some where) and that TCP port 80 was seen as open, yet the host server does not have anything listening on that port. So, the place to look is at the router itself. Many routers do indeed use TCP port 80 as a management interface, so you need to check for that to see if that is the case in your situation.

Clearly language is separating us here and keeping us from understanding each other. Above you said...

The last part of this tells me that you scanned the public IP address of the router itself, from some place on the Internet, and it showed TCP port 80 open. That's what I based my assumption on, as far as the router holding the port open itself.

Can you check your router and its documentation and see if the configuration does work by way of TCP port 80? Or in fact, another possibility is that something else is responding to those access attempts - could the port "be forwarded" to another host? Could the ISP be intercepting it?