Anyone know about port 80?

Discussion in 'other security issues & news' started by FukenFooser 007.5, Jun 2, 2004.

Thread Status:
Not open for further replies.
  1. FukenFooser 007.5

    FukenFooser 007.5 Registered Member

    Joined:
    Sep 28, 2003
    Posts:
    118
    Location:
    High Mnt West. Idaho
    Hello, I'm a computer idiot.
    But I do try very hard and want to learn more!

    Anyway, "Blackcode" scanned my sys and reported that
    "port 80 was open and was being used by www-http" o_O o_O o_O?
    (It might have been a . not a -) [can't read own scribbles] :)


    Does anyone have any info on this? o_O

    please reply and have a great day/night just for being here!!!!!!!!!!!!!!!!!


    THANKS

    ff
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I have produced a FAQ, "Online Scans - What to do with Open and Closed Ports", over at the Outpost Firewall forum, which may answer some of your questions about what ports are.

    Port 80 is used for HTTP (HyperText Transport Protocol) which is the language used to deliver web pages. If this is open on your system then this could be because you are running a web server (such as Internet Information Server) on your system. If so then I would advise you to close it - if you need to publish a web page it would be better to arrange this with an Internet Service Provider who would then take care of security, data backup and keeping their system available 24/7.

    I would also suggest that you install a firewall if you have not already. If you have, then check its configuration to find out which application is being allowed to receive incoming connections on port 80 and remove it.

    If you are not running a web server, then the next most likely possibility is that your PC has been compromised and is being used to host someone else's content (which is likely to be a spam-advertised website - but could in the worst case be illegal content). In this case, use an up-to-date virus scanner to do a check on your system and consider downloading a specialised anti-trojan like TDS-3 or TrojanHunter (both available as trial downloads).

    Alternatively, download Hijack This! and post details of its logs in the Browser Hijacks and Spyware Forum (but run either AdAware or Spybot Search and Destroy first to clear the common adware out of your system).
     
  3. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Hmmm... I just used the Shields UP! port scan thingamabob, and, despite my current lack of a firewall (though I have carried out the unbinding instructions on the Shields UP! page), it found all my ports to be stealthed.

    All my ports, that is, except for one: port 80. There seems to be a lot of malware crap that is associated with this port, so I really want to shut it up. Is there any way to do this without resorting to Zone Alarm, which seems to have major beef with Xen, F-Prot DOS, AntiVir, and a bunch of other programs? (No, I'm not kidding about Xen. Running it with the firewall on my system - even if I exit the firewall - makes it unbelievably slow. Same with F-Prot, and it causes crashes with AntiVir.)

    Btw, my computer is connected with several other computers and a cable modem via a local area network, if that helps.
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    As with FukenFooser 007.5, check you do not have a web server running (if you are using Win9x/ME, check that Personal Web Server is not installed for instance). If you are using ZoneAlarm then check which applications you have given "server access" to - these should be the only ones able to open a port on your system.

    Aside from that, online scan sites can give inconsistent results - for some explanations and links to alternative sites to confirm results, check the FAQ I linked to previously.
     
  5. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Get PortExplorer to check the process that's using port 80
     
  6. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Pigman

    You seem to have read the answers to your many posts. :rolleyes:

    You are listening but for some reason you can still not HEAR. :doubt:

    Take Care,
    TheQuest :cool:
     
  7. FukenFooser 007.5

    FukenFooser 007.5 Registered Member

    Joined:
    Sep 28, 2003
    Posts:
    118
    Location:
    High Mnt West. Idaho
    Thanks for the reply Paranoid
    I run AntiVir, AVG6.0, Zone, eScantool kit, CW Shredder, Ad-aware, safexp, hi-jack this and spybot.
    But being an idiot, most results look like rubbish to me.
    Zone is only letting out what I do know and understand. But again a friend emailed that he got an email from me with a virus and I haven't E'd him in weeks.
    eScan shows 7 viruses but they seem to just be reboots in various games, AntiVir and AVG as well as Trend's site show clean. Panda's won't work.
    CWshredder shows clean.
    I'm sure Pieter gets tired of me posting logs he claims are clean in that forum. But hey no offence towards anybody here or there, I as well as others need the help.
    I'll try TDK again and also look into the other links. (I hope some are aimed towards the tech challenged as most are over my head).
    Thanks again!


    Have a GREAT Day/Night!

    ff

    :cool:
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    FukenFooser 007.5,

    Were you running a web server? If so, that explains Blackcode's result - if not then double-check it by using another online scan site (the FAQ I mentioned includes 3 others).

    You could try a scan with the trial version of F-Prot antivirus to be sure as well as either TDS-3 or TrojanHunter. However, it is quite likely given your other results that your system is clean (note that Hijack This will not show a virus infection and CWShredder is for the CoolWebSearch browser hijacker that adds porn links to your IE favourites and start page).

    Your friend's email may not mean anything here - many email-sending worms spoof the sender address so it is likely he received it from someone else who had your email in their address book (he can verify this by checking the email headers if he still has it - these will always show which server it came from, but interpreting these does require some technical experience).
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Good point, I missed Pigman's statement that he was not running a firewall. In this case he should have received "Closed" results for all his ports rather than "Stealthed" - which in turn suggests that he does still have a firewall running somewhere...
     
  10. FukenFooser 007.5

    FukenFooser 007.5 Registered Member

    Joined:
    Sep 28, 2003
    Posts:
    118
    Location:
    High Mnt West. Idaho
    I don't know what a web server is.
    Please try to explain in an easy to follow way.
    All I do know for sure is that the system is acting funny and my CD-RW won't hold a blank disc in and some other issues are happening like "blue screens" playing unreal03 and the sound keeps going like I was still in the game.
    And a lot more than I can type about now.



    THANKS

    ff


    o_O

    :cool:
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A web server delivers web pages. So when you visit a website, your browser sends a request to its web server for a page - the server responds with the page contents. Windows 9x/ME had the option of "Personal Web Server" while Windows 2000/XP included IIS (Internet Information Services).

    To see if you have these installed, go to Start Menu/Settings/Control Panel/Add-Remove Programs and check the Windows Components section (this will vary depending on what version of Windows you have, so now would be a good time to say which one you are using). This will list the components available with a ticked box beside those currently installed - if an entry for Personal Web Server/IIS is ticked then clear it and click OK or Next.

    As for your other problems, you did say that you had run AntiVir and AVG6.0 - did you use them to scan your whole disk? If not then please do so. Blue screens are not unusual if you are running Windows 98/ME but if they happen with a single application, then check the writer's website for an update (and for a game, make sure you are using the latest drivers for your graphics card).
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    When you browse a web site you are connecting to a web server, usually on port 80. A web server is a program designed to serve browsers some kind of content (web pages, files, etc) when you connect to it. Blackcode is telling you that you have some program running on your system that is accepting connections on your port 80. It may be a web server or it may be some malware using port 80 as its default port for incoming connections. You need to identify what applications on your system are holding ports open for incoming connections. Port Explorer (http://www.diamondcs.com.au/portexplorer/) or TCPView (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will both do the job.

    You could also try typing http://127.0.0.1/ in your browser's address bar, hit enter, and see what happens.

    Nick
     
    Last edited: Jun 4, 2004
  13. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Well, I had my personal web server or whatever you call it running. Now it is uninstalled, port 80 is closed, and I am off to look for a firewall that doesn't disagree with my computer...
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Glad to hear the problem had a simple cause in your case Pigman. If you are uninstalling ZoneAlarm you may find the instructions on this page useful.
     
  15. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Thanks. The ZA components in C:\Windows\System hadn't been gotten rid of, and that seems to have been causing a few problems. I wish that the installer mentioned that files would be installed to the System folder...
     
  16. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Grrr! I cannot believe it!

    When I turned off my personal web server, all the online port scanners registered port 80 as closed. Now they all list it as wide open, even though the personal web server is still off! What's going on? Do I have a trojan or something?

    (Btw, every single other port is still stealthed.)

    Edit: If I do have a trojan, the trial version of Trojan Hunter refuses to find it.
     
    Last edited: Jun 5, 2004
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Try using one of the utilities Nick S mentioned to find out which program is opening port 80. If you are using a firewall, this may supply the information also (e.g. Outpost will list it in its Open Ports section).
     
  18. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Okay, will download TCPView. (Couldn't figure out how to see what was there with Port Explorer.) When I try to go to http://127.0.0.1/, FireFox tells me, "The connection was refused when attempting to contact 127.0.0.1."

    Edit: Couldn't figure out how to do it with TCPView either. I'm such a n00b... :rolleyes:
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    With TCPView, you should get information like this screenshot. Check the Local Address column for an entry for port 80 (i.e. your_machine_name:80) and, if present, check the corresponding Process column to find the process name and number.
     
  20. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Ah. Thanks.

    Edit: There are 2 strings of 4 numbers (they look like IP addresses) that end with ":80".

    Wait a minute, now there's only one. The other must have disappeared while I was typing. Anyway the one that's still there is - whoops, also disappeared.

    Nothing else ended with ":80".
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Try running TCPView with Show Unconnected Endpoints enabled under Options. Then go to File, Save As, and save what you are seeing as a text file. Copy and paste the text into a post so we can see what TCPView is showing you. Or you can do a screenshot.

    Nick
     
  22. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    That option is enabled by default.

    Here is my log. Yeah, I know it only shows 2 things:

    TCP [my name]-s-ibm300pl:1188 localhost:1187 TIME_WAIT
    TCP 192.168.2.9:1242 64.91.226.241:80 TIME_WAIT

    I edited this because you don't need to know who I am to figure this out - if you don't already know who I am. (A moderator would know my IP address, IIRC.) ;)
     
  23. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    That is an outbound connection to this site in the process of closing.
    Outbound connections to remote service/port 80 (HTTP) are a part of normal web surfing.

    Regards,

    CrazyM
     
  24. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Could your router/gateway be forwarding inbound requests to port 80 on another pc in your LAN? Your TCPView output shows no process holding port 80 open.

    Nick
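
The reading of Pigman's TCPView log given in posts 23 and 24, as an added example that is not part of the original thread: it sorts each row by whether port 80 is on the local side (a program on this PC is serving) or the remote side (ordinary browsing). Assumptions: the optional leading process column, the `http` service-name alias, the stand-in hostname `examplepc` and the process `websrv.exe:1234` are constructed for illustration.

```python
# Added example: classify TCPView-style rows by their relation to port 80.
SERVICE_NAMES = {"http": 80}  # assumption: name shown when port names are resolved

def port_of(endpoint):
    """Port after the last ':'; None for wildcards such as '*:*'."""
    port = endpoint.rpartition(":")[2].lower()
    if port.isdigit():
        return int(port)
    return SERVICE_NAMES.get(port)

def classify(line, port=80):
    """Return (kind, process) for one row, or None if it is not a socket row."""
    fields = line.split()
    process = None
    # Assumed optional first column "name.exe:PID"; the thread's log omits it.
    if fields and fields[0].upper() not in ("TCP", "UDP"):
        process, fields = fields[0], fields[1:]
    if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
        return None
    local, remote = port_of(fields[1]), port_of(fields[2])
    state = fields[3].upper() if len(fields) > 3 else ""
    if local == port and state == "LISTENING":
        kind = "local-listener"      # a program here accepts connections
    elif local == port:
        kind = "inbound-connection"  # a local server is talking to a client
    elif remote == port:
        kind = "outbound-client"     # ordinary web browsing
    else:
        kind = "unrelated"
    return kind, process

def port80_owners(text, port=80):
    """Rows where this machine itself is the server side of `port`."""
    rows = [classify(row, port) for row in text.splitlines() if row.strip()]
    return [r for r in rows if r and r[0] in ("local-listener", "inbound-connection")]

# Second row is from the thread; the hostname in the first is a constructed stand-in.
THREAD_LOG = """TCP examplepc:1188 localhost:1187 TIME_WAIT
TCP 192.168.2.9:1242 64.91.226.241:80 TIME_WAIT"""
# Constructed row: what a local web server would look like (hypothetical process).
SERVER_LOG = "websrv.exe:1234 TCP examplepc:80 examplepc:0 LISTENING"

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("server", SERVER_LOG)):
        print(name, port80_owners(log) or "no local process on port 80")
```

An empty result for a machine that an online scan still reports as open on port 80 means the scan is being answered somewhere other than this PC, which is the router/gateway question raised in post 24.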
     
  25. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    That is probably it. Thanks.
     