Odd situation: Port 80 open

Discussion in 'other firewalls' started by m00nbl00d, Dec 23, 2010.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    An odd situation is happening with a relative. This relative has Windows Vista SP2, fully patched. The firewall is Windows' own, with all inbound traffic blocked unless permitted.

    Yesterday, I upgraded Microsoft Security Essentials to the newest version, and as always, among other stuff, I ran ShieldsUP to verify Windows Firewall.

    It reported port 80 as being open. I checked the firewall settings, and there's nothing that could be causing this. I even restored the default settings and applied new ones; same thing happens.

    Just as a test, I connected this Internet service (USB 3G device) to my own system, and to my surprise it also reported port 80 as being open.

    Obviously, with my own connection everything is OK.

    This leads me to believe something is wrong with the ISP? I asked at a local forum if someone else, using this same service, could report the same, but one user, so far, says all is OK.

    I don't know if the ISP provides this sort of protection on a per-user basis, for this 3G service? It beats me.

    I do know that it's common practice for ISPs to block inbound access to port 80, especially to prevent users from running their own web servers.

    I don't know for how long this situation has been happening to my relative. :(

    But this whole situation is leaving me confused. Why is it reporting port 80 as open on both systems, when on my system, with my own connection, all is fine?

    Does this make any sense to you?

    Also, ISP aside, shouldn't Windows Firewall be stealthing this port? I must say that in my system, my firewall rules (Windows Firewall as well) are way more restricted.
    By the way, I also checked with PCFlank, same deal.

    It would be nice to have some feedback, because... well, this is leaving me confused... lol
     
  2. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Is your device allowing remote controls via http? That or telnet/ssh are what often show up here ahead of the firewall.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You'll not believe this... but I decided to put back the predefined rules... guess what? Everything is stealthed... lol

    So, the problem is that I had removed some rules from the firewall? lol This device really works differently from mine. LOL

    Now, I just need to find out what the heck is the culprit rule. :D

    Go figure!

    Thanks for your feedback
     
  4. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    267
    Location:
    Philippines
    Maybe instead of allowing connections to a remote HTTP port, you've accidentally allowed it locally?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No.

    Regarding outbound rules, I still couldn't make this relative use outbound protection, provided by Windows firewall. It's one step at a time. ;)

    (Hopefully, I'll advise to move towards Windows 7 Ultimate.)

    But, I did remove unneeded (so I thought!) rules from both the predefined inbound and outbound rules. The rules regard network discovery for domain and private networks. Considering that my relative's system is not part of any, I just disabled those rules. Just like I did with mine and one other relative's. It just seems that the device in question needs one or more of these rules to be enabled; I still haven't tried to figure out which, I'm tired for today.

    How this would affect inbound traffic for port 80... it beats me.

    Crazy... I was trying to find what rule(s) I had to disable... if any... when it was the opposite situation. :D

    This device does make use of a few processes and connections, though.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Here we are again...

    Moments ago, I noticed the same behavior. But, my relative is using a different 3G connection device, also by Vodafone. If I'm not mistaken, it's a ZTE K3765-Z.

    Port 80 is revealed as being open. Even with a strict rule blocking inbound traffic to port 80.

    I can only assume this is something happening on the ISP side... Otherwise, why would GRC/others detect port 80 as being open?

    My relative is not making use of Windows Firewall with Advanced Security, so I messed around and enabled audit events.

    I noticed that the device's main process communicates with this IP... Not sure why, but it's certainly not needed, and I've blocked communication from it to any remote port over TCP. Only communication over UDP is allowed, and it's working fine... so... phoning home? :doubt: What for o_O :ouch:

    I really need to get my hands on this system, though. My relative's system is not to my liking... I mean, I won't waste my time figuring out what's wrong with it... what may be nesting there. So, if I get my hands on it, and give a little guidance (alongside some terror stories... lol), I'm sure things will run fine, hopefully. If something is nesting there, anyway. lol

    But, my relative should get in touch with the ISP and ask what the communication to that IP is all about...

    I may even suggest my relative end the service, because from what I was told, the Internet connection speed isn't what my relative is paying for... so they're not keeping their part of the deal... I'm pretty sure it lost any legal validity.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Some ISP-provided DSL modems are configured to allow remote administration using port 80. The last one my ISP supplied did. Depending on the particular modem and ISP involved, you might be able to view (but not alter) the settings without the modem's password. With a little effort, you can probably search out the default passwords for different ISPs and their modems, then turn it off yourself.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I wasn't aware of that... So, if that's the case, then I'll tell my relative to send an e-mail to the ISP technical support and ask how to do it. I'll search about it... but I'd like to know what they'll say... also about the phoning home situation (port 443, not 80).

    Thanks for your feedback. :)
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding ISP-supplied modems and open ports, I've had 4 different ones in the last 5 years or so. In addition to the remote HTTP and Telnet ports that can be closed in the configuration, each has also had another port open, above 20,000. The exact port number was different on each modem. There were no configuration options to close it that I could find. It was not mentioned in any of the documentation that I had access to. It seems to be set in the firmware.

    There used to be an online scanner similar to Shields Up that could scan all the ports in blocks of 2500 ports at a time, but I can't find it any more.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Most ISPs do have remote administration enabled on their equipment and most likely will not want to disable it. They use that access to change configurations, troubleshoot, reboot the modem, upgrade firmware, etc. Unfortunately for us, their passwords are known. I question their use of port 80 (and 443?), unless they chose these specifically to prevent their users from running a server on the usual ports.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello there,

    Thanks for all your feedback so far! :)

    I investigated things a bit further, and not only is the ISP making such connections to ports 80 and 443, but also to port 137... WTF o_O

    Windows Firewall was completely overwhelmed by it. 100% blind to such communications, even with a strict rule blocking communication to the NetBIOS trio.

    I enabled audit events, and also saw a connection to this IP -https://secure.dshield.org/ipinfo.html?ip=66.35.45.158

    Suspicious. Also port 137. Even more suspicious... Shouldn't be happening to start with. Not in a direct Internet connection.

    OK, time to scan for malware. SUPERAntispyware found one infection. By the way, Internet connection was slow... completely. Updating Malwarebytes would take 30 minutes!! After SUPERAntispyware removed the threat, then things got better, making MBAM update just fine.

    But, overall it's painfully slow. It wasn't like that.

    But, nothing would detect anything else.

    Time for anti-rootkits. aswMBR, a tool by the same author as GMER, found unknown MBR code, and the GeeksToGo tool MBRCheck provided a message about a Windows 2008 MBR.

    It's Windows Vista.

    I won't be wasting my time on this useless hunt, though. I've let my relative know that I'm willing to nuke the hard disk and reinstall everything clean, and advised getting an external hard disk for backups. More than that I won't do, nor can I force anyone to do anything.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ m00nbl00d

    Ooh, worse than you thought, & that was concerning enough! And been going on since at least December 23rd, 2010 :eek:

    What nasty did you find ? Maybe they should change their PW's etc :thumb:
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't think that the situation I mentioned in last December is connected to this one now. But, since I also spotted port 80 open, it made sense to mention it here as well. Back then, after restoring Windows Vista firewall to its default settings, then port 80 was being reported as being closed (stealthed, actually).

    As I explained, my relative is using a new 3G usb device, from the same ISP (Vodafone).

    It's this device that's making all the connections I mentioned, including to the ISP, via ports 80, 443 and 137. I could understand the connections to ports 80 and 443, but not to port 137.

    Regarding the infections, I performed scans with Malwarebytes, which as I mentioned, took like 30 minutes to update, but found nothing.

    I decided to install SUPERAntispyware 5, updated it (it updated normally, for what I could tell) and then performed a full scan. It reported an infection, which right now I don't recall what it was. But, after removing it and rebooting the system, as required by SAS, a few hours later (after checking other stuff), I looked for new updates for Malwarebytes, and it updated just fine. I had tried to update MBAM quite a few times before, but it would take way too much, and I always gave up. So, I doubt it was a problem with their servers. I actually remember that sometime ago I noticed the same issue, but I just thought it was a problem on their side. Most likely this was already a symptom, and I just didn't connect things. :(

    HMP found nothing. MSE found nothing. Spybot found nothing. The only anti-rootkits spotting problems were aswMBR (same author as GMER) and MBRCheck (by GeeksToGo). By the way, it would take forever to update Spybot. I could update it fine on other systems, so one more symptom that something was clearly wrong.

    I did find a strange behavior by Prevx SafeOnline. From time to time I noticed that its icon would become red, meaning an infection was found. But, whenever I opened the UI, and performed a scan, it never reported anything. But, it happened a few times... so clearly something was wrong...

    One thing I'm sure of: if the rootkit is concealing malware to steal credentials, it wasn't able to do so, because my relative didn't spot anything wrong in the monthly bank reports about account movements. If, in fact, something was trying to steal credentials, then Prevx SafeOnline prevented it.

    Most likely my relative got the system infected when connected to other networks.

    Unfortunately, I never could deploy real proper security on that system, but I hope these events have opened my relative's eyes, and that sometimes we need to take away a little convenience for the sake of security. I mean, I'm talking about someone who thinks disabling autorun and opening My Computer to open USB devices is a total waste of time. :ouch:

    I placed a note on top of my relative's laptop explaining that I found a rootkit, what a rootkit is and how dangerous it is, and that the only way to be really sure that everything gets clean is to simply nuke the hard disk. And that it's better to be safe than sorry.

    I did warn not to access the bank account and other sensitive web sites. I also warned only to perform searches on the net, and to be connected to the Internet as little as possible, if it is a must.

    I also told my relative (on the note) to open PeerBlock, which I've set to block the communications that Windows Firewall fails to block. I couldn't spot more connections than those I mentioned before. So, if my relative decides to use the Internet, then PeerBlock will block those comms. Not the most elegant solution, I'm aware, but it would be far worse not to block anything at all.

    I'm hoping to get an answer later on. More than this I can't do. There's no law allowing me to take control of the laptop to nuke it. :(
     
    Last edited: May 9, 2011
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ m00nbl00d

    Thanks for the detailed update :thumb: If you do get an answer later on, let us know the outcome :)
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623

    Unfortunately, I'm unable to do so, as my relative took the laptop to the computer shop where it was bought... Didn't want to wait until I got out of bed... o_O

    The curious thing... I'd have it ready yesterday (it's already a new day here). Humans... :argh:

    I got a strong feeling that I'll have to put my hands on it, though... I'm feeling a standard format was the chosen option, as it will return tomorrow.

    That won't suffice with rootkits. I just might run some antirootkit tool, and tell my relative: See... a rootkit... Still here... See? :isay:
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Thanks for the update, sort of :p

    Yeah that should scare the pants off them :D
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Unfortunately, I couldn't scare off my relative... :mad: I guess I wasn't looking too serious. :ouch:

    The damn morons from the computer shop gave the laptop back with only an administrator account, dangerous services enabled, remote access, etc... :argh:

    I couldn't make my relative use a standard user account. :( So, I set UAC to maximum, placed IE9 under EMET, as well as Adobe Reader X. Added SpywareBlaster, Spybot, Prevx SOL and AVG LinkScanner.

    I'd like a standard user account, though. :(

    But, aswMBR doesn't detect unknown MBR code anymore.

    However!! I still see NetBIOS traffic happening. This time, I also caught a communication to Microsoft, via port 138.

    Is this normal behavior? o_O Not to mention the abusive ISP communications.

    GRC still detects port 80 as being open, but the firewall blocks incoming comms properly, from what I could see.
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Do they actually need NetBIOS? I've disabled it ;) And I don't have ANY issues ;) If you'd like to know how, just ask :)

    MS & other vendors are sneaky :thumbd: Was it for Updates though ?
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, NetBIOS is needed.

    I didn't pay attention to whether or not Microsoft's connection was related to Windows Update, but Windows was updating, so it could be related. But why use NetBIOS for that? o_O

    I finally managed to block outgoing traffic related to NetBIOS. At least, believing Audit Events.

    I never experienced such, because I have NetBIOS disabled. I wonder if someone noticed these communications to Microsoft before? :ninja:

    Anyway, these events tell me to stay the hell away from Vodafone as well. I don't like the holes they create.
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Originally Posted by m00nbl00d

    Maybe ?

    Or anything else :(

    How ?

    ;)

    Be nice to hear :thumb:

    Ooh, do they :eek: Such as ?

    You might be interested in taking a look at Patriot_NG - https://www.wilderssecurity.com/showthread.php?p=1871485#post1871485 - Amongst other things it does is this, from the PDF

     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    To have Windows Firewall block outgoing NetBIOS traffic, I tried a really desperate :rolleyes: solution - removed the network profile, and re-applied it. :D

    As for the holes Vodafone creates... well... outgoing comms to ports 80 and 443... For starters, why the heck would they need it? In one of the comms I monitored they went to an IP that's reported at DShield. Not to mention comms to NetBIOS! Bloody hell!

    Enough holes for me...

    Regarding the app you mentioned, I don't think that's something I'd install to relatives... Alerts... I don't personally know much about it either, yet.

    But, I think I thought of a nice approach to scare the hell away from my relative!

    I'm going to gather some easy to understand info regarding SpyEye, Zeus, etc... (My relative accesses the bank account using the Internet, hence my concern since the beginning... :() and will send it to my relative's e-mail! Something to read will surely be better than trying to explain it live. Things never come as we expect!! :blink:

    It's going to be my last attempt. I really don't like thinking my relative is using an administrator account (UAC is on, but still...). :mad:
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Originally Posted by m00nbl00d

    Amazing ! Wonder why that should block it ?

    Indeed :thumbd:

    Don't blame you :D
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Possibly related to lmhosts.

    If you need netbios enabled on you home LAN, then place rules in your firewall to restrict netbios to your LAN IP range only.


    - Stem
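
Stem's suggestion above, restricting NetBIOS to the LAN range, worked through as an added example. This is editor's code, not anything posted in the thread. It uses netsh advfirewall, the scripting interface Vista and Windows 7 actually expose for Windows Firewall with Advanced Security (the NetSecurity PowerShell cmdlets only arrived with Windows 8). Assumptions: the home LAN is 192.168.1.0/24, the rule names and the Add-Rule helper are my own, and the list of non-private ranges is simply the complement of the RFC 1918 blocks, standing in for the "not on the LAN" condition that netsh cannot express directly. Inbound NetBIOS/SMB is accepted only from the LAN range; outbound NetBIOS/SMB towards any non-private address is blocked. Because explicit block rules take precedence over allow rules in Windows Firewall, the outbound block holds even under the default allow-outbound policy, which matters on a machine like the relative's where outbound filtering is otherwise not used.

```powershell
# Added example, editor's code (not from the thread). Run from an elevated
# PowerShell prompt on Vista/7, where netsh advfirewall is the scripting
# interface to Windows Firewall with Advanced Security.

# Assumption: the home LAN is 192.168.1.0/24. Change to match your network.
$LanRange = '192.168.1.0/24'

# Everything that is NOT an RFC 1918 private address, i.e. the Internet as
# seen from a home PC. netsh has no "not in" operator for remoteip, so the
# complement is spelled out as ranges.
$NotPrivate = '1.0.0.0-9.255.255.255,11.0.0.0-172.15.255.255,' +
              '172.32.0.0-192.167.255.255,192.169.0.0-223.255.255.255'

# NetBIOS name and datagram services (UDP 137/138), NetBIOS session
# service and SMB (TCP 139/445).
$Services = @(
    @{ Name = 'NetBIOS NS-DGM';  Proto = 'UDP'; Ports = '137,138' },
    @{ Name = 'NetBIOS SSN-SMB'; Proto = 'TCP'; Ports = '139,445' }
)

# Hypothetical helper: builds and runs one "netsh advfirewall firewall add
# rule" command, echoing it so the operator sees exactly what was applied.
function Add-Rule {
    param([string]$Name, [string]$Dir, [string]$Action, [string]$Proto,
          [string]$PortArg, [string]$Remote)
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$Name",
                   "dir=$Dir", "action=$Action", "protocol=$Proto", $PortArg,
                   "remoteip=$Remote", 'profile=any')
    Write-Host "netsh $($netshArgs -join ' ')"
    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for rule '$Name'" }
}

foreach ($s in $Services) {
    # Inbound: accept NetBIOS/SMB only from the LAN range.
    Add-Rule "$($s.Name) in from LAN" 'in' 'allow' $s.Proto "localport=$($s.Ports)" $LanRange
    # Outbound: block NetBIOS/SMB towards any non-private address. Explicit
    # block rules beat allow rules, so LAN traffic still flows under the
    # default allow-outbound policy.
    Add-Rule "$($s.Name) out to Internet" 'out' 'block' $s.Proto "remoteport=$($s.Ports)" $NotPrivate
}

# List the rules just created.
netsh advfirewall firewall show rule name=all | Select-String '^Rule Name:\s+NetBIOS'
```

On a 3G USB link the connection lands in the public profile, which is why the rules are created with profile=any rather than private only; if the relative's device also exposes its own NetBIOS (as post 24 below found), disabling that in the device's configuration is still the first step, since host rules cannot reach traffic the device itself originates.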
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello there!

    I'm not part of any network. I have NetBIOS disabled.

    But, a relative of mine does connect to third-party networks (I think it's needed to share docs...). So, NetBIOS is needed.

    You were right, it was related to lmhosts. It turns out the device also had NetBIOS enabled! These new models also seem to allow networking, at least judging by all the configuration options that are available. Mine doesn't, so I never really bothered looking into all that stuff.

    I've disabled it, because there is no need for it to be enabled. I wonder why it comes enabled by default, though. My guess is that 99% of users buying these type of devices aren't looking for networking, but a mobile Internet connection.

    But, this still doesn't explain why Vodafone was connecting out (to the Internet) using NetBIOS. :thumbd:

    Anyway, thanks for the tip!
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Out of curiosity, I decided to perform a few scans in my relative's laptop. I was going to update MBAM and SAS, and it would take a hell of a time to download the updates (more than 30 minutes!). Where have I seen this before? :rolleyes:

    Downloading a small file (~300KB) would take like 5 minutes or so.

    To clarify any doubts, we're dealing with superior Internet connectivity to mine. And, right now, I'm on 128 kbps, until next month. :argh:

    And, I can say with 100% certainty that, side by side, I'm on a super speedy Internet connection!

    So, I installed Wireshark. Yes, the new version works with the Vodafone device. This device is detected as an Ethernet adapter and not PPP.

    I started capturing, and updated MBAM. Painfully slow, and I didn't finish the update, of course. :isay:

    I noticed outside connections to local port 445... such as this one:

    Code:
    298	190.737440	213.109.230.253	Relative's_IP TCP	4476 > microsoft-ds [SYN] Seq=0 Win=65535 Len=0 MSS=1420 SACK_PERM=1
    I'm still new on this Wireshark thing, but Windows firewall logs have no record of this IP. This means that Windows firewall cannot even see such traffic!

    -https://secure.dshield.org/ipinfo.html?ip=213.109.230.253

    Not that friendly, uh?

    I've seen more connections such as that one, from other IPs as well. All undetected by Windows firewall.

    So... time to slap my relative's face to finally wake the hell up, and allow me to do my thing? :isay:

    Seriously... lol Either some woke up... and something else arrived. Maybe a bit of both. :D
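
Posts 6 and 11 lean on Windows Filtering Platform audit events, and the last post finds inbound SYNs to port 445 in Wireshark that Windows Firewall's log has no record of. Added example, editor's code and not anything from the thread: the first part switches on both data sources, which are off by default on Vista/7 (the pfirewall.log text log records nothing until dropped and allowed connections are enabled, and WFP connection auditing produces Security events 5156 for allowed and 5157 for blocked connections only once the "Filtering Platform Connection" subcategory is enabled); the second part parses pfirewall.log's W3C format and summarises inbound hits on the ports this thread worried about, by remote address. The log lines are constructed for the example (the 213.109.230.253 source is the one quoted in the post above; the other addresses are documentation ranges) and the $WatchPorts list is my choice. A practitioner's caveat this gives you: if ShieldsUP reports port 80 open but the host log shows no inbound hit on 80 at all during the scan, the thing answering on 80 is upstream of the PC, on the 3G device or the ISP's equipment, which is exactly what noone_particular describes.

```powershell
# Added example, editor's code (not from the thread). Run from an elevated
# PowerShell prompt on Vista/7; netsh advfirewall and auditpol are built in.

# 1. Turn on the two data sources used in the discussion: the firewall's
#    text log (dropped AND allowed connections) and Windows Filtering
#    Platform connection auditing (Security events 5156 = allowed,
#    5157 = blocked).
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 16384
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# 2. Parse pfirewall.log (W3C extended format, 17 space-separated fields)
#    and summarise inbound traffic on the ports the thread worried about.
#    The lines below are constructed for this example. On a real machine use
#      $Lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-05-09 22:13:11 DROP TCP 213.109.230.253 10.20.30.40 4476 445 48 S 1234567 0 65535 - - - RECEIVE
2011-05-09 22:13:14 DROP TCP 213.109.230.253 10.20.30.40 4477 445 48 S 1234568 0 65535 - - - RECEIVE
2011-05-09 22:14:02 DROP UDP 198.51.100.7 10.20.30.40 137 137 78 - - - - - - - RECEIVE
2011-05-09 22:14:30 ALLOW TCP 10.20.30.40 203.0.113.10 49321 443 0 - 0 0 0 - - - SEND
2011-05-09 22:15:01 ALLOW TCP 198.51.100.9 10.20.30.40 51000 80 48 S 99 0 8192 - - - RECEIVE
'@
$Lines = $SampleLog -split "`r?`n"

# Ports discussed in the thread: HTTP plus the NetBIOS/SMB set (my choice).
$WatchPorts = 80, 137, 138, 139, 445

$records = $Lines |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object {
        $f = $_ -split ' '
        # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0 (Vista).
        New-Object PSObject -Property @{
            Time     = "$($f[0]) $($f[1])"
            Action   = $f[2]
            Protocol = $f[3]
            SrcIP    = $f[4]
            DstIP    = $f[5]
            SrcPort  = [int]$f[6]
            DstPort  = [int]$f[7]
            Path     = $f[16]      # SEND (outbound) or RECEIVE (inbound)
        }
    }

# Inbound = RECEIVE. An ALLOW on a watched port is a listener the firewall
# let through; DROPs show who is knocking. The 445 probes from the post
# above would land here once logging of drops is on.
$inbound = $records | Where-Object { $_.Path -eq 'RECEIVE' -and ($WatchPorts -contains $_.DstPort) }

$inbound | Group-Object SrcIP, DstPort, Action |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Source'; e = { $_.Group[0].SrcIP } },
        @{ n = 'Port';   e = { $_.Group[0].DstPort } },
        @{ n = 'Proto';  e = { $_.Group[0].Protocol } },
        @{ n = 'Action'; e = { $_.Group[0].Action } } |
    Format-Table -AutoSize
```

Read the table alongside a Wireshark capture taken at the same time: a source that appears in the capture but never in this log, with drop logging confirmed on, is traffic the host firewall never saw, which on a USB 3G adapter exposed as an Ethernet interface points at the device itself rather than at a Windows Firewall rule problem.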
     