Port 80 listening without WebServer?

Discussion in 'other firewalls' started by hacinn, Jun 29, 2004.

Thread Status:
Not open for further replies.
  1. hacinn

    hacinn Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    6
    Hi,

    I have a RedHat/Conectiva 8 and I ran nessus and I received the following message:

    Security Note: Port: www-http ( tcp/80)

    But I don't have a web server running. I ran chkrootkit and it didn't find anything. The same with ClamAV, which didn't find anything. The netstat -anp doesn't show port 80 either. But when I run nmap from another computer, port 80 is listening.

    Can anyone help me?

    Thanks
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Can you clarify your network and server setup for us? Is nessus installed on the target server itself or another? Is the 'other computer' that ran the nmap scan on the same segment of a LAN, or is there a router, firewall or other device between the scanning computer and the target? (I'm wondering if such a device between is actually intercepting the TCP port 80 requests, since you say a local netstat on the server isn't showing anything on that port.) Just some clarifications to better understand your specific situation.
     
  3. hacinn

    hacinn Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    6
    Thanks for the help. I run nessus and nmap on a different machine from the target host. The test is over the Internet and there is an adsl-router between me and the target.
    I ran the same test on the adsl-router's IP and the result was equal to the host's result. In both, port 80 is open. I tested other hosts with an adsl-router connection and the result was equal, with the exception that the port is in the filtered state and not open.

    Am I safe?

    Thanks, sorry for my poor English.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    That router may very well have an HTTP based management interface... It may be listening on TCP Port 80 for connections into its configuration screen (webpage). The scans you are doing are likely stopped at that router, and are not even reaching your systems inside your network.

    What you need to do is look at all the documentation for the adsl-router, especially for the management interface (browser based configuration options, or some such) and see if it is listening on TCP port 80 and if it is, and you never use that option, then see if it can be disabled completely. If you don't use it, you don't want people trying to break into your router's control menu from the Internet, that is for sure.
     
  5. hacinn

    hacinn Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    6
    But the router and host have a valid Internet IP. I access the host behind the router.
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    I'm sorry, I don't understand the significance of this statement... I would think and agree that your router would have a valid, ISP assigned public IP address. That is normal.

    The key issue here is to determine if the router is holding TCP port 80 open to the Internet. You say a scan was done from outside your network (out on the Internet somewhere) and that TCP port 80 was seen as open, yet the host server does not have anything listening on that port. So, the place to look is at the router itself. Many routers do indeed use TCP port 80 as a management interface, so you need to check for that to see if that is the case in your situation.


    Clearly language is separating us here and keeping us from understanding each other. Above you said...


    The last part of this tells me that you scanned the public IP address of the router itself, from some place on the Internet, and it showed TCP port 80 open. That's what I based my assumption on, as far as the router holding the port open itself.

    Can you check your router and its documentation and see if the configuration does work by way of TCP port 80? Or in fact, another possibility is that something else is responding to those access attempts - could the port "be forwarded" to another host? Could the ISP be intercepting it?
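
The comparison discussed in this thread, as an added example that is not part of any post: it lists the TCP ports the host itself has in LISTEN state (from `/proc/net/tcp`, IPv4 only) and subtracts them from the ports an outside nmap scan reports as open. The sample data, address 203.0.113.10 and function names are constructed for illustration.

```python
# Constructed sample: /proc/net/tcp as read on the target host (state 0A = LISTEN).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302 1
   2: 0A00000A:0016 0500A8C0:C350 01 00000000:00000000 02:000A0000 00000000     0        0 1410 2
"""

# Constructed sample: nmap grepable (-oG) line from a scan run from the Internet side.
NMAP_GREPABLE = ("Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, "
                 "80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)")


def local_listeners(proc_text):
    """TCP ports in LISTEN state that are reachable from off-host (IPv4 only)."""
    ports = set()
    for line in proc_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":     # 0A = LISTEN; 01 = ESTABLISHED etc.
            continue
        addr_hex, port_hex = fields[1].split(":")
        if addr_hex[-2:] == "7F":                    # little-endian hex (x86): 127.x.x.x
            continue                                 # loopback-only, not reachable remotely
        ports.add(int(port_hex, 16))
    return ports


def externally_open(grepable):
    """TCP ports the outside scan saw as 'open' ('filtered' is not counted)."""
    ports = set()
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        port_field = line.split("Ports:")[1].split("\t")[0]
        for entry in port_field.split(","):
            parts = entry.strip().split("/")         # port/state/proto/owner/service/...
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                ports.add(int(parts[0]))
    return ports


def unexplained_ports(proc_text, grepable):
    """Ports open from outside that no process on the host is listening on."""
    return sorted(externally_open(grepable) - local_listeners(proc_text))


if __name__ == "__main__":
    for port in unexplained_ports(PROC_NET_TCP, NMAP_GREPABLE):
        print(f"tcp/{port}: open from outside, no listener on the host")
```

A port in the result is being answered by something in front of the host, so the router's management interface, its port forwards and any ISP interception are the places to check.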
     