Port 80 OPEN!!!!!

 
 
Richard H
      08-14-2003
Hi all security experts!
I have a Win98SE machine running Kerio Personal Firewall 2.1.5 and blackICE
IDS. I am behind a Belkin Gateway Router with NAT and firewall enabled.
When I run a Shields UP 'common ports scan', port 80 is found to be open!
A few months ago, when I last checked, all ports were stealthed.
A virus/trojan scan with AVP 3.5, Sophos AV 3.72, Inoculate IT 4.5, eSafe
AV, F-Prot for DOS, TDS-3, The Cleaner and Trend Housecall all show
negative results.
Inspection of all running processes, msconfig startup, and autoexec.bat
contents show nothing suspicious.
I have uninstalled personal web server.
The Kerio Firewall Status and 'netstat -an' show no suspicious connections.
(see below)

Active Connections

Proto  Local Address        Foreign Address  State
TCP    0.0.0.0:44334        0.0.0.0:0        LISTENING
TCP    0.0.0.0:44334        0.0.0.0:0        LISTENING
TCP    127.0.0.1:8080       0.0.0.0:0        LISTENING
TCP    169.254.246.190:137  0.0.0.0:0        LISTENING
TCP    169.254.246.190:138  0.0.0.0:0        LISTENING
TCP    169.254.246.190:139  0.0.0.0:0        LISTENING
TCP    192.168.2.2:137      0.0.0.0:0        LISTENING
TCP    192.168.2.2:138      0.0.0.0:0        LISTENING
TCP    192.168.2.2:139      0.0.0.0:0        LISTENING
UDP    0.0.0.0:44334        *:*
UDP    169.254.246.190:137  *:*
UDP    169.254.246.190:138  *:*
UDP    192.168.2.2:137      *:*
UDP    192.168.2.2:138      *:*

Remote administration and DMZ is disabled on my router.

A spyware check with AdAware and SpyBot S&D (all updated) shows no spyware
infestation.

What could be causing port 80 to be open, and how could I stealth it?

Thanks in advance.

Richard
 
Lord Shaolin
      08-14-2003
Richard H <(E-Mail Removed)> randomly produced:

:: Hi all security experts!
:: I have a Win98SE machine running Kerio Personal Firewall 2.1.5 and
:: blackICE IDS. I am behind a Belkin Gateway Router with NAT and
:: firewall enabled. When I run a Shields UP 'common ports scan', port

It's probably port 80 on your router (remote admin).

When you run external scans against yourself you are running them against
your router (Your public IP address)

Not against your actual PC.

I can confirm your port 80 is showing as open but I'm unable to connect to
it.

Cheers

ST

--


..: http://www.security-forums.com :.

Share your knowledge
It's a way to achieve
Immortality.
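
The check implied by the replies in this thread, as an added example that is not part of the original posts: parse the `netstat -an` listener table from the first post and confirm that nothing on the PC itself is bound to port 80, which is consistent with the external scan describing the router's public address. The function names are illustrative.

```python
import ipaddress

# Listener table copied from the `netstat -an` output in the first post.
NETSTAT = """\
Proto Local Address Foreign Address State
TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING
TCP 169.254.246.190:137 0.0.0.0:0 LISTENING
TCP 169.254.246.190:138 0.0.0.0:0 LISTENING
TCP 169.254.246.190:139 0.0.0.0:0 LISTENING
TCP 192.168.2.2:137 0.0.0.0:0 LISTENING
TCP 192.168.2.2:138 0.0.0.0:0 LISTENING
TCP 192.168.2.2:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:44334 *:*
UDP 169.254.246.190:137 *:*
UDP 169.254.246.190:138 *:*
UDP 192.168.2.2:137 *:*
UDP 192.168.2.2:138 *:*
"""

def scope(addr):
    """Classify a bind address by who can reach it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback-only"
    if ip.is_link_local:
        return "link-local"
    return "lan" if ip.is_private else "public"

def listeners(text):
    """Return the set of (proto, bind address, port, scope) for listening sockets."""
    found = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if f[0] == "TCP" and f[-1] != "LISTENING":
            continue  # established/closing connections are not listeners
        addr, _, port = f[1].rpartition(":")
        found.add((f[0], addr, int(port), scope(addr)))
    return found

def host_listens_on(text, port, proto="TCP"):
    """Listeners on this port that a LAN or Internet peer could reach."""
    return sorted(l for l in listeners(text)
                  if l[0] == proto and l[2] == port and l[3] != "loopback-only")
```

`host_listens_on(NETSTAT, 80)` returns an empty list for the posted table, while port 139 shows up on both the link-local and LAN addresses and port 8080 is excluded because it is bound to loopback only.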


 
Jim Watt
      08-14-2003
On Thu, 14 Aug 2003 17:47:43 +0100, Richard H <(E-Mail Removed)> wrote:

>Hi all security experts!
>I have a Win98SE machine running Kerio Personal Firewall 2.1.5 and blackICE
>IDS. I am behind a Belkin Gateway Router with NAT and firewall enabled.
>When I run a Shields UP 'common ports scan', port 80 is found to be open!
>A few months ago, when I last checked, all ports were stealthed.
>A virus/trojan scan with AVP 3.5, Sophos AV 3.72, Inoculate IT 4.5, eSafe
>AV, F-Prot for DOS, TDS-3, The Cleaner and Trend Housecall all show
>negative results.
>Inspection of all running processes, msconfig startup, and autoexec.bat
>contents show nothing suspicious.
>I have uninstalled personal web server.
>The Kerio Firewall Status and 'netstat -an' show no suspicious connections.
>(see below)
>
>Active Connections
>
> Proto  Local Address        Foreign Address  State
> TCP    0.0.0.0:44334        0.0.0.0:0        LISTENING
> TCP    0.0.0.0:44334        0.0.0.0:0        LISTENING
> TCP    127.0.0.1:8080       0.0.0.0:0        LISTENING
> TCP    169.254.246.190:137  0.0.0.0:0        LISTENING
> TCP    169.254.246.190:138  0.0.0.0:0        LISTENING
> TCP    169.254.246.190:139  0.0.0.0:0        LISTENING
> TCP    192.168.2.2:137      0.0.0.0:0        LISTENING
> TCP    192.168.2.2:138      0.0.0.0:0        LISTENING
> TCP    192.168.2.2:139      0.0.0.0:0        LISTENING
> UDP    0.0.0.0:44334        *:*
> UDP    169.254.246.190:137  *:*
> UDP    169.254.246.190:138  *:*
> UDP    192.168.2.2:137      *:*
> UDP    192.168.2.2:138      *:*
>
>Remote administration and DMZ is disabled on my router.
>
>A spyware check with AdAware and SpyBot S&D (all updated) shows no spyware
>infestation.
>
>What could be causing port 80 to be open, and how could I stealth it?
>
>Thanks in advance.
>
>Richard


Most home routers have web administration which means they use
port 80 which is the default web server port.

On some you can specify that port 80 is only open to your local
network. This is generally a good idea and prevents anyone from
the internet administering your router.

It may be that that is the way yours is already configured if an
external scan does not show the port as being open.

Connect to it and see what it says. Then read your router manual
carefully.
--
Jim Watt http://www.gibnet.com
 
 
Richard H
      08-15-2003



"Jim Watt" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Thu, 14 Aug 2003 17:47:43 +0100, Richard H <(E-Mail Removed)> wrote:
>
> >Hi all security experts!
> >I have a Win98SE machine running Kerio Personal Firewall 2.1.5 and blackICE
> >IDS. I am behind a Belkin Gateway Router with NAT and firewall enabled.
> >When I run a Shields UP 'common ports scan', port 80 is found to be open!
> >A few months ago, when I last checked, all ports were stealthed.
> >A virus/trojan scan with AVP 3.5, Sophos AV 3.72, Inoculate IT 4.5, eSafe
> >AV, F-Prot for DOS, TDS-3, The Cleaner and Trend Housecall all show
> >negative results.
> >Inspection of all running processes, msconfig startup, and autoexec.bat
> >contents show nothing suspicious.
> >I have uninstalled personal web server.
> >The Kerio Firewall Status and 'netstat -an' show no suspicious connections.
> >(see below)
> >
> >Active Connections
> >
> > Proto  Local Address        Foreign Address  State
> > TCP    0.0.0.0:44334        0.0.0.0:0        LISTENING
> > TCP    0.0.0.0:44334        0.0.0.0:0        LISTENING
> > TCP    127.0.0.1:8080       0.0.0.0:0        LISTENING
> > TCP    169.254.246.190:137  0.0.0.0:0        LISTENING
> > TCP    169.254.246.190:138  0.0.0.0:0        LISTENING
> > TCP    169.254.246.190:139  0.0.0.0:0        LISTENING
> > TCP    192.168.2.2:137      0.0.0.0:0        LISTENING
> > TCP    192.168.2.2:138      0.0.0.0:0        LISTENING
> > TCP    192.168.2.2:139      0.0.0.0:0        LISTENING
> > UDP    0.0.0.0:44334        *:*
> > UDP    169.254.246.190:137  *:*
> > UDP    169.254.246.190:138  *:*
> > UDP    192.168.2.2:137      *:*
> > UDP    192.168.2.2:138      *:*
> >
> >Remote administration and DMZ is disabled on my router.
> >
> >A spyware check with AdAware and SpyBot S&D (all updated) shows no spyware
> >infestation.
> >
> >What could be causing port 80 to be open, and how could I stealth it?
> >
> >Thanks in advance.
> >
> >Richard

>
> Most home routers have web administration which means they use
> port 80 which is the default web server port.
>
> On some you can specify that port 80 is only open to your local
> network. This is generally a good idea and prevents anyone from
> the internet administering your router.
>
> It may be that that is the way yours is already configured if an
> external scan does not show the port as being open.
>
> Connect to it and see what it says. Then read your router manual
> carefully.
> --
> Jim Watt http://www.gibnet.com


What worries me is that last time when I ran Shields UP (a few months ago)
all ports were stealthed.

Remote/web administration is disabled on my router, and Shields UP still
reports port 80 as open.
Could someone have hacked into my router and changed the settings so it
looks to me that remote admin is disabled, but really it is enabled?
The router settings are protected by a non-default password, and I have
never enabled remote administration before.


 