Port 80 OPEN!!!!!

Discussion in 'Computer Security' started by Richard H, Aug 14, 2003.

  1. Richard H

    Richard H Guest

    Hi all security experts!
    I have a Win98SE machine running Kerio Personal Firewall 2.1.5 and blackICE
    IDS. I am behind a Belkin Gateway Router with NAT and firewall enabled.
    When I run a Shields UP 'common ports scan', port 80 is found to be open!
    A few months ago, when I last checked, all ports were stealthed.
    A virus/trojan scan with AVP 3.5, Sophos AV 3.72, Inoculate IT 4.5, eSafe
    AV, F-Prot for DOS, TDS-3, The Cleaner and Trend Housecall all show
    negative results.
    Inspection of all running processes, msconfig startup, and autoexec.bat
    contents show nothing suspicious.
    I have uninstalled personal web server.
    The Kerio Firewall Status and 'netstat -an' show no suspicious connections.
    (see below)

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING
    TCP 169.254.246.190:137 0.0.0.0:0 LISTENING
    TCP 169.254.246.190:138 0.0.0.0:0 LISTENING
    TCP 169.254.246.190:139 0.0.0.0:0 LISTENING
    TCP 192.168.2.2:137 0.0.0.0:0 LISTENING
    TCP 192.168.2.2:138 0.0.0.0:0 LISTENING
    TCP 192.168.2.2:139 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:44334 *:*
    UDP 169.254.246.190:137 *:*
    UDP 169.254.246.190:138 *:*
    UDP 192.168.2.2:137 *:*
    UDP 192.168.2.2:138 *:*

    Remote administration and DMZ is disabled on my router.

    A spyware check with AdAware and SpyBot S&D (all updated) shows no spyware
    infestation.

    What could be causing port 80 to be open, and how could I stealth it?

    Thanks in advance.

    Richard
    Richard H, Aug 14, 2003
    #1

  2. Richard H

    Lord Shaolin Guest

    Richard H <> randomly produced:

    :: Hi all security experts!
    :: I have a Win98SE machine running Kerio Personal Firewall 2.1.5 and
    :: blackICE IDS. I am behind a Belkin Gateway Router with NAT and
    :: firewall enabled. When I run a Shields UP 'common ports scan', port

    It's probably port 80 on your router (remote admin).

    When you run external scans against yourself you are running them against
    your router (your public IP address), not against your actual PC.

    I can confirm your port 80 is showing as open but I'm unable to connect to
    it.

    Cheers

    ST

    --


    ..: http://www.security-forums.com :.

    Share your knowledge
    It's a way to achieve
    Immortality.
    Lord Shaolin, Aug 14, 2003
    #2
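Added example, not part of any poster's message: a small Python check of the point made in the reply above, that the PC itself has nothing listening on port 80. It parses `netstat -an` text (an abridged copy of the output quoted in the thread serves as sample input) and lists the sockets another machine could reach on a given port; the function names are this example's own.

```python
import ipaddress

# Abridged copy of the 'netstat -an' output quoted in the thread (sample input).
NETSTAT = """\
Proto Local Address Foreign Address State
TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING
TCP 169.254.246.190:139 0.0.0.0:0 LISTENING
TCP 192.168.2.2:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:44334 *:*
UDP 192.168.2.2:137 *:*
"""

def parse_listeners(text):
    """Return (proto, ip, port) for each TCP LISTENING or bound UDP socket."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or other text
        if f[0] == "TCP" and f[-1] != "LISTENING":
            continue  # established/closing connections are not listeners
        host, _, port = f[1].rpartition(":")
        found.append((f[0], ipaddress.ip_address(host.strip("[]")), int(port)))
    return found

def scope(ip):
    """Classify where a bound address can be reached from."""
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback-only"
    if ip.is_link_local:
        return "link-local"
    return "lan" if ip.is_private else "public"

def local_candidates(text, port, proto="TCP"):
    """Sockets on this PC that another machine could reach on `port`.
    An empty list means the PC has nothing to answer with, so an 'open'
    result from an outside scan came from the device holding the public IP."""
    return [(str(ip), scope(ip)) for p, ip, n in parse_listeners(text)
            if p == proto and n == port and scope(ip) != "loopback-only"]

if __name__ == "__main__":
    for port in (80, 8080, 139):
        print(port, local_candidates(NETSTAT, port) or "no reachable listener")
```

A non-empty result only means the PC could be the responder; behind NAT it is reachable from outside only if the router forwards that port to it.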

  3. Richard H

    Jim Watt Guest

    On Thu, 14 Aug 2003 17:47:43 +0100, Richard H <> wrote:

    >Hi all security experts!
    >I have a Win98SE machine running Kerio Personal Firewall 2.1.5 and blackICE
    >IDS. I am behind a Belkin Gateway Router with NAT and firewall enabled.
    >When I run a Shields UP 'common ports scan', port 80 is found to be open!
    >A few months ago, when I last checked, all ports were stealthed.
    >A virus/trojan scan with AVP 3.5, Sophos AV 3.72, Inoculate IT 4.5, eSafe
    >AV, F-Prot for DOS, TDS-3, The Cleaner and Trend Housecall all show
    >negative results.
    >Inspection of all running processes, msconfig startup, and autoexec.bat
    >contents show nothing suspicious.
    >I have uninstalled personal web server.
    >The Kerio Firewall Status and 'netstat -an' show no suspicious connections.
    >(see below)
    >
    >Active Connections
    >
    > Proto Local Address Foreign Address State
    > TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    > TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    > TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING
    > TCP 169.254.246.190:137 0.0.0.0:0 LISTENING
    > TCP 169.254.246.190:138 0.0.0.0:0 LISTENING
    > TCP 169.254.246.190:139 0.0.0.0:0 LISTENING
    > TCP 192.168.2.2:137 0.0.0.0:0 LISTENING
    > TCP 192.168.2.2:138 0.0.0.0:0 LISTENING
    > TCP 192.168.2.2:139 0.0.0.0:0 LISTENING
    > UDP 0.0.0.0:44334 *:*
    > UDP 169.254.246.190:137 *:*
    > UDP 169.254.246.190:138 *:*
    > UDP 192.168.2.2:137 *:*
    > UDP 192.168.2.2:138 *:*
    >
    >Remote administration and DMZ is disabled on my router.
    >
    >A spyware check with AdAware and SpyBot S&D (all updated) shows no spyware
    >infestation.
    >
    >What could be causing port 80 to be open, and how could I stealth it?
    >
    >Thanks in advance.
    >
    >Richard


    Most home routers have web administration which means they use
    port 80 which is the default web server port.

    On some you can specify that port 80 is only open to your local
    network. This is generally a good idea and prevents anyone from
    the internet administering your router.

    It may be that that is the way yours is already configured if an
    external scan does not show the port as being open.

    Connect to it and see what it says. Then read your router manual
    carefully.
    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Aug 14, 2003
    #3
  4. Richard H

    Richard H Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1


    "Jim Watt" <> wrote in message
    news:...
    > On Thu, 14 Aug 2003 17:47:43 +0100, Richard H <> wrote:
    >
    > >Hi all security experts!
    > >I have a Win98SE machine running Kerio Personal Firewall 2.1.5 and blackICE
    > >IDS. I am behind a Belkin Gateway Router with NAT and firewall enabled.
    > >When I run a Shields UP 'common ports scan', port 80 is found to be open!
    > >A few months ago, when I last checked, all ports were stealthed.
    > >A virus/trojan scan with AVP 3.5, Sophos AV 3.72, Inoculate IT 4.5, eSafe
    > >AV, F-Prot for DOS, TDS-3, The Cleaner and Trend Housecall all show
    > >negative results.
    > >Inspection of all running processes, msconfig startup, and autoexec.bat
    > >contents show nothing suspicious.
    > >I have uninstalled personal web server.
    > >The Kerio Firewall Status and 'netstat -an' show no suspicious connections.
    > >(see below)
    > >
    > >Active Connections
    > >
    > > Proto Local Address Foreign Address State
    > > TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    > > TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
    > > TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING
    > > TCP 169.254.246.190:137 0.0.0.0:0 LISTENING
    > > TCP 169.254.246.190:138 0.0.0.0:0 LISTENING
    > > TCP 169.254.246.190:139 0.0.0.0:0 LISTENING
    > > TCP 192.168.2.2:137 0.0.0.0:0 LISTENING
    > > TCP 192.168.2.2:138 0.0.0.0:0 LISTENING
    > > TCP 192.168.2.2:139 0.0.0.0:0 LISTENING
    > > UDP 0.0.0.0:44334 *:*
    > > UDP 169.254.246.190:137 *:*
    > > UDP 169.254.246.190:138 *:*
    > > UDP 192.168.2.2:137 *:*
    > > UDP 192.168.2.2:138 *:*
    > >
    > >Remote administration and DMZ is disabled on my router.
    > >
    > >A spyware check with AdAware and SpyBot S&D (all updated) shows no spyware
    > >infestation.
    > >
    > >What could be causing port 80 to be open, and how could I stealth it?
    > >
    > >Thanks in advance.
    > >
    > >Richard

    >
    > most home routers have web administration which means they use
    > port 80 which is the default web server port.
    >
    > On some you can specify that port 80 is only open to your local
    > network. This is generally a good idea and prevents anyone from
    > the internet administering your router.
    >
    > It may be that that is the way yours is already configured if an
    > external scan does not show the port as being open.
    >
    > Connect to it and see what it says. Then read your router manual
    > carefully.
    > --
    > Jim Watt http://www.gibnet.com


    What worries me is that last time when I ran Shields UP (a few months ago)
    all ports were stealthed.

    Remote/web administration is disabled on my router, and Shields UP still
    reports port 80 as open.
    Could someone have hacked into my router and changed the settings so it
    looks to me that remote admin is disabled, but really it is enabled?
    The router settings are protected by a non-default password, and I have
    never enabled remote administration before.
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPzzD0iYncAS5ivfOEQK6VgCfR3D8Hw0q7ZZbLLRj87MN3Y8vp+IAnRP6
    RQodoAGJDzEh2hmWR+4yMA6+
    =XFUi
    -----END PGP SIGNATURE-----
    Richard H, Aug 15, 2003
    #4