LinuxQuestions.org
Old 06-16-2006, 04:15 AM   #1
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Rep: Reputation: 20
nmap shows port 80 open on WAN IP scan.


I'm trying to figure out why nmap shows my port 80 open. The only port I've specified to be open/passing traffic on my router is a random ssh port in the 2000 range. Here is a scan of my nix box. And a scan of my WAN IP. Do you think this is normal? I'm assuming the only reason the scan shows port 80 open is because I'm forwarding the port to my laptop/nixbox for the ssh session. Do you think this is normal for port forwarding to have port 80 open? Thanks

Code:
root@nuxbox:/etc# nmap localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-06-16 03:11 EDT
Interesting ports on nuxbox (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
68/tcp   open  dhcpclient
631/tcp  open  ipp
2112/tcp open  kip

Nmap finished: 1 IP address (1 host up) scanned in 0.559 seconds


root@nuxbox:/etc# nmap 67.190.x.x

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-06-16 03:12 EDT
Interesting ports on c-67-190-X-x.hsd1.co.comcast.net (67.190.x.x):
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
 
Old 06-16-2006, 05:52 AM   #2
Sargek
Member
 
Registered: Jan 2003
Location: San Antonio, Texas
Distribution: Debian testing
Posts: 416

Rep: Reputation: 32
I suppose anything could use port 80, but normally it is used by web servers. Do you have Apache running?
 
Old 06-16-2006, 05:58 AM   #3
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Original Poster
Rep: Reputation: 20
Yeah, I certainly don't have Apache running. I'm going to run a little test when I get home. I'll disable my port forwarding on my router and then run another nmap to my WAN IP to see what results I get. I'll let you know. Don't really like the idea of my port 80 being open when I'm not running any sort of web server.
 
Old 06-16-2006, 07:26 AM   #4
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
Quote:
Originally Posted by NuxIT
Don't really like the idea of my port 80 being open when I'm not running any sort of web server.
Which router do you have? Maybe the webserver is running on the router.

Just a guess...

Regards.
 
Old 06-16-2006, 09:33 AM   #5
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by ~=gr3p=~
Which router do you have? Maybe the webserver is running on the router.

Just a guess...

Regards.
I have a Belkin wireless router with the latest firmware. I disabled the port forwarding and ran another nmap and it still shows port 80 open!! I also don't have any sort of remote router management enabled. I was kinda freaked when I plugged my IP into the browser at home and my wireless router came up!! I'm not sure what's going on here but I don't like it!

I can also telnet to my WAN IP via port 80!!! CRAP!! WTF is going on here. I'm going to turn off this laptop and get online using my Windows box and see if my results are the same.
Code:
root@nuxbox:/etc# telnet 67.190.x.x 80
Trying 67.190.x.x...
Connected to 67.190.x.x
Escape character is '^]'.
 
Old 06-16-2006, 10:14 AM   #6
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Original Poster
Rep: Reputation: 20
Well, I just fired up my XP box and I get the same results! I can telnet right onto my WAN IP via port 80!! Crap!

I don't know if it's because somehow my WAN IP translates to my wireless router's assigned gateway LAN address I set up while on my LOCAL LAN? I noticed when I have an active telnet session to my WAN IP I cannot use or connect to my wireless router through a browser. I'm going to try and connect to my WAN IP via port 80 from a remote network to see what my results are. I very well could have an exploited router. While looking at the model # on the back of the router I noticed it shows a different LAN/WAN MAC address than I have listed under my WAN > MAC address on my router? I think it's always been this way. Sure hope I haven't been exploited in some way! My setup has not changed in forever so I'm quite concerned right now. Paranoid user? Yeah, that's me!

Last edited by NuxIT; 06-16-2006 at 10:15 AM.
 
Old 06-16-2006, 08:04 PM   #7
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Original Poster
Rep: Reputation: 20
Well, I'm at work and all my systems at home are off. I tried connecting to my router via port 80 and it doesn't respond. I think something on my home network automatically translates WAN IP address to my router's LAN GATEWAY which is essentially port 80. i.e. The port I use to connect to my router through my browser. I think this week I'll take that extra step and start running encrypted folders to protect my private data. I used to run encrypted magic folders a long time ago. Anyone run disk encryption software? If so, what do you use?
 
Old 06-16-2006, 10:27 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I think that's likely what you are seeing. Most SOHO routers such as Linksys, Netgear, D-Link have a web interface accessible on the LAN side for configuration. If you're doing the scan from the LAN side, then that's likely the reason. To further confirm, try using one of the free port scan utilities offered by GRC or Sygate.
 
Old 06-16-2006, 11:32 PM   #9
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Original Poster
Rep: Reputation: 20
Yeah Captain. That's why I wasn't overly concerned. Because when using Shields Up on GRC it shows all ports stealth to the outside world. So, I think I'm good. I'm always so concerned about Firewalls and A/V on my computers that I never stop to think someone might exploit my router. I've had the router for a while and they've never updated the firmware. One thing that kinda concerned me was that multiple entries in my router's security log showed:

Tue Jun 6 03:39:54 2006 -WAN DHCP Client Connected IP 67.190.x.x

Don't remember seeing those entries before.
 
Old 06-17-2006, 10:10 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Is that the router grabbing its WAN IP from the ISP? Power cycle the router, leaving it off for a few minutes. Then restart the router and compare the WAN IP it grabs with any corresponding log entries for that time.

Most sane routers don't have any DHCP service accessible from the WAN interface, so unless something is configured improperly, then it sounds unlikely. Make sure to verify your router settings to be sure.
 
Old 06-24-2006, 01:21 AM   #11
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Original Poster
Rep: Reputation: 20
Sorry it took me so long to report back. I now realized that all that nmap scan shows is the port used to manage my router on my LOCAL LAN ONLY!! I was worried when I could telnet to my port 80 on my router locally. I was equally (MORE) concerned when I thought my router was accessible over the internet via the WAN IP. This is not the case! Somehow my WAN IP translates to my local router management address. This is the reason it shows open state. I would imagine most anyone who has a home router would have the same results. Stay secure.. This week's wig out... Um, Microshaft's WGA tool!! Gawd, I wish I wasn't a gamer.. I would be soooo off Win XP!!
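
The check this thread converges on is to scan the WAN IP once from inside the LAN and once from a remote network, then compare the two results. The following is an added example, not code from any poster: the function names are illustrative, the LAN-side text is the scan posted in #1, and the outside scan is a constructed sample.

```python
import re

# One row of nmap's port table, e.g. "80/tcp open  http".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def port_states(nmap_text):
    """Return {(port, proto): (state, service)} for each listed port row."""
    states = {}
    for line in nmap_text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            states[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return states

def compare_vantage_points(lan_scan, outside_scan):
    """Classify ports on the WAN IP by where they actually answer from.

    nmap omits ports in the majority state, so a port missing from one
    scan is reported here as "not shown" (closed or filtered).
    """
    inside, outside = port_states(lan_scan), port_states(outside_scan)
    report = {}
    for key in sorted(set(inside) | set(outside)):
        in_state = inside.get(key, ("not shown", "?"))[0]
        out_state = outside.get(key, ("not shown", "?"))[0]
        if out_state == "open":
            verdict = "exposed to internet"
        elif in_state == "open":
            verdict = "LAN side only"   # e.g. the router's own admin page
        else:
            continue                    # not open from either side
        report[key] = (in_state, out_state, verdict)
    return report

# WAN IP scanned from inside the LAN (output posted in #1 of this thread).
LAN_SIDE = """\
Interesting ports on c-67-190-X-x.hsd1.co.comcast.net (67.190.x.x):
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
"""

# Constructed sample: the same address scanned from a remote network.
OUTSIDE = """\
PORT   STATE    SERVICE
80/tcp filtered http
"""

if __name__ == "__main__":
    for (port, proto), row in compare_vantage_points(LAN_SIDE, OUTSIDE).items():
        print(f"{port}/{proto}: inside={row[0]} outside={row[1]} -> {row[2]}")
```

Only the outside scan says anything about internet exposure; a port that is open from the LAN side alone is the router answering its own clients.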
 
  


All times are GMT -5.
