LinuxQuestions.org


NuxIT 06-16-2006 04:15 AM

nmap shows port 80 open on WAN IP scan.
 
I'm trying to figure out why nmap shows my port 80 open. The only port I've specified to be open/passing traffic on my router is a random ssh port in the 2000 range. Here is a scan of my nix box. And a scan of my WAN IP. Do you think this is normal? I'm assuming the only reason the scan shows port 80 open is because I'm forwarding the port to my laptop/nixbox for the ssh session. Do you think this is normal for port forwarding to have port 80 open? Thanks

Code:

root@nuxbox:/etc# nmap localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-06-16 03:11 EDT
Interesting ports on nuxbox (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
68/tcp  open  dhcpclient
631/tcp  open  ipp
2112/tcp open  kip

Nmap finished: 1 IP address (1 host up) scanned in 0.559 seconds


root@nuxbox:/etc# nmap 67.190.x.x

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-06-16 03:12 EDT
Interesting ports on c-67-190-X-x.hsd1.co.comcast.net (67.190.x.x):
(The 1662 ports scanned but not shown below are in state: closed)
PORT  STATE SERVICE
80/tcp open  http


Sargek 06-16-2006 05:52 AM


I suppose anything could use port 80, but normally it is used by web servers. Do you have Apache running?

NuxIT 06-16-2006 05:58 AM

Yeah, I certainly don't have Apache running. I'm going to run a little test when I get home. I'll disable my port forwarding on my router and then run another nmap to my WAN IP to see what results I get. I'll let you know. Don't really like the idea of my port 80 being open when I'm not running any sort of web server.

~=gr3p=~ 06-16-2006 07:26 AM

Quote:

Originally Posted by NuxIT
Don't really like the idea of my port 80 being open when I'm not running any sort of web server.

Which router do you have? Maybe the webserver is running on the router.

just a guess...

Regards.

NuxIT 06-16-2006 09:33 AM

Quote:

Originally Posted by ~=gr3p=~
Which router do you have? Maybe the webserver is running on the router.

just a guess...

Regards.

I have a Belkin wireless router with the latest firmware. I disabled the port forwarding and ran another nmap and it still shows port 80 open!! I also don't have any sort of remote router management enabled. I was kinda freaked when I plugged my IP into the browser at home and my wireless router came up!! I'm not sure what's going on here but I don't like it!

I can also telnet to my WAN IP via port 80!!! CRAP!! WTF is going on here. I'm going to turn off this laptop and get online using my Windows box and see if my results are the same.
Code:

root@nuxbox:/etc# telnet 67.190.x.x 80
Trying 67.190.x.x...
Connected to 67.190.x.x
Escape character is '^]'.


NuxIT 06-16-2006 10:14 AM

Well, I just fired up my XP box and I get the same results! I can telnet right onto my WAN IP via port 80!! Crap!

I don't know if it's because somehow my WAN IP translates to my wireless router's assigned gateway LAN address I set up while on my LOCAL LAN? I noticed when I have an active telnet session to my WAN IP I cannot use or connect to my wireless router through a browser. I'm going to try and connect to my WAN IP via port 80 from a remote network to see what my results are. I very well could have an exploited router. While looking at the model # on the back of the router I noticed it shows a different LAN/WAN MAC address than I have listed under my WAN > MAC address on my router? I think it's always been this way. Sure hope I haven't been exploited in some way! My setup has not changed in forever so I'm quite concerned right now. Paranoid user? Yeah, that's me!

NuxIT 06-16-2006 08:04 PM

Well, I'm at work and all my systems at home are off. I tried connecting to my router via port 80 and it doesn't respond. I think something on my home network automatically translates the WAN IP address to my router's LAN GATEWAY, which is essentially port 80, i.e. the port I use to connect to my router through my browser. I think this week I'll take that extra step and start running encrypted folders to protect my private data. I used to run encrypted magic folders a long time ago. Anyone run disk encryption software? If so, what do you use?

Capt_Caveman 06-16-2006 10:27 PM

I think that's likely what you are seeing. Most SOHO routers such as Linksys, Netgear, D-Link have a web interface accessible on the LAN side for configuration. If you're doing the scan from the LAN side, then that's likely the reason. To further confirm, try using one of the free port scan utilities offered by GRC or Sygate.
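
Added example (not part of any post in this thread): a short Python script that applies the check described above by comparing a scan of the WAN IP taken from inside the LAN with one taken from an outside host, and separating ports that only answer on the LAN side from ports that are actually reachable from the Internet. The function names are hypothetical, the external scan output is constructed, and port 2112 stands in for the forwarded SSH port as an assumption.

```python
import re

# Matches rows of nmap's port table, e.g. "80/tcp open  http".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def open_ports(nmap_output):
    """Return {(port, proto): service} for rows whose state is exactly 'open'."""
    found = {}
    for line in nmap_output.splitlines():
        m = PORT_ROW.match(line.strip())
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found


def compare_vantage_points(lan_scan, external_scan):
    """Classify open ports on the WAN IP by where they were reachable from."""
    inside, outside = open_ports(lan_scan), open_ports(external_scan)
    return {
        # Answered only when scanned from the LAN: typically the router's
        # own management interface, not an Internet-facing service.
        "lan_only": sorted(set(inside) - set(outside)),
        # Answered from outside: these are the ports that are really exposed.
        "exposed": sorted(set(outside)),
    }


# Scan of the WAN IP run from inside the LAN (port table as posted above).
LAN_SIDE = """\
Interesting ports on c-67-190-X-x.hsd1.co.comcast.net (67.190.x.x):
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
"""

# Constructed sample: the same target scanned from a host outside the network,
# with the SSH forward enabled (2112 is an assumed stand-in for that port).
EXTERNAL = """\
Interesting ports on c-67-190-X-x.hsd1.co.comcast.net (67.190.x.x):
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
2112/tcp open  kip
"""

if __name__ == "__main__":
    for group, ports in compare_vantage_points(LAN_SIDE, EXTERNAL).items():
        print(group, ports)
```

A port listed under `lan_only` matches the situation in this thread: it is open to hosts behind the router but not to the outside world.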

NuxIT 06-16-2006 11:32 PM

Yeah Captain. That's why I wasn't overly concerned. Because when using Shields Up on GRC it shows all ports stealth to the outside world. So, I think I'm good. I'm always so concerned about firewalls and A/V on my computers that I never stop to think someone might exploit my router. I've had the router for a while and they've never updated the firmware. One thing that kinda concerned me was that multiple entries in my router's security log showed:

Tue Jun 6 03:39:54 2006 -WAN DHCP Client Connected IP 67.190.x.x

Don't remember seeing those entries before.

Capt_Caveman 06-17-2006 10:10 PM

Is that the router grabbing its WAN IP from the ISP? Power cycle the router, leaving it off for a few minutes. Then restart the router and compare the WAN IP it grabs with any corresponding log entries for that time.

Most sane routers don't have any DHCP service accessible from the WAN interface, so unless something is configured improperly, then it sounds unlikely. Make sure to verify your router settings to be sure.

NuxIT 06-24-2006 01:21 AM

Sorry it took me so long to report back. I now realized that all that nmap scan shows is the port used to manage my router on my LOCAL LAN ONLY!! I was worried when I could telnet to my port 80 on my router locally. I was equally (MORE) concerned when I thought my router was accessible over the internet via the WAN IP. This is not the case! Somehow my WAN IP translates to my local router management address. This is the reason it shows open state. I would imagine most anyone who has a home router would have the same results. Stay secure.. This week's wig out... Um, Microshaft's WGA tool!! Gawd, I wish I wasn't a gamer.. I would be soooo off Win XP!!