Security Basics: Re: Port 80 open without WebServer

Re: Port 80 open without WebServer

From: Paulo <listassec_at_yahoo.com>
Date: Thu, 1 Jul 2004 09:50:18 -0700 (PDT)

Thanks for the help.

Host A:
- The computer where I'm running the tests with nessus
and nmap.
- IP 200.200.200.201

Router R1:
- ADSL router - connects host A to the internet.
- IP 200.200.200.202

Host B:
- The server under investigation, receives the tests
with nessus and nmap.
- Linux RedHat/Conectiva 8
- IP 200.200.201.201
- Services running: Samba, Squid, Atalk, Postfix,
Iptables, Snort, SSH; I don't have APACHE installed.
- iptables is set to drop all connections, with the
exception of SSH coming from host A.
- iptables has no redirect to port 80.

Router R2:
- ADSL router - connects host B to the internet.
- SpeedStream model 5660
- IP 200.200.201.202

The Problem:
I ran nessus from host A against host B, and I
received a Security Alert saying that port 80/tcp was
open and that an unknown service was running.

I started the investigation and ran the following
commands on host B:
netstat -tupan ( doesn't show port 80 )
lsof -i ( doesn't show port 80 )
fuser -n tcp 80 ( shows nothing )
tcpdump dst port 80 ( there is no traffic on this
port )
chkrootkit ( detects nothing )
clamav ( doesn't find a virus )
Replaced netstat with another, trusted copy and ran
netstat -tupan again, and the result was the same.

- I disabled port 80/tcp and 80/udp in
/etc/services and restarted host B.

I tried a telnet to port 80 and this happened:

Trying 200.200.201.201 ....
Connected to 200.200.201.201.
Escape character is '^]'.

I did: GET / HTTP / 1.1
Then, after a short time, I received the message:

Connection closed by foreign host.

On host A, I ran nmap against host B using the
following command:
nmap -vv -P0 -p 80-80 -sT 200.200.201.201

I received that port 80/tcp was open with the http
service.

Then I did the following test: unplugged host B from
the router. On host A, I ran the same nmap command
against the host B IP and the result was that
port 80 was open. But how, if the host was unplugged
from the internet?

Then, still with host B off the internet, I ran the
nmap command against the router R2 IP and the result was
that port 80 was open too.

I don't understand what's happening, can anyone
help me?

Following are the results of the netstat -tupan and ps ax
commands.

Result of the netstat -tupan:

Conexões Internet Ativas (servidores e estabelecidas)
Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
tcp 0 0 192.168.100.1:548 0.0.0.0:* OUÇA 2069/afpd
tcp 0 0 192.168.100.1:139 0.0.0.0:* OUÇA 1895/smbd
tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 1008/sshd
tcp 0 0 192.168.100.1:3128 0.0.0.0:* OUÇA 2149/(squid)
tcp 0 0 192.168.100.1:25 0.0.0.0:* OUÇA 1675/master
tcp 0 0 127.0.0.1:25 0.0.0.0:* OUÇA 1675/master
tcp 0 0 127.0.0.1:32898 127.0.0.1:32897 ESTABELECIDA 2149/(squid)
tcp 0 0 127.0.0.1:32897 127.0.0.1:32898 ESTABELECIDA 2150/(ncsa_auth)
tcp 0 0 127.0.0.1:32900 127.0.0.1:32899 ESTABELECIDA 2149/(squid)
tcp 0 0 192.168.100.1:548 192.168.100.3:49155 ESTABELECIDA 2247/afpd
tcp 0 0 127.0.0.1:32899 127.0.0.1:32900 ESTABELECIDA 2151/(ncsa_auth)
tcp 0 48 200.200.201.201:22 200.200.200.201:32806 ESTABELECIDA 1399/sshd
tcp 0 0 192.168.100.1:139 192.168.100.6:1027 ESTABELECIDA 2203/smbd
tcp 0 0 127.0.0.1:32902 127.0.0.1:32901 ESTABELECIDA 2149/(squid)
tcp 0 0 192.168.100.1:548 192.168.100.5:49155 ESTABELECIDA 2330/afpd
tcp 0 0 127.0.0.1:32901 127.0.0.1:32902 ESTABELECIDA 2152/(ncsa_auth)
tcp 0 0 127.0.0.1:32904 127.0.0.1:32903 ESTABELECIDA 2149/(squid)
tcp 0 0 127.0.0.1:32903 127.0.0.1:32904 ESTABELECIDA 2153/(ncsa_auth)
tcp 0 0 127.0.0.1:32906 127.0.0.1:32905 ESTABELECIDA 2149/(squid)
tcp 0 0 127.0.0.1:32905 127.0.0.1:32906 ESTABELECIDA 2154/(ncsa_auth)
tcp 0 0 192.168.100.1:139 192.168.100.7:1233 ESTABELECIDA 1951/smbd
udp 0 0 192.168.100.1:137 0.0.0.0:* 1908/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1908/nmbd
udp 0 0 192.168.100.1:138 0.0.0.0:* 1908/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 1908/nmbd
udp 0 0 127.0.0.1:32786 0.0.0.0:* 1951/smbd
udp 0 0 127.0.0.1:32791 127.0.0.1:32792 ESTABELECIDA 2156/(pinger)
udp 0 0 127.0.0.1:32792 127.0.0.1:32791 ESTABELECIDA 2149/(squid)
udp 0 0 127.0.0.1:32793 0.0.0.0:* 2203/smbd
udp 0 0 0.0.0.0:32804 0.0.0.0:* 2149/(squid)

Result of the ps ax:

    4 ? SW 0:00 [kswapd]
    5 ? SW 0:00 [bdflush]
    6 ? SW 0:00 [kupdated]
    7 ? SW< 0:00 [mdrecoveryd]
   11 ? SW 0:02 [kjournald]
  129 ? SW 0:00 [khubd]
  256 ? SW 0:00 [kjournald]
  257 ? SW 0:00 [kjournald]
  701 ? SW 0:00 [eth0]
  782 ? SW 0:00 [eth1]
  868 ? S 0:00 syslogd -m 0
  880 ? S 0:00 klogd
  968 ? S 0:00 /usr/sbin/atd
  988 ? S 0:00 crond
 1008 ? S 0:00 /usr/sbin/sshd
 1133 ttyS0 S 0:00 gpm -t ms
 1314 ? R 0:08 /usr/bin/snort -d -D -i eth0 -p -l /var/log/snort -u
 1319 tty1 S 0:00 /sbin/mingetty tty1
 1320 tty2 S 0:00 /sbin/mingetty tty2
 1321 tty3 S 0:00 /sbin/mingetty tty3
 1322 tty4 S 0:00 /sbin/mingetty tty4
 1323 tty5 S 0:00 /sbin/mingetty tty5
 1324 tty6 S 0:00 /sbin/mingetty tty6
 1399 ? S 0:00 /usr/sbin/sshd
 1401 ? S 0:01 /usr/sbin/sshd
 1402 pts/0 S 0:00 -bash
 1415 pts/0 S 0:00 su
 1416 pts/0 S 0:00 bash
 1675 ? S 0:00 /usr/lib/postfix/master
 1682 ? S 0:00 pickup -l -t fifo -u
 1683 ? S 0:00 qmgr -l -t fifo -u
 1895 ? S 0:00 smbd -D
 1908 ? S 0:00 nmbd -D
 1909 ? S 0:00 nmbd -D
 1951 ? S 0:04 smbd -D
 2043 ? S 0:00 atalkd
 2056 ? S 0:00 papd
 2069 ? S 0:00 afpd -c 50 -n sp
 2147 ? S 0:00 /usr/bin/squid
 2149 ? S 0:00 (squid)
 2150 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
 2151 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
 2152 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
 2153 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
 2154 ? S 0:00 (ncsa_auth) /etc/squid/squid_passwd
 2155 ? S 0:00 (unlinkd)
 2156 ? S 0:00 (pinger)
 2203 ? S 0:01 smbd -D
 2247 ? S 0:00 afpd -c 50 -n sp
 2316 ? S 0:00 smtp -t unix -u
 2318 pts/0 R 0:00 ps ax

--- Nelson Santos <nsantos_at_gmail.com> wrote:
> Hi Paulo,
>
> Did you try to connect to the port using Telnet
> (telnet localhost 80)?
> How about using nmap (nmap -sV -p 80 localhost). This
> will try to connect to the service and check its version.
>
> Nelson
>
> On Wed, 30 Jun 2004 04:24:24 -0700 (PDT), Paulo
> <listassec_at_yahoo.com> wrote:
> >
> > Hi,
> >
> > I ran Nessus on a Redhat/Conectiva 9 and I
> > received the alert:
> >
> > Security Note: Port: www-http (80/tcp).
> >
> > I'm not running an http server (apache) and netstat
> > -anp doesn't show port 80. I also ran chkrootkit and it
> > detected nothing. I ran clamav and it detected nothing
> > too.
> >
> > Can anyone help me?
> >
> > Thanks
> >
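The local checks Paulo ran (netstat, lsof, fuser) and the nmap result from host A are two views of the same port. The script below is an added example, not part of this thread: it reads the kernel socket table that the local tools consult and sets that answer beside the external result to classify the finding. The sample table, the function names and the verdict wording are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. netstat, lsof and fuser all answer
# "does this host own TCP port N?" from the kernel socket table /proc/net/tcp;
# this reads that table directly and then sets the answer beside what an
# external scan (nmap -sT from host A) reported.
# /proc/net/tcp stores IPv4 addresses as little-endian hex: 0100007F is 127.0.0.1
hex_ip_to_dotted() {
    b1=$(printf '%s' "$1" | cut -c7-8); b2=$(printf '%s' "$1" | cut -c5-6)
    b3=$(printf '%s' "$1" | cut -c3-4); b4=$(printf '%s' "$1" | cut -c1-2)
    echo "$((0x$b1)).$((0x$b2)).$((0x$b3)).$((0x$b4))"
}
# $1 = port, $2 = socket table (default /proc/net/tcp). Prints each local
# address listening on the port; returns 0 if any, 1 if the host does not own it.
tcp_port_listening() {
    port=$1; table=${2:-/proc/net/tcp}
    hexport=$(printf '%04X' "$port")
    found=1
    # field 2 = local_address "HEXIP:HEXPORT", field 4 = state, 0A = TCP_LISTEN
    for addr in $(awk -v hp="$hexport" \
        'NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == hp) print a[1] }' "$table"); do
        echo "port $port listening on $(hex_ip_to_dotted "$addr")"
        found=0
    done
    return $found
}
# $1 = exit status of tcp_port_listening, $2 = 0 if a connect from outside succeeded.
port_verdict() {
    case "$1/$2" in
        0/0) echo "open and owned by a local process: fuser -n tcp PORT gives the PID" ;;
        0/*) echo "bound locally but not reachable: filtered somewhere in the path" ;;
        */0) echo "not bound locally yet reachable: a device in the path answers for it" ;;
        *)   echo "closed" ;;
    esac
}
# Constructed sample table mirroring Paulo's netstat: sshd on 0.0.0.0:22 and
# squid on 192.168.100.1:3128 listen, one established ssh session, no port 80.
sample_table=$(mktemp); trap 'rm -f "$sample_table"' EXIT
cat > "$sample_table" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1008
   1: 0164A8C0:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2149
   2: C9C9C8C8:0016 C9C8C8C8:8026 01 00000000:00000030 00:00000000 00000000     0        0 1399
EOF
if tcp_port_listening 80 "$sample_table"; then local_rc=0; else local_rc=1; fi
port_verdict "$local_rc" 0   # host A's nmap said 80/tcp open -> verdict: device in path
```

Run on a real host, drop the second argument so the function reads the live /proc/net/tcp, and take the external status from the scanner's result for that port.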
Received on Jul 01 2004
