[arch-general] Port 80 is shown open in port scan without any web server running
Partha Chowdhury
partha at gmx.us
Wed Mar 30 04:36:48 EDT 2011
Hello to everyone on the list. It is my first message in a while.
I have recently changed my internet provider as I have moved. My
previous provider was a DSL provider and the current one is the local
cable operator. Now with the current provider port 80 is shown open in every
port scan test, all other ports being shown as stealth. But with the
previous provider, every port scanned was shown as stealth. I am not
running any web service. The change in software is the one that
is used to authenticate. Previously it was rp-pppoe; now it is the
GNU/Linux client of the cyberoam software.
Output from lsof:
> sudo /bin/lsof -i
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> pdnsd 1207 nobody 4u IPv4 2434 TCP localhost:domain (LISTEN)
> pdnsd 1207 nobody 5u IPv4 2435 UDP localhost:domain
> pdnsd 1207 nobody 8u IPv4 81232 UDP 172.16.37.164:40131->AS-20144-has-not-REGISTERED-the-use-of-this-prefix:domain
> linc 1214 root 5u IPv4 2448 UDP *:55089
> ntpd 1216 root 16u IPv4 2451 UDP *:ntp
> ntpd 1216 root 17u IPv4 2455 UDP localhost:ntp
> ntpd 1216 root 18u IPv4 2456 UDP 172.16.37.164:ntp
> X 1377 root 1u IPv4 2964 TCP *:x11 (LISTEN)
> gweather- 1538 partha 18u IPv4 78973 TCP 172.16.37.164:53421->a125-56.222-11.deploy.akamaitechnologies.com:http (CLOSE_WAIT)
Iptables configuration:
> sudo /sbin/iptables-save
> # Generated by iptables-save v1.4.7 on Wed Mar 30 13:59:44 2011
> *filter
> :INPUT DROP [2844:282816]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [9999:990098]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 54215 -j ACCEPT
> -A INPUT -p udp -m udp --dport 54215 -j ACCEPT
> COMMIT
> # Completed on Wed Mar 30 13:59:44 2011
With my new provider, I have to provide a static IP 172.16.37.x to eth0
and then start the linc daemon to authenticate; after that I am
allocated a public IP.
Now my question is: why is port 80 open, and does it indicate any
security vulnerability?