
Port 80 always open?



#1 Dad_man (New Member)
Hello everyone,

Since we're starting with BYOB at work, I have checked some security items to ensure everything is safe. Everything seems to be fine, except:

When I check my firewall/router with an online firewall test, all ports are closed & stealth, except port 80, which ALWAYS seems to be OPEN, no matter what type of device / OS (phone, desktop XP, laptop Win7, etc.) I use... I noticed there are Trojan alerts for this port 80, but if I use 4 totally different types of systems to check and they all give the same result? *confused*

Help please? Thank you so much in advance.

I use a Huawei HG655d router, which is secured with a password but doesn't make sense to me at all.



#2 Troy (Tech Staff, Technician)
Hello,

Are you hosting a website? Port 80 is HTTP and is required to be open if you want outsiders to be able to access a website set up inside your network. Otherwise you will need to log in to the router and close it (by removing it from the Port Forwarding section). I don't have any experience with your specific modem, but if you need help just provide screenshots.

Cheers
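Checking port state from the outside, as an added example that is not part of the original thread or of any Huawei tool. The online firewall test mentioned in the first post does essentially this against your public IP: a TCP connect that completes is "open", a connection refused (RST) is "closed", and no answer before the timeout is what such testers call "stealth" (filtered). Run it from a host outside your network (a phone on mobile data, a VPS) against your public address; from inside, it only tells you about the router's LAN side. The host, port list and loopback self-test are assumptions made up for this example. One caveat worth knowing: port 80 answering on the WAN side can also be the router's own web interface (remote management) rather than a forward to an inside host; in that case the fix is disabling WAN-side management, not editing port forwarding.

```python
"""Added example (not from the thread): classify TCP ports as
open / closed / filtered the way an online firewall tester does.
Usage: python port_check.py <host> 80 445 3389
"""
import errno
import socket
import sys
from typing import Dict, Iterable


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open     - the handshake completed: something is listening, or the
               router forwards the port to an inside host
    closed   - the peer answered with RST (connection refused)
    filtered - nothing came back before the timeout (the tester's "stealth")
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            # no route at all: indistinguishable from a silent drop
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe several ports on one host and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def local_demo() -> Dict[str, str]:
    """Constructed self-test on loopback (assumption: loopback is usable):
    a listening socket must show 'open', an unused port 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # reserve and release a port so we know it is currently unused
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return {
            "listening": probe_port("127.0.0.1", open_port, 1.0),
            "unused": probe_port("127.0.0.1", closed_port, 1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    if len(sys.argv) > 2:
        target, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
        for port, state in probe_ports(target, ports).items():
            print(f"{target}:{port} {state}")
    else:
        print(local_demo())
```

With no arguments the script runs the loopback self-test, which should report the listening socket as open and the unused one as closed; with a host and ports it prints one state per port. A result of "filtered" for every port except 80, seen from outside, matches what the online tester reported.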

#3 Dad_man (Topic Starter)
Thank you so much Troy, as soon as I get home again, I'll upload some pics, as I can't seem to alter any settings, just view them.
Also, router-logs are FILLED with this:

2012-03-27 09:22:57 Kernel Warning klog 104 104<1> Intrusion -> IN=nas_a1_0 OUT= MAC=xc:xd:xx:xx:xe:dx:xx:xx:xe:fx:xx:xx:xx:xx SRC=210.242.**.*** DST=**.**.**.** LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=26428 DF PROTO=TCP SPT=3889 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

Does this mean somebody is trying to hack me? (I changed all numbers to x/*.)

SRC=IP ranges from 4.79.142.xxx to 216.152.171.xx and it's occurring about every 2 minutes...
Did they get in?

Thank you Troy, it really means a lot some anon is helping me out.

PS: Do you want me to upload the log.txt? Can other people read that as well if I do?

#4 Troy (Tech Staff, Technician)
Yes if you upload it everyone will be able to see it. Personally I hate going through logs and will avoid them unless I absolutely have to (and yes, in my job I have to quite a bit haha).

For the warning you have copied above, you can see SPT=3389. Port 3389 is the remote desktop connection; can you check if this port is also open (the same way you checked that port 80 was open)?

#5 Dad_man (Topic Starter)
Again, thank you for the clear explanations Troy.
I'll keep those logs for myself then, I think I understand quite well what you are saying, arial gets boring after a while, hahaha.


1] I finally found a way to alter the PTM (Chinese for port forwarding???) and port 80 is closed now. Word to the wise: only buy Chinese equipment if you actually can READ Chinese, lol, what a "manual". *fixed!*

2] Yes, both port 3389 and 445 are closed as well. In fact, all ports from 1-64.000(something) are "Stealth" now. *fixed*

3] Because the "intrusion-alert-frequency" has been upped to over 5 times a minute and annoys me a lot, I asked my ISP for a new IP; they refused, so now I got me a new provider that does that automatically AND on demand. Fixed?




One question, just because I got really interested: does a low TTL (time-to-live?) mean the originating source is near, or just that it didn't make as many hops all around the world? Or is this just that old infection-server thing trying to reconnect? (It varies from 23 to well over a hundred.) Or did I google all wrong here?

Last question: I have a whole heap of privately owned (as far as I can make out, that is) IPs in my logs. I checked quite a few and many are in the same country I live in myself. Can I do something for these people by sharing the data with police/banks, or would that be totally useless and should they all just come here by themselves? ;)


Greetings from the other side of the world, and a huge hug for all the people making this site, and thus my computer, WORK!

THANK YOU.!


EDIT: One of my kids had an infected laptop 2 weeks ago after downloading some mod for some game, but I am sure this is resolved, as I re-installed that whole system immediately using the recovery disks and it is working just fine again. Sorry I forgot to mention that earlier, I thought I already did in my first post.

Edited by Dad_man, 28 March 2012 - 02:11 AM.


#6 Troy (Tech Staff, Technician)

I think I understand quite well what you are saying, arial gets boring after a while, hahaha.

Absolutely, it gives me a headache if I am required to go through pages and pages of logs. Obviously I do if I have to. :)

3] Because the "intrusion-alert-frequency" has been upped to over 5 times a minute and annoys me a lot, I asked my ISP for a new IP; they refused, so now I got me a new provider that does that automatically AND on demand. Fixed?

Last question: I have a whole heap of privately owned (as far as I can make out, that is) IPs in my logs. I checked quite a few and many are in the same country I live in myself. Can I do something for these people by sharing the data with police/banks, or would that be totally useless and should they all just come here by themselves? ;)

If you have changed provider and have a new IP are these logs now still occurring? If so there's definitely something afoot in your network I would think. Some infections are able to adjust the modem config so it might be a good idea to completely wipe the modem back to factory defaults and set it up from scratch again. This should clear out any config an infection may have made. Before you do this you might need to contact your ISP to get all the required info to set it back up.


One question, just because I got really interested: does a low TTL (time-to-live?) mean the originating source is near, or just that it didn't make as many hops all around the world? Or is this just that old infection-server thing trying to reconnect? (It varies from 23 to well over a hundred.) Or did I google all wrong here?

http://en.wikipedia.org/wiki/Time_to_live

It means it won't be cached as long before the server will check with the authoritative server to double check records are still correct. For a home user TTL shouldn't mean much.

EDIT: One of my kids had an infected laptop 2 weeks ago after downloading some mod for some game, but I am sure this is resolved, as I re-installed that whole system immediately using the recovery disks and it is working just fine again. Sorry I forgot to mention that earlier, I thought I already did in my first post.


If you completely reinstalled from scratch chances are the infection is all gone. However it is possible for some remnants to remain (believe it or not). I would probably recommend you head over to the Malware Removal section and post up some logs for a health check on all of the computers in your home network.

Troy
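Reading those router log lines programmatically, as an added example that is not from the thread or from the router's firmware. The "Intrusion ->" line quoted in post #3 is the usual Linux netfilter log format (KEY=value fields), so the fields can be pulled out with one regular expression and counted: which destination ports are being hit (DPT), which sources repeat (SRC), and roughly how far away each source is. On that last point, the TTL in these lines is the IP header time-to-live: most operating systems start it at 64, 128 or 255 and every router on the path subtracts one, so the gap to the nearest common starting value is a rough hop count (TTL=109 in the quoted line suggests about 19 hops from a host that started at 128), not a geographic distance. The sample log lines below are constructed for this example, with RFC 5737 documentation addresses in place of real sources; only the field layout is copied from the quoted line. A logged inbound SYN to 445 shows that someone knocked; on its own it says nothing about whether anything got in.

```python
"""Added example (not from the thread): parse netfilter-style "Intrusion"
log lines from a home router, count ports and sources, estimate hop distance.
Usage: python intrusion_log.py router_log.txt   (no argument: built-in sample)
"""
import re
import sys
from collections import Counter
from typing import Any, Dict, Optional

# Constructed sample lines in the format quoted in the thread; the addresses
# are RFC 5737 documentation ranges, not real hosts, and the MAC is made up.
SAMPLE_LOG = """\
2012-03-27 09:22:57 Kernel Warning klog 104 104<1> Intrusion -> IN=nas_a1_0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=26428 DF PROTO=TCP SPT=3889 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
2012-03-27 09:24:40 Kernel Warning klog 104 104<1> Intrusion -> IN=nas_a1_0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=26519 DF PROTO=TCP SPT=4012 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
2012-03-27 09:25:03 Kernel Warning klog 104 104<1> Intrusion -> IN=nas_a1_0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12001 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
2012-03-27 09:26:11 Kernel Warning klog 104 104<1> Intrusion -> IN=nas_a1_0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12002 DF PROTO=TCP SPT=51235 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0
2012-03-27 09:27:30 Kernel Warning klog 104 104<1> Intrusion -> IN=nas_a1_0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=5 DF PROTO=TCP SPT=6000 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")          # KEY=value tokens (OUT= is empty, so skipped)
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
COMMON_INITIAL_TTLS = (64, 128, 255)               # Linux/BSD/macOS, Windows, network gear


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=value fields of one 'Intrusion ->' line, else None."""
    if "Intrusion" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    ts = TS_RE.match(line)
    if ts:
        fields["TS"] = ts.group(1)
    # TCP flags appear as bare words; keep the ones present
    fields["FLAGS"] = ",".join(f for f in ("SYN", "ACK", "RST", "FIN") if f" {f} " in line)
    return fields


def estimate_hops(ttl: int) -> int:
    """Hops from the sender, assuming it started at the nearest common
    initial TTL at or above the observed value (a heuristic, not exact)."""
    if not 0 <= ttl <= 255:
        raise ValueError("IP TTL must be 0..255")
    return next(init for init in COMMON_INITIAL_TTLS if ttl <= init) - ttl


def summarize(log_text: str) -> Dict[str, Any]:
    """Aggregate a whole log: hits per destination port, hits per source,
    and an estimated hop count per source."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_port = Counter(int(r["DPT"]) for r in records if "DPT" in r)
    by_src = Counter(r["SRC"] for r in records if "SRC" in r)
    hops = {r["SRC"]: estimate_hops(int(r["TTL"])) for r in records if "SRC" in r and "TTL" in r}
    return {"total": len(records), "by_port": by_port, "by_src": by_src, "hops": hops}


def report(summary: Dict[str, Any]) -> str:
    """Human-readable version of summarize()'s result."""
    total = summary["total"] or 1
    lines = [f"{summary['total']} logged probes"]
    for port, n in summary["by_port"].most_common():
        lines.append(f"  port {port:>5}: {n} ({100 * n / total:.0f}%)")
    for src, n in summary["by_src"].most_common():
        lines.append(f"  {src:<16} {n} probes, ~{summary['hops'][src]} hops away")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(text)))
```

On the sample, port 445 accounts for two of five probes and the source that sent them (TTL 109) comes out at roughly 19 hops, while TTL 240 is read as a device that started at 255 about 15 hops away. Point it at the real log.txt and the port share and repeat sources are what you would hand to an abuse contact, with the SRC addresses left intact rather than masked.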

#7 Dad_man (Topic Starter)

If you have changed provider and have a new IP are these logs now still occurring? If so there's definitely something afoot in your network I would think. Some infections are able to adjust the modem config so it might be a good idea to completely wipe the modem back to factory defaults and set it up from scratch again. This should clear out any config an infection may have made. Before you do this you might need to contact your ISP to get all the required info to set it back up.

I now have -different- temporary UMTS connections (say, same as a cellphone), and I can't find any evidence of any port scans anymore, using an embedded (?) tool from my new provider, called WireShark.
The modem/router has been disconnected completely and will be replaced within 2 weeks.



If you completely reinstalled from scratch chances are the infection is all gone. However it is possible for some remnants to remain (believe it or not). I would probably recommend you head over to the Malware Removal section and post up some logs for a health check on all of the computers in your home network.

Troy

I can hardly believe you, but I most certainly shall.
Seriously? After a fresh installation? I even re-partitioned the HDD on advice of a friend...
That is some scary stuff. I'm starting with my oldest (most vulnerable?) system then, thank you so much for the advice!

Thank you for all your support and explanations Troy.

#8 Troy (Tech Staff, Technician)
Like I said, it's extremely rare but possible. If the computer itself is running fine and current scans show no signs of infection you might be OK. But it won't hurt just to post up a log and explain that the computer was infected, you have performed a complete recovery and you just want to make sure there's no sign of anything. In particular the ones I am talking about are boot-sector or MBR viruses. I recently cleaned one up here in my shop, and when I restarted the computer it decided it wasn't going to boot. I had to then repair the MBR to get it started up again.

#9 Dad_man (Topic Starter)
After looking up the ports that are being scanned, I am even more paranoid.
(25, 139, 443, 445(90% of all the times), 1433, 3389, 4899 and 5900)

So, I have started a new topic in the "Malware" section (Troy advised...), because I am terrified somebody installed a key-logger or even worse, a RAdmin-thing within one of my systems.

Thank you for the eye-opener, I'll have to get me a Paypal account soon.



(I moved to malware section, topic can be closed?)

#10 Troy (Tech Staff, Technician)
We don't usually close topics except for specific reasons. Once you are all cleaned up (make sure all computers are checked) feel free to come back and give me an update. :)

#11 Dad_man (Topic Starter)
I most certainly will then, thanks.

#12 Dad_man (Topic Starter)
Update:

With the help of my neighbor, we re-formatted, re-partitioned, and re-installed ALL our systems from scratch one by one at his house, and we just finished the last one :) (EDIT: including MBR with adapter, no back-ups used)
All passwords have been reset from a safe system & connection again as well.

It was a time-consuming process, but I learned a lot and improved our online-safety through various software that can be -among others- found in the guides on this site.
I never knew there were so many ways to add "layers" in order to improve safety, like a host-file, updating-software, a sandbox, "intelligent" firewall and so on. Turns out Windows-update and an up-to-date AV are just a start! Not even to start on maintenance-software by the way.
My o my, what an experience, lol.

Anyways, the new router should be coming in soon, and until then we have only limited internet-connection at home, as I disconnected the current router, but at least we can safely check our mail and bank online through some temporary UMTS sticks. Kids aren't too happy about it, but I blame them in the first place, hahaha.
But seriously, we all learned a lot from this experience and I -again- want to thank you for the eye-openers.

Keep up the great work!

Ps: I added a new reply in the malware-forum first, I hope nobody wasted too much time on it... :[

Edited by Dad_man, 02 April 2012 - 07:09 AM.


#13 Troy (Tech Staff, Technician)
Well that's one way to do it :lol:





