PDA

View Full Version : Which program has opened Port 80 ?



roygretn
14-10-2004, 12:38 PM
My computer has a 2 GHz AMD Athlon XP CPU ; O/S Win98SE with Free Zone Alarm 5.1.033.000 ; Norton AV 5 ; Spybot S&D 1, 3, 0, 12 ; AdAware SE Personal 6.2.0.206; installed & all kept up to date. I run monthly checks on security through grc Shields Up!!, and generally get a clean bill of health. This week Shields Up!! reported that Port 80 was open & thus vulnerable. None of the installed security programs above give any hint of a problem. I do not have ICU or to the best of my knowledge any other similar link to a website and have been unable to identify what program is causing Port 80 to open. I would appreciate advice on how to identify the recalcitrant program [and nullify it if appropriate].

There is also a second problem, just arrived [and separately posted] which may or may not be related. For some reason Windows Networking has become corrupted as shown by (i) at startup a Windows Networking window appears with "Unable to load the dynamic link library file msn32.dll. The system cannot find the file specified. Some or all of the following feature is not available Windows Networking." and (ii) I have lost the ability to store my DUN password and must retype it every time I make contact with my ISP. The "missing file" is clearly still in C:\Windows\System [and I transferred a copy back toC:\Windows just in case it was being looked for there]
How do I reinstall an uncorrupted version of Windows Networking ?

Murray P
14-10-2004, 01:31 PM
Http, web browsers use port 80. Zone alarm should be able to tell what programmes are connected at any one time and what port they are using (haven't used ZA for yonks so can't elaborate any further), any thing suspicious can be blocked on a per case basis, take notes for undo.

You could try replacing the file with system file checker. Go Start > Run, type sfc click on start (or scan?) in the window that this invokes, have your 98 CD handy, SFC will scan for damaged or changed files since the original installation. Be careful as I don't think the win98 version can make allowances for files changed by windows service packs and updates, so when your are prompted to replace or skip a file, only replace the one(s) you want skip the rest.

The alternative is to try to remove then reinstall DUN then TCP/IP if that doesn't work, via the Control Panel Add/Remove > Windows Components with your windows CD ready (if I remember correctly).

Cheers Murray P

Cheers Murray P

roygretn
15-10-2004, 05:50 PM
Thanks Murray P for your reply
I realise that Port 80 is used to communicate with Websites with HTTP.
The fundamental problem is that something has changed in the last month. My monthly check with grc Shields Up!! has revealed that Port 80 is now open and thus vulnerable, yet none of my security programs - Symantec NAV, Zone Alarm, AdAware, Spybot S&D give any hint of a problem. Even the old DOS NETSTAT finds nothing wrong [nothing connected to Port 80 at present]. A Symantec online security check also confirmed that Port 80 is now open and vulnerable. I realise that Zone Alarm should detect any programme trying to use Port 80 in or out, but it still makes me uncomfortable for it to be now revealed and thus providing greater potential for attack. I suspect that some very cleverly devised Trojan has sneaked in and has now well hidden itself.

I am well aware of the hazards behind random use of sfc and do not wish to traverse that road, especially since I have no idea what file or files may need renewal.

roygretn

Terry Porritt
15-10-2004, 07:30 PM
In the FAQ associated with Shields Up, it is said that ICQ can act as a web server and open port 80.

Peter H
15-10-2004, 09:41 PM
Out of interest, I went to GRC and used Sheilds Up. W98se - original installation - no updates - IE 5.5 - no firewall. Port 80 closed - only one open, 139 - net Bios, whatever that means.
Bye

bmason
16-10-2004, 10:42 AM
> Even the old DOS NETSTAT
> finds nothing wrong [nothing connected to Port 80 at
> present].

You should be looking for a program listening on port 80 on your machine. There probably [hopefully] won't be anyone connected. Try running "netstat -a" and see if anything is listed as listening on local port 80/http.

Zone alarm should be able to list active & listening connections and the associated programme. If it doesn't there is a programme available from http://www.sysinternals.com that does the same thing.


I doubt a trojen would be dumb enough to listen on a standard port unless they wanted every one to know. Perhaps you have installed something like Personal Web Server.

Try pointing your browser at http://127.0.0.1/ and see what it serves up.

roygretn
18-10-2004, 07:59 PM
roygretn reply Terry Porritt
As already indicated I am well aware of what Port 80 does and I do not have ICU installed.
roygretn reply to Peter H
Yes that is just the sort of reply expected from Shields Up. Suggest you get a Firewall to protect Port 139.
roygretn reply to bmason
As already indicated, NETSTAT with no matter what subscript gives no indication of any happening on Port 80.
Re your comment "Zone alarm should be able to list active & listening connections and the associated programme", I am running the latest Free Version but cannot extract the info you suggest from Zone Alarm.
I have had a look at http://www.sysinternals.com, but with the plethora of programs mentioned I would need more precise indication from you of the actual programme you refer to.
Unfortunately one cannot be confident that a Trojan will not attack Port 80.
No I am not dumb enough to have activated Personal Web Server.
http://127.0.0.1/ - the standard self check provides no useful info.

Further comment - Via msconfig I have isolated all nonessential startup programmes to no avail - Port 80 is still open.

Murray P
18-10-2004, 08:25 PM
Have you considered using a different firewall, like Kerio, to get a second opinion.

Sure it's not ZA listening on port 80. Do you have an HP/Compaq keyboard or some other peripheral that has a burning desire to listen and call home every now and again. Not they should be too hard to find.

Cheers Murray P