
Computer closing port 80


beco73

Programmer
May 8, 2005
157
CA
hi,

My port 80 was open and all of a sudden it is 'stealth' now. My ISP is not closing it, because I tried another computer and it is open there. I am using a W2k server. I tried both with the router and without, but it is closed on both. I ran a virus scan as well. All my websites are down now because of that.

Thanks
 
Is IIS running on the computer? Did you recently install a software firewall? If you run netstat, do you see IIS attached to port 80 on the computer?


pansophic
 
Yes, IIS is running. No, I did not install any firewall. If I run netstat, this is what I get:

Proto Local Address Foreign Address State
TCP irfan-qqsqq665e:1035 irfan-qqsqq665e:1036 ESTABLISHED
TCP irfan-qqsqq665e:1036 irfan-qqsqq665e:1035 ESTABLISHED
TCP irfan-qqsqq665e:2842 cs4.msg.dcn.yahoo.com:5050 ESTABLISHED
TCP irfan-qqsqq665e:3274 ypn-js.overture.com:http TIME_WAIT
TCP irfan-qqsqq665e:3290 65.61.167.158:http TIME_WAIT
TCP irfan-qqsqq665e:3339 baym-cs268.msgr.hotmail.com:1863 ESTABLISHED
TCP irfan-qqsqq665e:3344 206.167.78.32:http CLOSE_WAIT
TCP irfan-qqsqq665e:3345 206.167.78.32:http CLOSE_WAIT
TCP irfan-qqsqq665e:3348 207.68.178.16:http CLOSE_WAIT
TCP irfan-qqsqq665e:3349 207.68.178.16:http CLOSE_WAIT
TCP irfan-qqsqq665e:3350 us.mcafee.com:http TIME_WAIT
TCP irfan-qqsqq665e:3351 us.mcafee.com:http TIME_WAIT
TCP irfan-qqsqq665e:3358 us.mcafee.com:http TIME_WAIT
TCP irfan-qqsqq665e:3359 207.61.132.16:http CLOSE_WAIT
TCP irfan-qqsqq665e:3361 216.200.68.15.d277.speedera.com:http CLOSE_WAIT

TCP irfan-qqsqq665e:3362 us.mcafee.com:http TIME_WAIT
TCP irfan-qqsqq665e:3364 us.mcafee.com:http TIME_WAIT
 
There is no binding of IIS to port 80 on your machine. You can see that all of your local ports are ephemeral ports (1025 - 65535). You do have some browser connections in a TIME_WAIT state to other webservers though, like McAfee and Overture.

It appears to be something in your IIS configuration, since it is not binding to the IP stack. I don't see any mail or FTP bindings from IIS either. I didn't know that you could shut off the web functionality of IIS, but it appears that you can.

I assume that you have tried a hard boot?

Are any services that IIS uses not running now?




pansophic
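
An added example, not part of the thread: a small parser that checks netstat text for a listener on a given port. Windows `netstat` run without `-a` lists only active connections, so output with no LISTENING rows at all cannot show a listener either way, and the code reports that case separately. The sample listings and the service-name table are constructed for illustration.

```python
# Added example: decide from netstat text whether a TCP port has a listener.
SERVICE_PORTS = {"http": 80, "smtp": 25, "ftp": 21}  # names printed without -n

# Constructed samples (not the thread's output). ACTIVE_ONLY mimics plain
# `netstat`; WITH_ALL mimics `netstat -an` on a host whose web server is up.
ACTIVE_ONLY = """\
  Proto  Local Address     Foreign Address        State
  TCP    websrv:1035       websrv:1036            ESTABLISHED
  TCP    websrv:3290       203.0.113.5:http       TIME_WAIT
"""
WITH_ALL = """\
  Proto  Local Address     Foreign Address        State
  TCP    0.0.0.0:80        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135       0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3290   203.0.113.5:80         TIME_WAIT
"""

def parse(text):
    """Yield (local_port, state) for every TCP row; headers are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "TCP":
            continue
        # rpartition keeps working for IPv6 locals such as [::]:80
        port = f[1].rpartition(":")[2]
        port = SERVICE_PORTS.get(port.lower(), port)
        yield (int(port) if str(port).isdigit() else None), f[3]

def diagnose(text, port):
    """Return 'bound', 'not-bound' or 'inconclusive' for a local TCP port."""
    rows = list(parse(text))
    if not any(state == "LISTENING" for _, state in rows):
        # No listening sockets were reported at all, so a missing listener
        # proves nothing; rerun with -a (and -n for numeric ports).
        return "inconclusive"
    bound = any(p == port and state == "LISTENING" for p, state in rows)
    return "bound" if bound else "not-bound"

if __name__ == "__main__":
    for name, text in (("plain", ACTIVE_ONLY), ("-an", WITH_ALL)):
        print(name, diagnose(text, 80))
```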
 
If ports 25 and 80 are closed for some reason, do you think IIS should still bind to them and I should see that when I run netstat?

If I go to 'Internet service information' I see IIS up and all the websites running. I disconnected it and connected back again.

I have rebooted my machine many times. I think that's what you meant by hard boot?

I have a partitioned hard drive; on the other partition I have XP Pro, which does not have IIS installed. Even there I get port 80 stealth. I don't know if that tells you something?

I go to
to check the ports

Thanks
 
Netstat reports what is currently bound to the IP stack. If IIS is running, and is configured to listen for HTTP requests, it should open port 80, even if a firewall is blocking the connection (I believe).

I am not IIS literate, I always run Apache under Linux, so I really can't help you with IIS, other than to tell you that nearly everything points to a configuration issue with IIS. But generally it is not safe to query a program about its state as a reliable method of verification. Programmers always take short cuts because it is hard to actually verify everything. That is why I had you run netstat. It doesn't know about applications, but it knows how to read the stack bindings. No stack bindings, no communications.

A hard boot is actually powering the machine off, and powering it back on, vice rebooting it. Memory is initialized when a hard boot is performed, it is not when a soft boot (reboot) is performed. For most modern OSs there doesn't seem to be much of a difference. In the old days, it would mean the difference between a program restarting and not.

The fact that you are getting 'stealth' at grc.com does mean something, and it is one pointer that indicates that the problem could be something other than IIS. Normally when a port is closed the OS will respond with a NAK to a connection request. With a firewall, you can have the request dropped, rather than responding with the NAK. The dropped request is what grc calls a 'stealth' port.

Is it possible that someone restarted IIS and when McAfee asked if IIS should be able to talk to the net, they pushed the "Never" button? I'm assuming that you have the McAfee firewall product installed. It is where I would check next. I'd also double check the firewall in the broadband router, just in case.

You should attempt to run ethereal on the IIS machine and see what is actually happening when requests come from the Internet. Are the connection requests actually arriving at your host? I suspect that the answer is yes, the packets are arriving, and that you are not responding with either a SYN/ACK (continue the connection process) or NAK (no connections allowed).


pansophic
 
Thanks for your message.

- I hard booted the machine
- uninstalled McAfee
Still the same.

I suspect it is something other than IIS. The fact that on XP Pro port 80 is also stealth, doesn't that mean it has nothing to do with IIS?

Also, I took the router out and connected straight using ISP PPPoE,
but still the same results.

Could it be some virus? I ran Norton 2005, which I have on XP; it picked up a few adware items that it could not delete:

D:\WINDOWS\system32\8d18p7ac.exe
D:\RECYCLER\S-1-5-21-583907252-1275210071-839522115-1003\Dd2.exe
D:\RECYCLER\S-1-5-21-583907252-1275210071-839522115-1003\Dd3.exe is a Adware threat.
D:\WINDOWS\system32\rpdm3k83.dll


 
If it is the McAfee firewall that you uninstalled, there are problems with the uninstaller that will cause it to continue to operate, even when the program has been installed. Do a google search on uninstalling McAfee for more help.

It is entirely possible that this has nothing to do with IIS because of the "stealth" port response. That is nearly always firewall related. Try reinstalling McAfee and disabling both the McAfee firewall and the SP2 firewall. Stop and restart IIS with the firewalls down and see what happens.

It is also possible that it is a virus, but not one that I've ever heard of. Usually the IIS virii are actually worms, escalating privileges and then using the machine as a zombie.


pansophic
 
McAfee is completely gone. I don't know how to remove the SP2 firewall; I never made any changes to it....

I don't have McAfee on XP on the other partition, and there too port 80 is closed, so that means it is caused by something other than McAfee.

I downloaded ethereal as you suggested. I am not sure how it works... anyhow, I did this: option->capture->capture packets in promiscuous mode, and that's what I got after 30-some seconds:



0000 03 00 00 00 00 02 d0 c2 20 52 41 53 00 b4 03 02 ........ RAS....
0010 03 52 54 53 53 03 00 00 00 00 00 a8 00 01 00 00 .RTSS... ........
0020 00 0f 88 01 00 49 52 46 41 4e 2d 51 51 53 51 51 .....IRF AN-QQSQQ
0030 36 36 35 00 00 41 64 6d 69 6e 69 73 74 72 61 74 665..Adm inistrat
0040 6f 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 or...... ........
0050 00 00 00 00 00 00 00 00 00 d0 c2 20 52 41 53 d0 ........ ... RAS.
0060 c2 20 52 41 53 49 00 52 00 46 00 41 00 4e 00 2d . RASI.R .F.A.N.-
0070 00 51 00 51 00 53 00 51 00 51 00 36 00 36 00 35 .Q.Q.S.Q .Q.6.6.5
0080 00 45 00 00 00 41 00 64 00 6d 00 69 00 6e 00 69 .E...A.d .m.i.n.i
0090 00 73 00 74 00 72 00 61 00 74 00 6f 00 72 00 00 .s.t.r.a .t.o.r..
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00c0 00 00 00 00 00 .....
 
Did you attempt to connect in to your Web Server while the capture was running? It doesn't appear so. What you have is an SMB message, but no incoming attempts at Web services. You'll want to attempt from internal and external hosts if at all possible. You should see the internal requests regardless of any firewall configuration, but you may not see the externally (internet) attempted connections if the router is not properly configured. Seems strange if it was working before.

The "stealth" response could be coming from your broadband firewall just as easily. If your website(s) generate much traffic at all, there should be incoming attempts showing up in the ethereal log. Since they aren't, have you checked the router to make sure that it is set up to reroute port 80 from its external address into your IIS machine? I'm assuming that you are on a small, home-based network.

The SP2 firewall is available under network settings, right click on the network interface, select properties, click the advanced tab and press the settings button. The firewall should be Off.

Ethereal will capture every packet that is on your network segment. If you are running a switch, it will only capture data destined for the computer that you are running it on, and broadcast messages like the one that you posted.

You should be trying to capture a connection attempt to determine if the packets are actually getting to the web server. If they are, you have a local host issue. If they are not, the issue is upstream from you, like your router or ISP.

There appears to be some type of local host issue in any event, because if IIS were listening on port 80, it would have shown up in netstat, but work one problem at a time. I'd work on the 'stealth' port 80 issue first because it is most likely to include a third party and may take some time to resolve.

Many ISPs block incoming port 80 unless you purchase 'business' connectivity. They charge extra for this service.

After you figure out where port 80 is being 'stealthed' you can work on why IIS is not opening port 80.


pansophic
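
An added example, not part of the thread: the open / closed / 'stealth' distinction from the earlier reply and the internal-versus-external test from this one, as a connect probe plus a rule for reading the two results together. The refusal the thread calls a NAK arrives on the wire as a TCP reset; the address in the demo and the wording of the verdicts are assumptions.

```python
import socket

def probe(host, port, timeout=3.0):
    """One TCP connect attempt, classified by how the far end answers."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"      # handshake completed: a listener is bound
    except ConnectionRefusedError:
        return "closed"    # reset came back: host reachable, nothing bound
    except socket.timeout:
        return "stealth"   # silence: the request was dropped on the way
    except OSError as exc:
        return "error: %s" % exc   # e.g. no route, name did not resolve
    finally:
        s.close()

def locate(internal, external):
    """Read a probe from the LAN together with one from the Internet."""
    if internal == "closed":
        return "host: reachable but nothing bound to the port, check the service"
    if internal == "stealth":
        return "host: packets dropped before the service, check the host firewall"
    if internal == "open" and external != "open":
        return "upstream: service is up, check router forwarding or the ISP"
    if internal == "open":
        return "ok: reachable from both sides"
    return "unknown: " + internal

if __name__ == "__main__":
    # Assumed values: use the web server's LAN address here, and take the
    # `external` result from the same probe run on a host outside the network.
    inside = probe("127.0.0.1", 80, timeout=2.0)
    print("inside:", inside)
    print(locate(inside, "stealth"))
```

Run the probe once from a machine on the same LAN and once from outside; a packet capture on the server during the outside attempt confirms whether the SYN arrived at all.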
 