10-31-2003 10:40 AM - edited 02-20-2020 11:04 PM
I'm running scans against multiple PIX firewalls running both 6.3(3) and 6.2(2) code using NMap, Nessus, and GFI's scanner. All scanners show the expected ports open but also always show TCP 80 open as well, which is not open in the ACL nor statically mapped with port redirection. From my Linux box, I can telnet to the address on port 80 and get connected but of course I get no response. HTTP servers on all are disabled. I even went so far as to clear the xlate table and verify no PAT entries for HTTP in use during the scan. I just cannot figure out why these PIXes would show 80 open?
I don't believe this to be a security flaw as I can't seem to be able to do anything with this information but I do have to submit scan reports to my customers and I'm sure they will want to know why 80 shows open. I know I would...
Any ideas?
Thanks,
Rik
11-05-2003 12:18 AM
Hi,
i could not get to some definite answer to this one. But it seems like PIX does behave like that.
According to some discussions, since PIX was created with security in mind, it is one way of
spoofing outside attackers with the said port/s.
To really determine if the ports are open, try running portscan and Ethereal at the same time, then
check the results of Ethereal against that of portscan.
Thanks
Nadeem
11-06-2003 05:11 AM
Hmmm...interesting thought...something like a built-in honeypot? Still, I'd rather not see that function as it becomes something of a signature for the PIX. I'd rather be totally anonymous and keep them guessing.
Rik
11-05-2003 06:06 PM
Is the pix web server (pdm) enabled by chance?
11-06-2003 04:09 AM
I got the same behaviour scanning a client's pix (running 6.3) with nmap-nt 3.45 from outside their network. They should have no open tcp ports - their web hosting is outsourced.
11-06-2003 05:08 AM
I had the same thought too but I never use the PDM. I verified it, however, and all were disabled.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide