The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Port 80 Trojan on my Router?

    Discussion in 'Security and Anti-Virus Software' started by Meetloaf13, Nov 25, 2008.

  1. Meetloaf13

    Meetloaf13 fear the MONKEY!!!

    Hey there,

    I recently downloaded Axence free NetTools and did a scan on my network. I did a port scan and scanned what it called "Trojan" ports.

    It returned a "trojan" port on my router's internal IP address on Port 80. Is this a false positive? I thought port 80 was internet...and this is my router not a machine.

    Now, my neighbor who uses my network, showed "trojan" ports 139 and "NIMDA" port 445, which via a quick google appears to be a nasty little worm, so I'll talk with them about that.

    [my machine is clean!]

    My question is about the port 80 "trojan"...something to worry about?

    Thanks
     
  2. robstah

    robstah Notebook Enthusiast

    Port 80 is HTTP traffic. No need to worry about that. I would worry about that so-called port scan program you downloaded. Any legit scanner would assume that you require web access and would not flag such a port. Also, as long as you are behind a router, you shouldn't worry about the ports, unless you are forwarding more than you need to.

    If I remember correctly, Port 139 is NETBIOS/Windows sharing. Many trojans may use it for lower level access to the computer, or use it to spread the trojan to others. You should be able to disable NETBIOS in services under his machine. Make sure 139 is NOT an open port on the router (and it sounds like it is not).

    It sounds like 445 is used for SMB, or SAMBA, which is a way of creating and accessing shares from a universal terminal (unix/linux/osx). If he uses SAMBA in any way, there is no need to disable it on his end. Just as long as the router is blocking those ports, you should be alright.
     
  3. Meetloaf13

    Meetloaf13 fear the MONKEY!!!

    Yeah, I just ran the port scans at grc.com

    My Router is fully stealthed (even got the ping to stop responding).

    Curious thing though, my wife's laptop had the same port warnings as my neighbor's, and she is only running Vista Home Premium x64.

    I'm fairly positive my neighbor isn't using Linux either, but XP.

    But like you mentioned, the router is blocking these ports, so it must only be a vulnerability if I decide to start exploiting them right? =P

    UPDATE: Wifey's lappy returned no virus with a full scan w/Avira AntiVir.
     
  4. Mr_Peter

    Mr_Peter Newbie

    Open your favourite web browser and enter the internal IP of your router in the address bar.
     
  5. Baserk

    Baserk Notebook user

    If you reset your router, change the standard username and password and disable UPnP on it, do you still get the same results?
     
  6. Mr_Peter

    Mr_Peter Newbie

    Yes, he still gets the same result... :>
    Router port 80 must be accessible from local network.
     
  7. Baserk

    Baserk Notebook user

    OK, I understand, could you explain why his neighbour and wife's system produce a warning about NBT port 139 and port 445?
    Will NetTools always give a 'Trojan' fp on port 139 and a 'Nimda' fp on port 445?
    Thanks.
     
  8. Meetloaf13

    Meetloaf13 fear the MONKEY!!!

    Baserk, I'm having trouble understanding what you meant. Which 'tools' are you assuming that I'm 'playing' with?
     
  9. Meetloaf13

    Meetloaf13 fear the MONKEY!!!

    If I still had the standard username and password, I don't know that I'd even have been able to ask a question of this magnitude.

    However, I did disable UPnP, and I get the same results. This scanner is run from my computer which is inside the network, so I didn't expect to see a change in results.

    Like I mentioned before, none of these ports are visible to the outside.
     
  10. Mr_Peter

    Mr_Peter Newbie

    Yes, you're right. NetTools always gives a "trojan" on these ports. If something listens on these ports, of course.
    This program performs only a simple port scan and doesn't recognize true purposes ;)
     
  11. Shyster1

    Shyster1 Notebook Nobel Laureate

    Is it flagging these ports as actually being used by trojans, or is it just noticing that the ports are open, and warning you that these ports tend to be used by trojans and should therefore be closed?

    The reason it's probably flagging port 80 is that port 80 is used by a server to listen for incoming HTTP traffic, but otherwise isn't necessary for accessing a web server from a private machine (any open port will do - if you run a network monitor like MS' Network Monitor 3.2, you'll see your system using all manner of ports to send out HTTP requests and get the results back).
     
  12. Baserk

    Baserk Notebook user

    That's not my post Meatloaf13;

     
  13. Meetloaf13

    Meetloaf13 fear the MONKEY!!!

    Ahh, sorry baserk, didn't mean to be testy. I was on the phone with a customer service rep that was giving me the shaft. =\

    I see that Mr_Peter decided to change his statement.

    Thanks for the help guys.
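
The thread concludes that the scanner labels an open port from its number alone. As an added example (not part of any post above, and not NetTools' own code), this Python contrasts that table lookup with asking the listener what it actually is. The loopback server, its `RouterAdmin/1.0` banner and the function names are constructed for the demonstration.

```python
import http.server, socket, threading

# Labels the thread reports the scanner attaching to open ports, by number only.
PORT_LABELS = {80: "Trojan", 139: "Trojan", 445: "NIMDA"}

def label_by_number(port):
    """Number-only scan result: a table lookup, no traffic inspected."""
    return PORT_LABELS.get(port, "unlisted")

def identify(host, port, timeout=2.0):
    """Connect, send an HTTP HEAD request, and report what actually answers."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return {"open": False, "service": None, "server": None}
    data = b""
    with s:
        try:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while b"\r\n\r\n" not in data and len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # open but silent or reset: the listener does not speak HTTP
    if not data.startswith(b"HTTP/"):
        return {"open": True, "service": "unidentified", "server": None}
    server = None
    for line in data.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            server = value.strip().decode("latin-1")
    return {"open": True, "service": "http", "server": server}

def demo():
    """Constructed stand-in for a router admin page (ephemeral port, not 80)."""
    class Admin(http.server.BaseHTTPRequestHandler):
        server_version, sys_version = "RouterAdmin/1.0", ""  # constructed banner
        def do_HEAD(self):
            self.send_response(200); self.end_headers()
        def log_message(self, *args):
            pass
    srv = http.server.HTTPServer(("127.0.0.1", 0), Admin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return label_by_number(80), identify("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown(); srv.server_close()
```

`demo()` returns the number-only label next to the identified service, so the same listener shows up as "Trojan" in one column and as an HTTP admin page in the other.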