Re: Port 80 is shown open in port scan without any web server running

[Partha Chowdhury <partha@xxxxxx>]

On 30/03/11 14:20, Jan de Groot wrote:
> This is usually caused by a transparent proxy. When nmap hits port 80,
> it will get redirected to the proxy server. Try doing an nmap -sV and
> you'll see what software is running on the proxyserver.
While googling for ways of detecting transparent proxy the easy way :-D
i came across this page.

http://tracetcp.sourceforge.net/usage_proxy.html

So i searched for GNU/Linux equivalent, found tcptraceroute from 
http://www.gnutoolbox.com/tcptraceroute/ and compiled and installed it. 
By default it uses tcp syn packet.The observation:


> sudo tcptraceroute ftp.gnome.org http
> Selected device eth0, address 172.16.37.164, port 46375 for outgoing 
> packets
> Tracing the path to ftp.gnome.org (130.239.18.173) on TCP port 80 
> (http), 30 hops max
>  1  napoleon.acc.umu.se (130.239.18.173) [open]  1.497 ms  2.010 ms  
> 1.500 ms
When using ftp

> sudo tcptraceroute ftp.gnome.org ftp
> Selected device eth0, address 172.16.37.164, port 39535 for outgoing 
> packets
> Tracing the path to ftp.gnome.org (130.239.18.163) on TCP port 21 
> (ftp), 30 hops max
>  1  172.16.37.129  2.307 ms  1.670 ms  1.774 ms
>  2  172.16.0.10  1.753 ms  1.496 ms  1.911 ms
>  3  203.171.242.17  2.773 ms  3.245 ms  2.176 ms
>  4  203.171.240.17  7.490 ms * 2.747 ms
>  5  203.171.240.1  6.358 ms  3.978 ms  4.870 ms
>  6  121.242.217.2.static-kolkata.vsnl.net.in (121.242.217.2)  3.915 
> ms  5.216 ms  6.892 ms
>  7  121.242.217.9.static-kolkata.vsnl.net.in (121.242.217.9)  41.771 
> ms  44.380 ms  41.794 ms
>  8  172.25.75.21  40.032 ms  40.094 ms  40.066 ms
>  9  172.31.17.13  41.524 ms  41.697 ms  41.873 ms
> 10  172.31.1.85  41.924 ms  41.847 ms  42.406 ms
> 11  59.163.55.149.static.vsnl.net.in (59.163.55.149)  41.753 ms  
> 42.321 ms  44.446 ms
> 12  * * *
> 13  * Vlan704.icore1.LDN-London.as6453.net (80.231.130.10) 176.751 ms  
> 177.973 ms
> 14  ldn-b5-link.telia.net (213.248.74.1)  170.663 ms  173.935 ms  
> 169.595 ms
> 15  ldn-bb1-link.telia.net (80.91.246.144)  171.474 ms  172.571 ms  
> 171.357 ms
> 16  hbg-bb1-link.telia.net (80.91.254.216)  190.353 ms  190.802 ms  
> 190.443 ms
> 17  s-bb1-link.telia.net (213.155.130.6)  207.886 ms  206.998 ms  
> 207.052 ms
> 18  s-b3-link.telia.net (80.91.249.220)  207.677 ms  207.136 ms  
> 207.547 ms
> 19  nordunet-113055-s-b3.c.telia.net (213.248.97.18)  208.076 ms  
> 207.249 ms  207.663 ms
> 20  t1fre.sunet.se (109.105.102.10)  208.246 ms  207.353 ms  207.793 ms
> 21  * * *
> 22  * * *
> 23  * * *
> 24  tutankhamon.acc.umu.se (130.239.18.163) [open]  215.384 ms  
> 218.386 ms  220.146 ms
So does this confirm that I am behind a transparent proxy ?