beco73 (Programmer)
20 Nov 05 15:41
hi,

My port 80 was open and all of a sudden it is 'stealth' now. My ISP is not closing it, because I tried another computer and it is open there. I am using a W2k server. I tried both with the router and without, but it is closed on both. I ran a virus scan as well. All my websites are down now because of that.

Thanks
pansophic (MIS)
20 Nov 05 22:18
Is IIS running on the computer?  Did you recently install a software firewall?  If you run netstat, do you see IIS attached to port 80 on the computer?


pansophic

beco73 (Programmer)
21 Nov 05 9:29
Yes, IIS is running. No, I did not install any firewall. If I run netstat, this is what I get:

 Proto  Local Address          Foreign Address        State
 TCP    irfan-qqsqq665e:1035   irfan-qqsqq665e:1036   ESTABLISHED
 TCP    irfan-qqsqq665e:1036   irfan-qqsqq665e:1035   ESTABLISHED
 TCP    irfan-qqsqq665e:2842   cs4.msg.dcn.yahoo.com:5050  ESTABLISHED
 TCP    irfan-qqsqq665e:3274   ypn-js.overture.com:http  TIME_WAIT
 TCP    irfan-qqsqq665e:3290   65.61.167.158:http     TIME_WAIT
 TCP    irfan-qqsqq665e:3339   baym-cs268.msgr.hotmail.com:1863  ESTABLISHED
 TCP    irfan-qqsqq665e:3344   206.167.78.32:http     CLOSE_WAIT
 TCP    irfan-qqsqq665e:3345   206.167.78.32:http     CLOSE_WAIT
 TCP    irfan-qqsqq665e:3348   207.68.178.16:http     CLOSE_WAIT
 TCP    irfan-qqsqq665e:3349   207.68.178.16:http     CLOSE_WAIT
 TCP    irfan-qqsqq665e:3350   us.mcafee.com:http     TIME_WAIT
 TCP    irfan-qqsqq665e:3351   us.mcafee.com:http     TIME_WAIT
 TCP    irfan-qqsqq665e:3358   us.mcafee.com:http     TIME_WAIT
 TCP    irfan-qqsqq665e:3359   207.61.132.16:http     CLOSE_WAIT
 TCP    irfan-qqsqq665e:3361   216.200.68.15.d277.speedera.com:http  CLOSE_WAIT

 TCP    irfan-qqsqq665e:3362   us.mcafee.com:http     TIME_WAIT
 TCP    irfan-qqsqq665e:3364   us.mcafee.com:http     TIME_WAIT
pansophic (MIS)
21 Nov 05 10:00
There is no binding of IIS to port 80 on your machine.  You can see that all of your local ports are ephemeral ports (1025 - 65535).  You do have some browser connections in a TIME_WAIT state to other webservers though, like McAfee and Overture.

It appears to be something in your IIS configuration, since it is not binding to the IP stack.  I don't see any mail or FTP bindings from IIS either.  I didn't know that you could shut off the web functionality of IIS, but it appears that you can.

I assume that you have tried a hard boot?

Are any services that IIS uses not running now?

http://support.microsoft.com/default.aspx?scid=kb;en-us;164885&sd=tech
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2df6ff66-da04-4e7c-997d-8f7aa46af8c8.mspx


pansophic
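
Added example, not part of the original thread: on Windows, plain `netstat` lists active connections only, while `netstat -an` also lists LISTENING sockets with numeric ports. The Python sketch below parses `netstat -an` text and separates a local listener on port 80 from outbound connections to a remote port 80; the sample output, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3350      203.0.113.7:80         TIME_WAIT
  TCP    192.168.1.10:3339      198.51.100.4:1863      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One TCP row: local address:port, foreign address:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_tcp(text):
    """Return one dict per TCP row; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, lport, foreign, fport, state = m.groups()
            rows.append({"local": local, "lport": int(lport),
                         "foreign": foreign, "fport": int(fport),
                         "state": state})
    return rows


def port_report(text, port=80):
    """Say whether anything is bound to `port` locally, and count the
    outbound connections whose *remote* side is `port` (browser traffic)."""
    rows = parse_tcp(text)
    bound = [r["local"] for r in rows
             if r["state"] == "LISTENING" and r["lport"] == port]
    outbound = [r for r in rows
                if r["state"] != "LISTENING" and r["fport"] == port]
    return {"listening": bool(bound), "bound_to": bound,
            "outbound_to_port": len(outbound)}


if __name__ == "__main__":
    print(port_report(SAMPLE))
```

A row with port 80 in the Foreign Address column is this machine acting as a client; only a LISTENING row with port 80 in the Local Address column shows a web server bound to the stack.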

beco73 (Programmer)
21 Nov 05 13:12
If ports 25 and 80 are closed for some reason, do you think IIS should still bind to them, and should I see that when I run netstat?

If I go to 'Internet service information' I see IIS up and all the websites running. I disconnected it and connected back again.

I have rebooted my machine many times. I think that is what you meant by hard boot?

I have a partition on my hard drive; on the other partition I have XP Pro, which does not have IIS installed. Even there I get port 80 stealth. I don't know if that tells something?

I go to
http://www.grc.com/x/ne.dll?rh1dkyd2
to check the ports

Thanks
pansophic (MIS)
21 Nov 05 13:31
Netstat reports what is currently bound to the IP stack.  If IIS is running, and is configured to listen for HTTP requests, it should open port 80, even if a firewall is blocking the connection (I believe).

I am not IIS literate, I always run Apache under Linux, so I really can't help you with IIS, other than to tell you that nearly everything points to a configuration issue with IIS.  But generally it is not safe to query a program about its state as a reliable method of verification.  Programmers always take short cuts because it is hard to actually verify everything.  That is why I had you run netstat.  It doesn't know about applications, but it knows how to read the stack bindings.  No stack bindings, no communications.

A hard boot is actually powering the machine off, and powering it back on, vice rebooting it.  Memory is initialized when a hard boot is performed, it is not when a soft boot (reboot) is performed.  For most modern OSs there doesn't seem to be much of a difference.  In the old days, it would mean the difference between a program restarting and not.

The fact that you are getting 'stealth' at grc.com does mean something, and it is one pointer that indicates that the problem could be something other than IIS.  Normally when a port is closed the OS will respond with a NAK to a connection request.  With a firewall, you can have the request dropped, rather than responding with the NAK.  The dropped request is what grc calls a 'stealth' port.

Is it possible that someone restarted IIS and when McAfee asked if IIS should be able to talk to the net, they pushed the "Never" button?  I'm assuming that you have the McAfee firewall product installed.  It is where I would check next.  I'd also double check the firewall in the broadband router, just in case.

You should attempt to run ethereal on the IIS machine and see what is actually happening when requests come from the Internet.  Are the connection requests actually arriving at your host?  I suspect that the answer is yes, the packets are arriving, and that you are not responding with either a SYN/ACK (continue the connection process) or NAK (no connections allowed).


pansophic
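
Added example, not part of the original thread: a Python check for one TCP port on your own server that separates the three outcomes discussed above: a completed handshake (open), a TCP reset, which the post calls a NAK (closed), and no reply at all (what grc.com reports as 'stealth'). The function names and the `locate_fault` heuristic are assumptions of this example.

```python
import errno
import socket


def classify_port(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered' ('stealth')."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"                  # SYN/ACK came back, handshake completed
    except ConnectionRefusedError:
        return "closed"                # the host answered with a TCP reset
    except socket.timeout:
        return "filtered"              # no answer at all: the SYN was dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"          # a device on the path rejected the packet
        raise
    finally:
        sock.close()


def locate_fault(local, external):
    """Heuristic (assumption of this example): `local` is the result of a probe
    run on the server or its LAN, `external` the result from the Internet."""
    if local == "closed":
        return "no-listener"           # nothing is bound to the port on the host
    if local == "filtered":
        return "host-firewall"         # packets are dropped on the host itself
    if external == "open":
        return "ok"
    return "upstream"                  # service is up; router or ISP is in the way


if __name__ == "__main__":
    # Constructed demo on loopback: a throwaway listener, then the same port
    # after the listener has gone away.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    print(classify_port("127.0.0.1", demo_port))
    listener.close()
    print(classify_port("127.0.0.1", demo_port))
```

Running the probe once from the server itself and once from outside, then passing both results to `locate_fault`, separates the question of whether the service is bound to the port from the question of where the packets are being dropped.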

beco73 (Programmer)
21 Nov 05 17:14
thanks for your message

- I hard booted the machine
- uninstalled McAfee
still the same

I suspect it is something other than IIS. The fact that on XP Pro port 80 is also stealth, doesn't that mean it has nothing to do with IIS?

Also, I took the router out and connected straight using the ISP's PPPoE,
but still the same results.

Could it be some virus? I ran Norton 2005, which I have on XP; it picked up a few adware items that it could not delete:

D:\WINDOWS\system32\8d18p7ac.exe
D:\RECYCLER\S-1-5-21-583907252-1275210071-839522115-1003\Dd2.exe
 D:\RECYCLER\S-1-5-21-583907252-1275210071-839522115-1003\Dd3.exe is a Adware threat.
D:\WINDOWS\system32\rpdm3k83.dll


pansophic (MIS)
21 Nov 05 18:03
If it is the McAfee firewall that you uninstalled, there are problems with the uninstaller that will cause it to continue to operate, even when the program has been installed.  Do a google search on uninstalling McAfee for more help.

It is entirely possible that this has nothing to do with IIS because of the "stealth" port response.  That is nearly always firewall related.  Try reinstalling McAfee and disabling both the McAfee firewall and the SP2 firewall.  Stop and restart IIS with the firewalls down and see what happens.

It is also possible that it is a virus, but not one that I've ever heard of.  Usually the IIS virii are actually worms, escalating privileges and then using the machine as a zombie.


pansophic

beco73 (Programmer)
21 Nov 05 19:13
McAfee is completely gone. I don't know how to remove the SP2 firewall; I never made any changes to it....

I don't have McAfee on XP on the other partition, and there too port 80 is closed, which means it is caused by something other than McAfee.

I downloaded ethereal as you suggested. I am not sure how it works. Anyhow, I did this: option->capture->capture packets in promiscuous mode, and this is what I got after 30-some seconds:



0000 03 00 00 00 00 02 d0 c2 20 52 41 53 00 b4 03 02 ........ RAS....
0010 03 52 54 53 53 03 00 00 00 00 00 a8 00 01 00 00 .RTSS... ........
0020 00 0f 88 01 00 49 52 46 41 4e 2d 51 51 53 51 51 .....IRF AN-QQSQQ
0030 36 36 35 00 00 41 64 6d 69 6e 69 73 74 72 61 74 665..Adm inistrat
0040 6f 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 or...... ........
0050 00 00 00 00 00 00 00 00 00 d0 c2 20 52 41 53 d0 ........ ... RAS.
0060 c2 20 52 41 53 49 00 52 00 46 00 41 00 4e 00 2d . RASI.R .F.A.N.-
0070 00 51 00 51 00 53 00 51 00 51 00 36 00 36 00 35 .Q.Q.S.Q .Q.6.6.5
0080 00 45 00 00 00 41 00 64 00 6d 00 69 00 6e 00 69 .E...A.d .m.i.n.i
0090 00 73 00 74 00 72 00 61 00 74 00 6f 00 72 00 00 .s.t.r.a .t.o.r..
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00c0 00 00 00 00 00 .....
pansophic (MIS)
21 Nov 05 20:59
Did you attempt to connect in to your Web Server while the capture was running?  It doesn't appear so.  What you have is an SMB message, but no incoming attempts at Web services.  You'll want to attempt from internal and external hosts if at all possible.  You should see the internal requests regardless of any firewall configuration, but you may not see the externally (internet) attempted connections if the router is not properly configured.  Seems strange if it was working before.

The "stealth" response could be coming from your broadband firewall just as easily.  If your website(s) generate much traffic at all, there should be incoming attempts showing up in the ethereal log.  Since they aren't, have you checked the router to make sure that it is set up to reroute port 80 from its external address into your IIS machine?  I'm assuming that you are on a small, home-based network.

The SP2 firewall is available under network settings, right click on the network interface, select properties, click the advanced tab and press the settings button.  The firewall should be Off.

Ethereal will capture every packet that is on your network segment.  If you are running a switch, it will only capture data destined for the computer that you are running it on, and broadcast messages like the one that you posted.

You should be trying to capture a connection attempt to determine if the packets are actually getting to the web server.  If they are, you have a local host issue.  If they are not, the issue is up stream from you, like your router or ISP.

There appears to be some type of local host issue in any event, because if IIS were listening on port 80, it would have shown up in netstat, but work one problem at a time.  I'd work on the 'stealth' port 80 issue first because it is most likely to include a third party and may take some time to resolve.

Many ISPs block incoming port 80 unless you purchase 'business' connectivity.  They charge extra for this service.

After you figure out where port 80 is being 'stealthed' you can work on why IIS is not opening port 80.


pansophic
