Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.





Goto Port 79
Probe Port 80
Enter Port: 0-65535
Goto Port 81



Port Authority Database

Port 80

Name: 
http

Purpose: 
World Wide Web HTTP

Description: 
This is the primary port used by the world wide web (www) system. Web servers open this port then listen for incoming connections from web browsers. Similarly, when a web browser is given a remote address (like grc.com or amazon.com), it assumes that a remote web server will be listening for connections on port 80 at that location.

Related Ports: 
81, 82, 443, 8080, 8090




Background and Additional Information:

This port will generally be open only when a web server of some sort is running on the machine. However, as you can see from the extensive list of Trojan sightings below, there is no shortage of malicious software trying to inhabit this port. The widespread Code Red and Nimda worms are still alive, and are likely to survive out on the Internet for many more years. They continue searching for vulnerable systems into which they can reproduce wherever and whenever possible. Since they attempt to infect unpatched Microsoft web servers — even the "Personal Web Server" sometimes installed in end-user versions of Windows — Microsoft servers must always be patched and protected against worm infestation.

Due to the popularity of this port for malicious exploitation, it should never be open unless it is being actively and deliberately used to serve web pages. And then, any publicly accessible web servers must be proactively maintained and kept current with the latest security patches to keep them safe.

Many ISPs now block incoming traffic to this port before it reaches their customers. This is done for several reasons: The prevalence of malicious port 80 Trojans renders outside access to this port dangerous. Many Windows users are inadvertently running or have not patched and are not maintaining copies of Microsoft's web servers. As we know, active scanning by self-propagating worms is constantly attempting to locate and infect such servers. Additionally, the terms of service of many ISPs forbids end-users to offer web services to the Internet. Blocking incoming traffic to port 80 can be an enforcement of ISP policies as well as a significant boon to end-user security.

Poorly configured DSL and NAT routers sometimes expose their web-based configuration management interfaces to the Internet. If you are not running a local web server, and our tests show that port 80 is open on your machine, you will certainly want to determine what's going on. If you have a DSL or NAT router, be sure to check that its web interface is disabled on the "WAN" — wide area network (Internet) — side.

For information about secure web (https) connections, please see the Port Authority page for port 443.

The HTTP/1.1 RFC (the complete specification)

The specification of every nuance and detail of the current HTTP/1.1 protocol, as written by the people who invented it, may be found here:

  http://www.ietf.org/rfc/rfc2616.txt

  http://www.faqs.org/rfcs/rfc2616.html

Trojan Sightings: 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message 4 Creator, Hooker, IISworm, MTX, NCX, Noob, Ramen, Reverse WWW Tunnel Backdoor, RingZero, RTB 666, Seeker, WAN Remote, Web Server CT, WebDownloader

The entire contents of this page is copyright © 2008 by Gibson Research Corporation.


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page