Merlin RT-AC86U 384.16 - Port Scan Shows TCP 80 ---> OPEN

cousinit99

Can anyone else confirm or corroborate this for me, please? I've run a port scan from multiple sites and all show port 80 as being open, despite all the usual suspects being tamped down. External UI access is disabled, insecure http LAN access disabled, port forwarding disabled, UPNP disabled, AICloud 2.0 disabled, no ports for any services configured for port 80 (even if they're disabled), and the Router Security Assessment is green across the board. I show the same anomaly on a second router as well, which is a RT-AC68U.

When I take one of the routers temporarily offline, the port scan shows that the port is no longer open because the host is no longer available to be scanned. This automatically rules out ISP equipment or involvement. The routers, themselves, have a port open on TCP 80, despite all UI configurations to the contrary. The port should not be open, or even reported closed. It should be stealth.

Based on my testing, versions 384.14_2 and 384.15 are also affected.

Fiddler returns "ReadResponse() failed: The server did not return a complete response for this request. Server returned 0 bytes" when attempting to connect to it, which to me means there is a service running and exposed to some degree.

This is highly concerning to me. Can I possibly get some corroboration, please? Is this a known issue already?
 
This may be caused by your ISP blocking incoming connections for port 80, or your router not having a public IP address so you're hitting one of your ISP's servers instead.

Does your router WAN IP address shown on Network Map match that shown by canyouseeme.org?
 
I'm not sure what you're getting at. Both routers have a public IP address and are geographically dislocated with different ISPs. I'm not sure you're understanding the nature of my concern here.

When I take one of the routers temporarily offline, the port scan shows that the port is no longer open because the host is no longer available to be scanned. This automatically rules out ISP equipment or involvement. The routers, themselves, have a port open on TCP 80, despite all UI configurations to the contrary. The port should not be open, or even reported closed. It should be stealth.
 
Yes I misunderstood you. I thought both routers were at the same location and the "multiple sites" referred to the source of the test connection.
 
You have an RT-AC68U, correct? Do you show TCP 80 being open on your router?
Port 80 has never shown as open for my router. But I'm not running the same firmware as you so that's not a valid comparison. You are correct in that port 80 should not be open (unless done deliberately). That's a pretty fundamental part of the router's design. It's possible some sort of bug has crept into the recent releases but people running those versions would have to test that.
 
I face-palmed myself just now after noticing your firmware version. Ok, thanks.
 
ssh into your router and issue the following command. It might give us a clue as to what's happening.
Code:
netstat -nlp | grep ":80"
Code:
admin@RT-AC68U:/# netstat -nlp | grep ":80"
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN      654/httpd
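
An added example, not part of any post in this thread: the netstat line above shows httpd bound to 192.168.1.1:80, so it accepts only connections addressed to the LAN IP, whereas a listener bound to 0.0.0.0 or :: accepts on every interface (subject to the firewall). The function below sorts `netstat -nlp` output that way for one exact port; the function names, the `exampled` process name and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `netstat -nlp` output on stdin and
# reports, for one exact TCP port, which address each listener is bound to.
# Usage on the router:  netstat -nlp | classify_listeners 80 192.168.1.1
classify_listeners() {
    awk -v port="$1" -v lan="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Split "addr:port" at the last colon so ":::80" (IPv6 any) parses too.
            i = match($4, /:[0-9]+$/)
            if (i == 0) next
            addr = substr($4, 1, i - 1)
            p = substr($4, i + 1)
            # Exact port match: grep ":80" would also match :8080 or :8000.
            if (p != port) next
            if (addr == lan) scope = "lan-only"
            else if (addr == "127.0.0.1" || addr == "::1") scope = "loopback-only"
            else if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
            else scope = "other-address"
            print scope, $4, $7
        }'
}

# Constructed sample input: the first line is the listener quoted in the thread,
# the other two are made up to show the remaining cases.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN      654/httpd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      700/exampled
tcp        0      0 :::80                   :::*                    LISTEN      701/exampled
EOF
}

sample_netstat | classify_listeners 80 192.168.1.1
```

A `lan-only` result means an open port seen by an external scan is not coming from that listener; an `all-interfaces` or `other-address` result is the one to check against the firewall rules and any VPN or port-forward configuration.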
 
Are you running a VPN client on the router? If you are, you are scanning your provider's VPN server and not your local LAN.
 
If port 80 shows as being open, access it with a web browser to see who answers on it.

The port should not be open, or even reported closed. It should be stealth.

Some ISPs actively drop inbound connections on server ports like 80 or 25, which would cause these to show as closed instead of stealth.

Closed is just as secure as stealth, despite what these old sites like GRC may claim.
 
Thanks for the netstat command. I should know these things. Apparently there's a VPN server set up on both of these routers that I wasn't aware of. I've got some more digging to do. Thanks to all for the help.
 
