A wild httpd server

So today I was doing some investigation to see how easily I could set up a gallery server for someone for use on the home LAN (sidenote: feel free to suggest your favourite alternative) using a WAMP server, and apache was moaning about port 80 already being in use. I move it to another port and it's fine.

That leaves the question of what the hell is on port 80. I look at http://localhost and it gives me a generic 404 error. This is odd because I don't recall setting up a server to always be running, although I do have a number of stray WAMPs from various little projects I've done in the past. While I like to know what's running on my computer and run it 'clean', I'd say I'm probably not above forgetting something. I'm not aware of any malicious activity, and a recent spybot scan didn't pick up anything, so I'm trying to identify what it is.

Some things I've found:
There's nothing in the process list that clearly identifies itself as a httpd server, there's no services (running or not) that identify as a httpd server that I'm aware of. Using Sysinternals TCPview, at the moment I request localhost I get an entry from "[System Process]". I can't access the server from another computer on the LAN, which gets a "can't find any server" error from the browser (and I'm on a NAT router, so I'm not overly concerned about external hax0rs on my PC stealing my megahurtz... yet).

Which flavor of Windows? Do the Sysinternals tools show you a listening port on 80? If it's listening only on 127.0.0.1:80, it'll be some kind of local utility, but if it's listening on 0.0.0.0:80, then it may be reachable from elsewhere.

Oh, even if it's 127.0.0.1:80, it could be some kind of evil proxy. Don't rule out evil just yet. Don't rule it in, either, we don't know enough.

Oh, and what does netstat -an tell you? Try -anb also, and see if you can determine what program owns port 80, if you see it open.

You can find the process ID of the server using netstat, then look up that process ID in task manager.

$ netstat -oan | findstr ":80"

Look under View > Select Columns if the Process ID column isn't showing.

I assume you've already checked the response headers to see if the server identifies itself there.

>netstat -oan | findstr ":80"

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
TCP    [::]:80                [::]:0                 LISTENING       4

Process ID 4 is System

The respective lines from -anb

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
       Can not obtain ownership information
TCP    [::]:80                [::]:0                 LISTENING
       Can not obtain ownership information

Server response:

$ wget -S localhost
--2012-05-31 18:43:52--  http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0
  Date: Thu, 31 May 2012 17:43:52 GMT
  Connection: close
  Content-Length: 315
2012-05-31 18:43:52 ERROR 404: Not Found.

More in a while. If I had to guess right now I'd say it's a mini-IIS installed along with a bit of VS Express Web-whateverit'scalled.
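The dead end above (owning PID 4, "Can not obtain ownership information", a Server: Microsoft-HTTPAPI/2.0 header) is the signature of a listener registered through the kernel-mode HTTP.sys driver rather than a socket opened by a user-mode program. The following PowerShell is an added example, not code from anyone in this thread: it maps a listening port to its owning PID the same way netstat -oan does, and when the owner is System it asks HTTP.sys via netsh for the request queues and the controller process IDs behind them, which is what Task Manager cannot show. The port number is a parameter; the regex assumes the English netstat column layout.

```powershell
# Added example: find who really owns a listening TCP port on Windows,
# including the HTTP.sys case where netstat only reports PID 4 (System).
param([int]$Port = 80)

# netstat -ano prints one line per socket; the last column is the owning PID.
# Matches both IPv4 (0.0.0.0:80) and IPv6 ([::]:80) listeners on $Port.
$pattern = "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$"
$owners = netstat -ano | ForEach-Object {
    if ($_ -match $pattern) { [int]$Matches[1] }
} | Sort-Object -Unique

if (-not $owners) {
    Write-Host "Nothing is listening on TCP port $Port."
    return
}

foreach ($ownerPid in $owners) {
    if ($ownerPid -eq 4) {
        # PID 4 is the System process: the socket belongs to kernel-mode
        # HTTP.sys, so the user-mode application is not the socket owner and
        # Task Manager / netstat -b cannot name it. HTTP.sys itself can:
        # each request queue lists its 'Controller process ID' and the
        # 'Registered URLs' (e.g. http://+:80/...) it serves.
        Write-Host "TCP $Port is held by System (PID 4): HTTP.sys listener."
        Write-Host "HTTP.sys request queues and their controller processes:"
        netsh http show servicestate view=requestq
    } else {
        # Ordinary case: a user-mode process owns the socket directly.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        if ($proc) {
            Write-Host ("TCP {0} is owned by PID {1}: {2} ({3})" -f `
                $Port, $ownerPid, $proc.ProcessName, $proc.Path)
        } else {
            Write-Host "TCP $Port is owned by PID $ownerPid (process has exited)."
        }
    }
}
```

Run it from an elevated prompt; netsh http queries need administrative rights, and the PIDs it prints are the ones to look up (and uninstall or disable) rather than PID 4.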

Scratched wrote:

More in a while. If I had to guess right now I'd say it's a mini-IIS installed along with a bit of VS Express Web-whateverit'scalled.

If it's running as part of system, that seems likely. It probably has a default document setup (usually "Default.asp, Default.aspx, Default.htm") but that file doesn't actually exist.

Found it:
IMAGE(http://i.imgur.com/dHchv.jpg)

After uninstall, no more listening on port 80. It is kind of curious the amount of various ports going around at any time on my computer. There's a bunch around the 49000-50000ish range that I suspect are a transparent proxy run by MSE.

Also after running around and uninstalling a bunch of stuff, it reminds me how messy and non-uniform all the MS setup wizards are. If they were to put their foot down and insist on forcing everyone into a package management system for Windows8 I would be perfectly happy with that, but I don't think their app store is the solution to that.

Scratched wrote:

If they were to put their foot down and insist on forcing everyone into a package management system for Windows8 I would be perfectly happy with that, but I don't think their app store is the solution to that.

I think that's essentially what the MSI system is intended to be, just without the "putting their foot down" part.

I guess I'm looking for something a step towards a linux package manager plus repositories. It's true they've got all the component parts, they just haven't put them together in a way that's good to use for whatever reason. In this day and age why can't I just subscribe to parts of a repository and it works everything out, dependencies, updating - it's all there but disjointed, and from an end-user perspective it's not 'clean'. With regard to my problem it's not quick and easy to track down what did what (I just uninstalled a bunch of random webdev stuff).

I know it's one of the downsides to an open system, so there's a weird middleground between distributing things online and also as though they were offline and standalone. Even for gaming it would be nice if a game could just 'request' the latest runtime and it just verifies it has the relevant version against the online db.

I suppose that's part of why I don't have confidence in the long term survivability of windows, among other reasons. Part of what triggered that rant was just having set up a laptop for someone in the last few days - why can't windows update just do its thing in one go?