PID 4 listening on Port 80 or Port 12345

It was interesting during one of our Vulnerability Scanning. There are lots of machines listening on port 12345, and it does has lots of connection on it. Also, PID is 4, which is system process or service.

Same thing also found on http port 80. Here are netstat command outputs.

Symptoms

C:\Windows\system32>netstat -tabno | find ":80"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    10.20.153.50:55183     12.23.1.11:80          ESTABLISHED     4848
  TCP    10.20.153.50:56844     12.21.2.153:8014       ESTABLISHED     4848
  TCP    10.20.153.50:56916     12.21.2.153:8014       ESTABLISHED     4360
  TCP    10.20.153.50:65423     12.23.1.11:80          ESTABLISHED     4360
  TCP    [::]:80                [::]:0                 LISTENING       4

C:\Windows\system32>netstat -tabno | find ":12345"
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       4
  TCP    10.20.153.50:12345     12.21.2.77:38782       TIME_WAIT       0
  TCP    [::]:12345             [::]:0                 LISTENING       4
  TCP    [::1]:12345            [::1]:57035            ESTABLISHED     4
  TCP    [::1]:12345            [::1]:60795            ESTABLISHED     4
  TCP    [::1]:12345            [::1]:63369            ESTABLISHED     4
  TCP    [::1]:57035            [::1]:12345            ESTABLISHED     8760
  TCP    [::1]:60795            [::1]:12345            ESTABLISHED     11252
  TCP    [::1]:63369            [::1]:12345            ESTABLISHED     14776

One thing I tried is to use browser to connect to it and see what it is. IE would connect if you browse to that IP on port 12345 or 80. 

If you check the HTTP.sys  logs (in C:\Windows\System32\LogFiles\HTTPERR) you will see something like this:

#Software: Microsoft HTTP API 2.0

#Version: 1.0

#Date: 2019-03-06 22:38:58

#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename

2019-03-06 22:38:57 12.21.2.77 60037 10.10.80.109 12345 HTTP/1.1 GET /phpticket/ 400 - Hostname -

2019-03-06 22:38:57 17.21.2.77 60039 10.10.80.109 12345 HTTP/1.1 GET /cgi-bin/gm/ 400 - Hostname -

2019-03-06 22:38:58 12.21.2.77 60048 10.10.80.109 12345 HTTP/1.1 GET /cgi-bin/phpticket/ 400 - Hostname -

2019-03-06 22:38:58 12.21.2.77 60050 10.10.80.109 12345 HTTP/1.1 GET /cgi/gm/ 400 - Hostname -

2019-03-06 22:38:58 12.21.2.77 60062 10.10.80.109 12345 HTTP/1.1 GET /php/phpticket/ 400 - Hostname -

2019-03-06 22:38:58 12.21.2.77 60064 10.10.80.109 12345 HTTP/1.1 GET /cgi-bin/greymatter/ 400 - Hostname -

Fix Solutions

After a google research, I found there are many services in windows 7 or windows 10 system, which can listen port 80. Basically, you need to disable the HTTP.sys driver which is started on demand by another service, such as Windows Remote Management or Print Spooler on Windows 7 or 2008.

Luckily you can detect and stop them all running simple console command:

NET stop HTTP

When you'll start it, you will get list first: 

To avoid this problem in future go to Local Services and disable listed services.

N.B. - Some services will restart themselves immediately, just run 'NET stop HTTP' few times.

Other Solutions

There are a couple of other ways to disable this service or fix it :

1. Registry change

• Launch RegEdit.
• Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP
• Change the value of "start" to 4, which means disabled.
• Reboot your computer.

2. Change the binded IP address for HTTP.SYS

netsh http add iplisten ipaddress=::

http://www.mikeplate.com/2011/11/06/stop-http-sys-from-listening-on-port-80-in-windows/

References

• PID:4 using Port 80
• Port 80 is being used by SYSTEM (PID 4), what is that?