Port scan from Apache?

Nigel Houghton nigel at sourcefire.com
Tue Jul 18 16:36:14 UTC 2006


On  0, Clemens Renner <claim at rinux.net> wrote:
> Hi everyone,
> 
> today I got an e-mail from a company claiming that my server is doing 
> port scans on their firewall machine. I found that hard to believe so I 
> started checking the box.
> 
> The company rep told me that the scan was originating at port 80 with 
> destination port 8254 on their machine. I couldn't find any hints as to 
> why that computer was subject to the alleged port scans. Searching in 
> logs and crontab entries did not reveal the domain name or IP address of 
> the machine except for my web mailer. It seems that someone from the 
> company's network is accessing the web mailer in 10-15 minute intervals 
> which is absolutely believable since one of my users works for the 
> company and checks his mail via the web mailer. The strange part is that 
> the company rep said these scans started some time on Sunday, while my 
> user definitely was not using the company's hardware.
> 
> Apparently, the company uses NetScreen hardware and/or software for such 
> intrusion detection / prevention mechanisms and the log he provided read:
> 
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to 
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred 
> 1 times.
> 
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are bound 
> to Apache's httpd so they shouldn't be available to other processes, right?
> 
> 2. I'm using ipfw as a firewall where everything is denied except for a 
> rather tight permitting ruleset that (of course) allows communication 
> to/from port 80/443 on my machine but not to the destination port 8254. 
> If the firewall prohibits access to a remote port 8254, processes on my 
> side shouldn't be able to initiate a connection to that port. If there 
> is a connection to that port, it had to be established earlier by the 
> remote machine. Am I correct?
> 
> 3. Does anyone know when the NetScreen hardware / software labels 
> something "port scan"?
> 
> As far as I can tell, the server is free of malicious code, I especially 
> looked for PHP (and similar) files belonging to freely available port 
> scanners etc.; everything seems to be alright. While I was 
> investigating, no one but me was logged in.
> 
> Any help is greatly appreciated!
> Clemens

Ask them for a packet capture of the incident(s). It may well be that
they have a false positive case on their hands. Portscan detection is
very much prone to false positives; many things can appear to be
portscans when they really aren't.

A log message like the one they gave you is nowhere near enough
information to determine if the attempt was a real portscan or not.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
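As an added illustration (not part of this thread and not NetScreen's own detection logic), the script below parses alert lines in the format quoted above and applies a simple triage heuristic: events whose source port is one the host actually serves (80/443 here) and whose destination ports all look ephemeral are flagged as a probable false positive (a stale reply to a client connection), while a source that touches many distinct destination ports is flagged as a probable scan. The thresholds, the served-port set, and the sample log lines other than the one quoted in the thread are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Field layout is taken from the single alert line quoted in the thread;
# other NetScreen message formats are not handled.
ALERT_RE = re.compile(
    r"system-alert-(?P<id>\d+): Port scan! From (?P<src>[\w.$-]+):(?P<sport>\d+) "
    r"to (?P<dst>[\w.$-]+):(?P<dport>\d+), proto (?P<proto>\w+)"
    r".*?Occurred (?P<count>\d+) times"
)

# Constructed sample log: the first line is the one from the thread (placeholder
# addresses kept as-is); the rest are invented lines using documentation IPs.
SAMPLE_LOG = [
    "[Root]system-alert-00016: Port scan! From $my-server-ip:80 to "
    "$their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.7:41234 to 198.51.100.5:22, "
    "proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.7:41235 to 198.51.100.5:23, "
    "proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.7:41236 to 198.51.100.5:25, "
    "proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.7:41237 to 198.51.100.5:80, "
    "proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.7:41238 to 198.51.100.5:443, "
    "proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.7:41239 to 198.51.100.5:8080, "
    "proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "some unrelated log line that should be ignored",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a port-scan alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "count"):
        fields[key] = int(fields[key])
    return fields


def triage(alerts, served_ports=frozenset({80, 443}), scan_threshold=5):
    """Group alerts by source host and classify the pattern.

    Heuristic (an assumption for this example, not a vendor rule):
      - every source port is a served port and every destination port is
        ephemeral (>= 1024) and only a few ports were touched  -> likely-false-positive
        (consistent with a server's late reply to a client connection)
      - at least scan_threshold distinct destination ports        -> likely-scan
      - anything else                                             -> inconclusive
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    verdicts = {}
    for src, items in by_src.items():
        dports = {a["dport"] for a in items}
        sports = {a["sport"] for a in items}
        total_events = sum(a["count"] for a in items)
        if (sports <= served_ports
                and all(p >= 1024 for p in dports)
                and len(dports) < scan_threshold):
            verdict = "likely-false-positive"
        elif len(dports) >= scan_threshold:
            verdict = "likely-scan"
        else:
            verdict = "inconclusive"
        verdicts[src] = {
            "verdict": verdict,
            "distinct_dports": len(dports),
            "source_ports": sorted(sports),
            "events": total_events,
        }
    return verdicts


def run_sample():
    """Parse the constructed sample log and return the per-source verdicts."""
    alerts = [a for a in map(parse_alert, SAMPLE_LOG) if a is not None]
    return triage(alerts)


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"{src}: {info['verdict']} "
              f"(dports={info['distinct_dports']}, sports={info['source_ports']})")
```

A verdict from a script like this is a prioritisation aid only; as the reply says, the packet capture is what actually settles whether the packets were SYNs (a probe) or late ACK/FIN/RST segments from an existing web session.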
