Port scan from Apache?
Nigel Houghton
nigel at sourcefire.com
Tue Jul 18 16:36:14 UTC 2006
On 0, Clemens Renner <claim at rinux.net> wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so I
> started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as to
> why that computer was subject to the alleged port scans. Searching in
> logs and crontab entries did not reveal the domain name or IP address of
> the machine except for my web mailer. It seems that someone from the
> company's network is accessing the web mailer in 10-15 minute intervals
> which is absolutely believable since one of my users works for the
> company and checks his mail via the web mailer. The strange part is that
> the company rep said these scans started some time on Sunday, while my
> user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for such
> intrusion detection / prevention mechanisms and the log he provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
> 1 times.
>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are bound
> to Apache's httpd so they shouldn't be available to other processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for a
> rather tight permitting ruleset that (of course) allows communication
> to/from port 80/443 on my machine but not to the destination port 8254.
> If the firewall prohibits access to a remote port 8254, processes on my
> side shouldn't be able to initiate a connection to that port. If there
> is a connection to that port, it had to be established earlier by the
> remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code, I especially
> looked for PHP (and similar) files belonging to freely available port
> scanners etc.; everything seems to be alright. While I was
> investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens
Ask them for a packet capture of the incident(s). It may well be that
they have a false positive case on their hands. Portscan detection is
very much prone to false positives, many things can appear to be
portscans when they really aren't.
A log message like the one they gave you is nowhere near enough
information to determine if the attempt was a real portscan or not.
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
There is no theory of evolution, just a list
of creatures Vin Diesel allows to live.
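Nigel's advice to work from a packet capture rather than the one-line NetScreen alert can be turned into a small triage check. The following is an added example, not code from the thread or from Sourcefire: it parses constructed tcpdump-style lines (the addresses 192.0.2.10 and 198.51.100.5 stand in for $my-server-ip and $their-server-ip) and, for every flow leaving port 80, decides whether the server actually opened a connection (a bare SYN from port 80, which is what Clemens's question 1 worries about), whether the packets are replies to a client-initiated HTTP session (including a late FIN or RST sent after the client side's firewall has already dropped its state, which is a classic port-scan false positive), or whether the capture is too short to say.

```python
import re
from collections import defaultdict
# Constructed tcpdump-style lines (not from the thread) standing in for the capture
# the company could supply: one normal web session, a stray RST, and a real SYN.
SAMPLE_CAPTURE = """\
15:02:11.100 IP 198.51.100.5.8254 > 192.0.2.10.80: Flags [S], seq 100, win 65535, length 0
15:02:11.101 IP 192.0.2.10.80 > 198.51.100.5.8254: Flags [S.], seq 200, ack 101, win 65535, length 0
15:02:11.150 IP 198.51.100.5.8254 > 192.0.2.10.80: Flags [P.], seq 101:400, ack 201, win 65535, length 299
15:02:11.400 IP 192.0.2.10.80 > 198.51.100.5.8254: Flags [P.], seq 201:1700, ack 400, win 65535, length 1499
15:03:41.900 IP 192.0.2.10.80 > 198.51.100.5.8254: Flags [F.], seq 1700, ack 400, win 65535, length 0
15:05:02.300 IP 192.0.2.10.80 > 198.51.100.5.9001: Flags [R], seq 5, win 0, length 0
15:05:02.301 IP 192.0.2.10.80 > 198.51.100.5.9002: Flags [S], seq 1, win 65535, length 0
"""

LINE_RE = re.compile(r"^\S+ IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\]")

def parse_capture(text):
    """Return dicts with source/destination address, integer ports and the tcpdump flag string."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def triage(pkts, server_ip, server_port=80):
    """Classify each flow leaving server_ip:server_port.
    'server-initiated': a bare SYN from port 80, i.e. a process on the server really connected out.
    'reply': the peer sent the SYN to port 80 first, so even a late FIN/RST is just HTTP traffic.
    'unmatched': no handshake in the capture, so ask for a longer capture before deciding."""
    clients = {(p["sip"], p["sport"]) for p in pkts
               if p["dip"] == server_ip and p["dport"] == server_port and p["flags"] == "S"}
    flows = defaultdict(list)
    for p in pkts:
        if p["sip"] == server_ip and p["sport"] == server_port:
            flows[(p["dip"], p["dport"])].append(p["flags"])
    verdict = {}
    for flow, flags in flows.items():
        if "S" in flags:                 # exact "S": SYN without ACK
            verdict[flow] = "server-initiated"
        elif flow in clients:
            verdict[flow] = "reply"
        else:
            verdict[flow] = "unmatched"
    return verdict
```

On the sample, the 8254 flow that the alert named is a plain reply, while only the 9002 flow would actually support the company's claim.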