Port scan from Apache?
Julian Elischer
julian at elischer.org
Tue Jul 18 16:39:08 UTC 2006
Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so
> I started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as
> to why that computer was subject to the alleged port scans. Searching
> in logs and crontab entries did not reveal the domain name or IP
> address of the machine except for my web mailer. It seems that someone
> from the company's network is accessing the web mailer in 10-15 minute
> intervals which is absolutely believable since one of my users works
> for the company and checks his mail via the web mailer. The strange
> part is that the company rep said these scans started some time on
> Sunday, while my user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for
> such intrusion detection / prevention mechanisms and the log he
> provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1).
> Occurred 1 times.
Some of their clients accessed your machine a few times and had
sequential port numbers on their side... then NetScreen got confused
(probably).
To be on the safe side, run snort on your outside interface for a while.
>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are
> bound to Apache's httpd so they shouldn't be available to other
> processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for
> a rather tight permitting ruleset that (of course) allows
> communication to/from port 80/443 on my machine but not to the
> destination port 8254. If the firewall prohibits access to a remote
> port 8254, processes on my side shouldn't be able to initiate a
> connection to that port. If there is a connection to that port, it had
> to be established earlier by the remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code, I
> especially looked for PHP (and similar) files belonging to freely
> available port scanners etc.; everything seems to be alright. While I
> was investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
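An added illustration of the false-positive mechanism Julian describes, not code from the thread: a client opening several connections from consecutive ephemeral ports gets SYN/ACK replies from the server's port 80 to a run of sequential ports, which a flag-blind counter reads as a scan, whereas a direction-aware counter only credits SYNs the server itself sends. The tcpdump-style lines and addresses (192.0.2.10 as the web server, 10.0.0.2 as the company's client) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style capture (not real data): a browser behind the
# company's firewall opens four connections to the web server from
# consecutive ephemeral ports; the server only ever answers with SYN/ACK.
SAMPLE_REPLIES = """\
12:00:01 IP 10.0.0.2.51001 > 192.0.2.10.80: Flags [S]
12:00:01 IP 192.0.2.10.80 > 10.0.0.2.51001: Flags [S.]
12:00:02 IP 10.0.0.2.51002 > 192.0.2.10.80: Flags [S]
12:00:02 IP 192.0.2.10.80 > 10.0.0.2.51002: Flags [S.]
12:00:03 IP 10.0.0.2.51003 > 192.0.2.10.80: Flags [S]
12:00:03 IP 192.0.2.10.80 > 10.0.0.2.51003: Flags [S.]
12:00:04 IP 10.0.0.2.51004 > 192.0.2.10.80: Flags [S]
12:00:04 IP 192.0.2.10.80 > 10.0.0.2.51004: Flags [S.]
"""

# Constructed contrast case: the server itself sends a bare SYN, i.e. a
# connection it initiated, which is what a real outbound scan looks like.
SAMPLE_OUTBOUND = "12:05:00 IP 192.0.2.10.80 > 10.0.0.2.8254: Flags [S]\n"

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(text):
    """Yield (src, sport, dst, dport, flags) from tcpdump-style text lines."""
    for m in LINE.finditer(text):
        src, sport, dst, dport, flags = m.groups()
        yield src, int(sport), dst, int(dport), flags

def naive_port_count(text, server):
    """Distinct destination ports per remote host seen from `server`,
    ignoring TCP flags: the kind of heuristic that mistakes replies for a scan."""
    ports = defaultdict(set)
    for src, _sport, dst, dport, _flags in parse(text):
        if src == server:
            ports[dst].add(dport)
    return {host: len(p) for host, p in ports.items()}

def initiated_port_count(text, server):
    """Same count, but only for packets `server` initiates: a SYN without
    ACK ("S" but no "." in tcpdump's flag notation). SYN/ACK replies are
    answers to handshakes the remote side started and are not counted."""
    ports = defaultdict(set)
    for src, _sport, dst, dport, flags in parse(text):
        if src == server and "S" in flags and "." not in flags:
            ports[dst].add(dport)
    return {host: len(p) for host, p in ports.items()}
```

Running both counters over the same capture shows why Julian suggests watching the outside interface with snort: the flag-aware view distinguishes a burst of replies from a connection the server actually opened.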