Port scan from Apache?

Nash Nipples trashy_bumper at yahoo.com
Fri Jul 21 08:25:32 UTC 2006


Here Guys:

I believe that people who deployed NetScreen are quite sure in what they are doing, and a friendly notice should not sound like a complaint to you but instead become a solid ground to understanding what could go wrong. Of course, if they proudly told you that they ARE using the NetScreen. Peeking on log entries provided to you and announcing it in public doesn't make an electronic Robin Hood scene. Unless this is a... "Do you guys know how does the damn NetScreen detect port scans, really..?"

> 3. Does anyone know when the NetScreen hardware / software labels 
> something "port scan"?


Isn't that an indirect hit? I suggest you ask your question directly to the sender, dropping these sneaky habits in the freebsd-security list. That's what it is about.

Nash

"comm at rwx.ca" <comm at rwx.ca> wrote:

Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing 
> port scans on their firewall machine. I found that hard to believe so 
> I started checking the box.
>
> The company rep told me that the scan was originating at port 80 with 
> destination port 8254 on their machine. I couldn't find any hints as 
> to why that computer was subject to the alleged port scans. Searching 
> in logs and crontab entries did not reveal the domain name or IP 
> address of the machine except for my web mailer. It seems that someone 
> from the company's network is accessing the web mailer in 10-15 minute 
> intervals which is absolutely believable since one of my users works 
> for the company and checks his mail via the web mailer. The strange 
> part is that the company rep said these scans started some time on 
> Sunday, while my user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for 
> such intrusion detection / prevention mechanisms and the log he 
> provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to 
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). 
> Occurred 1 times.
>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are 
> bound to Apache's httpd so they shouldn't be available to other 
> processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for 
> a rather tight permitting ruleset that (of course) allows 
> communication to/from port 80/443 on my machine but not to the 
> destination port 8254. If the firewall prohibits access to a remote 
> port 8254, processes on my side shouldn't be able to initiate a 
> connection to that port. If there is a connection to that port, it had 
> to be established earlier by the remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels 
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code, I 
> especially looked for PHP (and similar) files belonging to freely 
> available port scanners etc.; everything seems to be alright. While I 
> was investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to 
> "freebsd-security-unsubscribe at freebsd.org"
>
We had a client that was being bombarded with a SYN flood on port 80, 
and of course enabling SYN cookies helped. However, all the IPs that 
were sending the SYN flood were spoofed, and we were getting complaints 
left, right and center of this customer DoSing or port scanning other 
customers. In the end, we just asked the complainant to provide more 
verbose logging of the incident.

-jt
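The pattern jt describes (spoofed-source SYN flood, so the server's SYN-ACK replies from port 80 land on third parties, whose firewalls log them as "port scans") is a common reason an abuse complaint like Clemens's turns out to be backscatter rather than an outbound scan. A reply packet from the local service port to some remote ephemeral port is exactly what a typical "allow from me port 80" rule permits, which is why a tight outbound ruleset does not rule it out. The triage script below is an added example, not code from any poster on this thread and not how NetScreen itself decides what to label a port scan (the thread never establishes that). It parses log lines in the NetScreen format quoted above (the sample lines and RFC 5737 addresses are constructed), groups them by source host, and flags the cases where the "scanner" is always a fixed service port talking to ephemeral ports, which is consistent with backscatter and should prompt exactly the request jt made: ask for the TCP flags and more verbose logs before treating it as a scan. The heuristic thresholds (service ports 80/443, ephemeral port boundary 1024) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the NetScreen format quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_ALERTS = [
    "[Root]system-alert-00016: Port scan! From 203.0.113.10:80 to "
    "198.51.100.7:8254, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.10:80 to "
    "198.51.100.7:41022, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.10:443 to "
    "198.51.100.7:50311, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.55:53120 to "
    "198.51.100.7:22, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.55:53121 to "
    "198.51.100.7:23, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "[Root]system-alert-00016: Port scan! From 203.0.113.55:53122 to "
    "198.51.100.7:3389, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
]

# Only the "From a:b to c:d, proto X" part of the line is needed for triage.
ALERT_RE = re.compile(
    r"From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+),"
    r" proto (?P<proto>\w+)"
)

# Assumed for this example: the service ports the complained-about host listens on,
# and the boundary below which a port is treated as a "well-known" service port.
SERVICE_PORTS = {80, 443}
EPHEMERAL_MIN = 1024


def parse_alert(line):
    """Return the 5-tuple fields of one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def parse_alerts(lines):
    """Parse every line that matches; silently skip lines in another format."""
    parsed = (parse_alert(line) for line in lines)
    return [a for a in parsed if a is not None]


def classify_sources(alerts):
    """Map each source IP to a triage verdict based on its port usage.

    service-reply-pattern: every packet comes *from* a local service port and
        goes *to* an ephemeral port. That is what a SYN-ACK to a spoofed SYN
        looks like, so it is consistent with backscatter rather than a scan.
    scan-pattern: ephemeral source ports hitting several distinct destination
        ports, i.e. the shape of connections actually initiated by the source.
    undetermined: too little or mixed evidence; ask for TCP flags / fuller logs.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    verdicts = {}
    for src, items in by_src.items():
        sports = {a["sport"] for a in items}
        dports = {a["dport"] for a in items}
        if sports <= SERVICE_PORTS and all(p >= EPHEMERAL_MIN for p in dports):
            verdicts[src] = "service-reply-pattern"
        elif all(p >= EPHEMERAL_MIN for p in sports) and len(dports) > 1:
            verdicts[src] = "scan-pattern"
        else:
            verdicts[src] = "undetermined"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src}: {verdict}")
```

Run against the constructed lines, the first host (always port 80 or 443 to high ports) is reported as a service-reply pattern and the second (climbing ephemeral source ports to 22, 23, 3389) as a scan pattern. The verdict is a prompt for the next question, not proof: the quoted NetScreen line carries no TCP flags, and only a SYN-ACK (rather than a SYN) from port 80 would confirm that the packets were replies to spoofed traffic.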
