Port scan from Apache?

Michael Scheidell scheidell at secnap.net
Fri Jul 21 12:42:49 UTC 2006

> -----Original Message-----
> From: owner-freebsd-security at freebsd.org 
> [mailto:owner-freebsd-security at freebsd.org] On Behalf Of comm at rwx.ca
> Sent: Friday, July 21, 2006 12:43 AM
> To: Clemens Renner
> Cc: freebsd-security at freebsd.org
> Subject: Re: Port scan from Apache?
> Clemens Renner wrote:
> > Hi everyone,
> >
> > today I got an e-mail from a company claiming that my server is doing
> > port scans on their firewall machine. I found that hard to believe so
> > I started checking the box.

Let me put my 2/c (CAD) into this, as a user of netscreens and the CTO of a
managed network security service.

The person who sent you the 'alert' might be wrong.

We see "port scans" from web servers (incrementing source ports > 1024,
destination port 80) and it is usually just noise, internet traffic, and
the failure of his netscreen to properly close the connection.

Can you correlate the netscreen logs with times his users have accessed
your web site?

Do you have complaints from just this one person? Send him a note
telling him this is just normal internet traffic and that he should try
to understand the three way TCP handshake, and what stateful firewalls
do when they close their side of the TCP connection before you do.

If it happens A LOT, to lots of different networks, then, well, it is
possible you have a worm, do a tcpdump on the traffic and look for it.

Another possibility is that your web site spawns many different http
threads for each user connection
(do you have a zillion thumbnail gifs? Each one could spawn a different
tcp connection).

Do you have an unusually high keep-alive?
Is YOUR firewall closing (timing out) the tcp connection?

Mostly, if this was just one complaint, grep your web server logs for
his user connecting, tell him this is just normal tcp traffic and go
about your business from then on.

If he gets rude, blacklist him and/or send him a $50 lawyer letter and
tell him to either drop dead or call his local FBI (or RCMP) office.
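As an added example that is not part of the post, a small Python script doing the correlation suggested above: it parses Apache common-log lines and firewall "port scan" alerts and, for each alert, checks whether the flagged host had a web session shortly before it. The log formats, addresses and timestamps are constructed, and both logs are assumed to carry UTC timestamps.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). The web server is
# assumed to sit at 192.0.2.10, which the complainant's firewall reports as
# the "scanner". Both logs are assumed to use UTC timestamps.
ACCESS_LOG = """\
203.0.113.7 - - [21/Jul/2006:00:40:12 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [21/Jul/2006:00:40:13 +0000] "GET /thumbs/a.gif HTTP/1.1" 200 812
203.0.113.7 - - [21/Jul/2006:00:40:13 +0000] "GET /thumbs/b.gif HTTP/1.1" 200 790
198.51.100.9 - - [21/Jul/2006:03:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120
"""
FIREWALL_LOG = """\
2006-07-21 00:40:45 alert: port scan from 192.0.2.10 to 203.0.113.7
2006-07-21 03:15:40 alert: port scan from 192.0.2.10 to 198.51.100.9
2006-07-21 09:02:00 alert: port scan from 192.0.2.10 to 203.0.113.50
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "([^"]*)" (\d{3})')
ALERT_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*from (\S+) to (\S+)')

def parse_access_log(text):
    """Return (timestamp, client_ip, request_line) per Apache common-log line."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            out.append((ts, m.group(1), m.group(3)))
    return out

def parse_firewall_log(text):
    """Return (timestamp, src_ip, dst_ip) per firewall 'port scan' alert line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return out

def correlate(access, alerts, window=timedelta(minutes=5)):
    """Count web requests from each alert's destination host within `window`
    before the alert: hits point to stale-session noise, misses deserve a tcpdump."""
    results = []
    for ts, src, dst in alerts:
        hits = [r for r in access if r[1] == dst and ts - window <= r[0] <= ts]
        results.append({"alert": ts, "host": dst, "matches": len(hits),
                        "verdict": "recent_web_session" if hits else "investigate"})
    return results
```

Run `correlate(parse_access_log(ACCESS_LOG), parse_firewall_log(FIREWALL_LOG))` against real logs by swapping in the complainant's alert export and your access_log; alerts with no matching session are the ones worth a packet capture.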
