Date: Tue, 18 Jul 2006 11:36:07 -0500
From: Nigel Houghton <nigel@sourcefire.com>
To: Clemens Renner <claim@rinux.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <20060718163606.GI3238@sourcefire.com>
In-Reply-To: <44BD0846.6060405@rinux.net>
References: <44BD0846.6060405@rinux.net>
On 0, Clemens Renner <claim@rinux.net> wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so I
> started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as to
> why that computer was subject to the alleged port scans. Searching in
> logs and crontab entries did not reveal the domain name or IP address of
> the machine except for my web mailer. It seems that someone from the
> company's network is accessing the web mailer in 10-15 minute intervals,
> which is absolutely believable since one of my users works for the
> company and checks his mail via the web mailer. The strange part is that
> the company rep said these scans started some time on Sunday, while my
> user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for such
> intrusion detection / prevention mechanisms and the log he provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
> 1 times.
>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are bound
> to Apache's httpd so they shouldn't be available to other processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for a
> rather tight permitting ruleset that (of course) allows communication
> to/from port 80/443 on my machine but not to the destination port 8254.
> If the firewall prohibits access to a remote port 8254, processes on my
> side shouldn't be able to initiate a connection to that port. If there
> is a connection to that port, it had to be established earlier by the
> remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code; I especially
> looked for PHP (and similar) files belonging to freely available port
> scanners etc.; everything seems to be alright. While I was
> investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens

Ask them for a packet capture of the incident(s). It may well be that they
have a false positive case on their hands. Portscan detection is very much
prone to false positives; many things can appear to be portscans when they
really aren't. A log message like the one they gave you is nowhere near
enough information to determine if the attempt was a real portscan or not.

+--------------------------------------------------------------------+
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

There is no theory of evolution, just a list of creatures Vin Diesel
allows to live.
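As an added example (not part of this thread and not NetScreen's or Sourcefire's code), the following script parses the "Port scan!" alert format quoted above and applies a triage heuristic of my own: a single TCP packet from a service port (80/443, the ports Clemens says are bound to Apache) to an ephemeral destination port is what a late or out-of-state reply to a web session looks like, so it is flagged as a likely false positive that warrants the packet capture Nigel asks for. The sample line uses constructed RFC 5737 addresses in place of the thread's placeholders.

```python
import re
from dataclasses import dataclass

# Regex built from the single NetScreen system-alert-00016 line quoted in the
# thread; other NetScreen alert layouts are not handled.
ALERT_RE = re.compile(
    r"system-alert-(?P<id>\d+): Port scan! From (?P<src>[\d.]+):(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+):(?P<dport>\d+), proto (?P<proto>\w+) "
    r"\(zone (?P<zone>\w+), int (?P<iface>\w+)\)\. Occurred (?P<count>\d+) times\."
)

SERVICE_PORTS = {80, 443}   # ports the questioner says are bound to Apache
EPHEMERAL_MIN = 1024        # assumption: anything above the well-known range is a client port


@dataclass
class ScanAlert:
    alert_id: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    zone: str
    iface: str
    count: int


def parse_alert(line: str) -> ScanAlert:
    """Extract the fields of one NetScreen port-scan alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError(f"not a NetScreen port-scan alert: {line!r}")
    g = m.groupdict()
    return ScanAlert(g["id"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                     g["proto"], g["zone"], g["iface"], int(g["count"]))


def triage(alert: ScanAlert) -> str:
    """Heuristic (mine, not NetScreen's): one TCP packet from a service port to an
    ephemeral port is consistent with reply traffic to a connection the 'scanned'
    host opened itself, so request a pcap before treating it as a scan."""
    if (alert.proto == "TCP" and alert.sport in SERVICE_PORTS
            and alert.dport >= EPHEMERAL_MIN and alert.count == 1):
        return "likely-false-positive"
    return "needs-investigation"


# Constructed sample: the thread's log line with documentation addresses substituted.
SAMPLE = ("[Root]system-alert-00016: Port scan! From 192.0.2.10:80 to "
          "198.51.100.5:8254, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.")

if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(alert, triage(alert))
```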