Date: Fri, 21 Jul 2006 08:42:47 -0400
From: "Michael Scheidell" <scheidell@secnap.net>
To: "Clemens Renner" <claim@rinux.net>
Cc: freebsd-security@freebsd.org
Subject: RE: Port scan from Apache?
Message-ID: <B3BCAF4246A8A84983A80DAB50FE72424C6920@secnap2.secnap.com>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of comm@rwx.ca
> Sent: Friday, July 21, 2006 12:43 AM
> To: Clemens Renner
> Cc: freebsd-security@freebsd.org
> Subject: Re: Port scan from Apache?
>
>
> Clemens Renner wrote:
> > Hi everyone,
> >
> > today I got an e-mail from a company claiming that my server is doing
> > port scans on their firewall machine. I found that hard to believe so
> > I started checking the box.

Let me put my 2/c (CAD) into this, as a user of netscreens, the CTO of a Managed network security service.

The person who sent you the 'alert' might be wrong. We see "port scans" from web servers (incrementing source ports > 1024, destination port 80) and it is usually just noise, internet traffic, and the failure of his netscreen to properly close the connection.

Can you correlate the netscreen logs with times his users have accessed your web site? Do you have complaints from just this one person?

Send him a note telling him this is just normal internet traffic and that he should try to understand the three way TCP handshake, and what stateful firewalls do when they close their side of the TCP connection before you do.

If it happens A LOT, to lots of different networks, then, well, it is possible you have a worm; do a tcpdump on the traffic and look for it.

Another possibility is that your web site spawns many different http threads for each user connection (do you have a zillion thumbnail gifs? Each one could spawn a different tcp connection). Do you have an unusually high keep-alive? Is YOUR firewall closing (timing out) the tcp connection?

Mostly, if this was just one complaint, grep your web server logs for his user connecting, tell him this is just normal tcp traffic and go about your business from then on.
If he gets rude, blacklist him and/or send him a $50 lawyer letter and tell him to either drop dead or call his local FBI (or RCMP) office.
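The correlation Scheidell suggests (match the complainant's firewall alerts against your own web server access log, and only worry when the unexplained remainder spans many networks) can be scripted. The following is an added example for this thread, not code from any poster or from FreeBSD: the firewall alert format is a simplified one constructed here (real NetScreen syslog looks different), the Apache lines follow the Common Log Format, and all addresses, timestamps and the `OUR_SERVER` value are constructed sample data. It accepts port 80 on either end of the flow, since a firewall may log the late packet by its original session key or by the packet's own header.

```python
"""Triage "your server is port-scanning us" complaints by correlating the
complainant's firewall alerts with our own Apache access log.

Added example for the mailing-list thread above; not the poster's code.
Alert format (constructed for this example, not real NetScreen syslog):
    <ISO timestamp with offset> <src ip> <src port> <dst ip> <dst port>
Access log lines are Apache Common Log Format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- constructed sample data (documentation prefixes from RFC 5737) ------
OUR_SERVER = "203.0.113.10"   # the web server accused of "scanning"

FIREWALL_ALERTS = """\
2006-07-21T04:40:12-0400 203.0.113.10 80 198.51.100.7 49152
2006-07-21T04:40:13-0400 203.0.113.10 80 198.51.100.7 49153
2006-07-21T04:40:14-0400 203.0.113.10 80 198.51.100.7 49154
2006-07-21T05:10:00-0400 203.0.113.10 80 198.51.100.9 49200
2006-07-21T05:12:00-0400 203.0.113.10 45000 192.0.2.33 22
"""

ACCESS_LOG = """\
198.51.100.7 - - [21/Jul/2006:04:39:50 -0400] "GET /gallery.html HTTP/1.1" 200 5123
198.51.100.7 - - [21/Jul/2006:04:39:51 -0400] "GET /thumbs/a.gif HTTP/1.1" 200 812
198.51.100.7 - - [21/Jul/2006:04:39:51 -0400] "GET /thumbs/b.gif HTTP/1.1" 200 790
"""

# client ip, ident, user, [timestamp], "request", status, bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_access_log(text):
    """Return {client ip: [request times]} from Common Log Format lines."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF (noise, truncated writes)
        ip, ts = m.group(1), m.group(2)
        hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return hits


def parse_alerts(text):
    """Parse the constructed alert format into dicts with aware datetimes."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, sport, dst, dport = parts
        alerts.append({
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        })
    return alerts


def classify(alert, hits, our_server, window):
    """'web-session' if the flow looks like HTTP (port 80 on one end, an
    ephemeral port on the other) AND the peer fetched something from us
    shortly before the alert; otherwise 'unexplained'."""
    ports = {alert["sport"], alert["dport"]}
    looks_like_web = 80 in ports and max(ports) > 1024
    peer = alert["dst"] if alert["src"] == our_server else alert["src"]
    recent = [t for t in hits.get(peer, [])
              if alert["when"] - window <= t <= alert["when"]]
    if looks_like_web and recent:
        return "web-session", peer
    return "unexplained", peer


def triage(alert_text, access_text, our_server, window=timedelta(minutes=5)):
    """Bucket every alert; each entry is (time, peer, sport, dport)."""
    hits = parse_access_log(access_text)
    summary = {"web-session": [], "unexplained": []}
    for a in parse_alerts(alert_text):
        verdict, peer = classify(a, hits, our_server, window)
        summary[verdict].append((a["when"].isoformat(), peer, a["sport"], a["dport"]))
    return summary


def distinct_unexplained_networks(summary):
    """Scheidell's 'a lot, to lots of different networks' heuristic,
    approximated by counting distinct /24s among unexplained peers."""
    return len({peer.rsplit(".", 1)[0] for _, peer, _, _ in summary["unexplained"]})


if __name__ == "__main__":
    result = triage(FIREWALL_ALERTS, ACCESS_LOG, OUR_SERVER)
    for verdict, entries in result.items():
        print(f"{verdict}: {len(entries)}")
        for e in entries:
            print("   ", e)
    print("unexplained /24s:", distinct_unexplained_networks(result))
```

On the sample data the three alerts for 198.51.100.7 line up with that client's page-plus-thumbnail requests a few seconds earlier (the many-thumbnails case from the message) and are explained as web sessions; the alert for 198.51.100.9 has no matching request and the port-22 flow is not HTTP at all, so both stay unexplained and would be the ones to take to `tcpdump`. Run it against real logs by replacing the two constants with file contents and adjusting the alert parser to the complainant's actual format.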