Re: Port scan from Apache?

Board: FB_security, posted 19 years ago (2006/07/19 01:27), 0 upvotes
0 comments, 0 participants, post 3 of 16 in this thread
Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so
> I started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as
> to why that computer was subject to the alleged port scans. Searching
> in logs and crontab entries did not reveal the domain name or IP
> address of the machine except for my web mailer. It seems that someone
> from the company's network is accessing the web mailer in 10-15 minute
> intervals which is absolutely believable since one of my users works
> for the company and checks his mail via the web mailer. The strange
> part is that the company rep said these scans started some time on
> Sunday, while my user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for
> such intrusion detection / prevention mechanisms and the log he
> provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1).
> Occurred 1 times.

Some of their clients accessed your machine a few times and had sequential port numbers on their side, then NetScreen got confused (probably).

To be on the safe side, run snort on your outside interface for a while.

>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are
> bound to Apache's httpd so they shouldn't be available to other
> processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for
> a rather tight permitting ruleset that (of course) allows
> communication to/from port 80/443 on my machine but not to the
> destination port 8254. If the firewall prohibits access to a remote
> port 8254, processes on my side shouldn't be able to initiate a
> connection to that port. If there is a connection to that port, it had
> to be established earlier by the remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code, I
> especially looked for PHP (and similar) files belonging to freely
> available port scanners etc.; everything seems to be alright. While I
> was investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
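The reply above suggests two things to check: whether the "scan" is really just port-80 replies to a client that happened to pick sequential source ports, and what a capture on the outside interface shows. The following Python script is an added example (not code from the original thread or from NetScreen) that runs that check over tcpdump-style text. It parses a constructed sample capture (the addresses 198.51.100.5, 192.0.2.10 and 203.0.113.7 are documentation-range placeholders, not hosts from the post), splits packets leaving the web port into replies (SYN/ACK, meaning the peer opened the connection) and connections the server itself initiated (a bare SYN), and applies a simple distinct-destination-port threshold as an assumed stand-in for a firewall's port-scan counter. Counting every packet trips the counter on the web-mail client; counting only the SYNs the server sent leaves just the host the server really probes.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -n text format, written for this example; it is
# not a capture from the original poster's server. 198.51.100.5 stands in for
# the web server, 192.0.2.10 for a web-mail client whose OS hands out
# sequential source ports, and 203.0.113.7 for a host the server actually probes.
SAMPLE = """\
01:27:01.000001 IP 192.0.2.10.8251 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
01:27:01.000300 IP 198.51.100.5.80 > 192.0.2.10.8251: Flags [S.], seq 2, ack 2, win 65535, length 0
01:27:01.000600 IP 192.0.2.10.8252 > 198.51.100.5.80: Flags [S], seq 3, win 65535, length 0
01:27:01.000900 IP 198.51.100.5.80 > 192.0.2.10.8252: Flags [S.], seq 4, ack 4, win 65535, length 0
01:27:01.001200 IP 192.0.2.10.8253 > 198.51.100.5.80: Flags [S], seq 5, win 65535, length 0
01:27:01.001500 IP 198.51.100.5.80 > 192.0.2.10.8253: Flags [S.], seq 6, ack 6, win 65535, length 0
01:27:01.001800 IP 192.0.2.10.8254 > 198.51.100.5.80: Flags [S], seq 7, win 65535, length 0
01:27:01.002100 IP 198.51.100.5.80 > 192.0.2.10.8254: Flags [S.], seq 8, ack 8, win 65535, length 0
01:30:00.000000 IP 198.51.100.5.80 > 203.0.113.7.22: Flags [S], seq 9, win 1024, length 0
01:30:00.000100 IP 198.51.100.5.80 > 203.0.113.7.23: Flags [S], seq 10, win 1024, length 0
01:30:00.000200 IP 198.51.100.5.80 > 203.0.113.7.25: Flags [S], seq 11, win 1024, length 0
"""

# One tcpdump line: timestamp, "IP", src.sport > dst.dport: Flags [..]
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Yield (src, sport, dst, dport, flags) for every line that parses as a TCP packet."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def is_pure_syn(flags):
    """tcpdump prints SYN as 'S' and ACK as '.'; SYN without ACK is a connection
    attempt made by the sender, SYN/ACK ('S.') is a reply to the peer's attempt."""
    return "S" in flags and "." not in flags


def ports_from_web_port(text, our_ip, our_port=80, initiated_only=False):
    """Map each peer host to the set of its ports that our_ip:our_port sent packets to.
    With initiated_only=True, only bare SYNs count, i.e. connections we opened."""
    peers = defaultdict(set)
    for src, sport, dst, dport, flags in parse(text):
        if src != our_ip or sport != our_port:
            continue
        if initiated_only and not is_pure_syn(flags):
            continue  # a SYN/ACK is the normal reply to a client's own connection
        peers[dst].add(dport)
    return peers


def scan_alerts(text, our_ip, threshold=3, initiated_only=False):
    """Peer hosts that would trip a distinct-destination-port threshold. The
    threshold is an assumption for this example, not NetScreen's actual rule."""
    peers = ports_from_web_port(text, our_ip, initiated_only=initiated_only)
    return sorted(host for host, ports in peers.items() if len(ports) >= threshold)


if __name__ == "__main__":
    print("counting every packet from :80  ->", scan_alerts(SAMPLE, "198.51.100.5"))
    print("counting only SYNs we sent      ->", scan_alerts(SAMPLE, "198.51.100.5", initiated_only=True))
```

On the live box the same distinction can be made without the script: a capture limited to packets that leave port 80 with SYN set and ACK clear (tcpdump's `src port 80 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`) should stay empty on a server that only answers web requests; anything it shows was initiated locally and deserves the malware hunt the poster started.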
Article ID (AID): #14lHeG00 (FB_security)