From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 16:36:14 2006
Date: Tue, 18 Jul 2006 11:36:07 -0500
From: Nigel Houghton
To: Clemens Renner
Cc: freebsd-security@freebsd.org
Message-ID: <20060718163606.GI3238@sourcefire.com>
In-Reply-To: <44BD0846.6060405@rinux.net>
Subject: Re: Port scan from Apache?
On 0, Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so I
> started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as to
> why that computer was subject to the alleged port scans. Searching in
> logs and crontab entries did not reveal the domain name or IP address of
> the machine except for my web mailer. It seems that someone from the
> company's network is accessing the web mailer in 10-15 minute intervals,
> which is absolutely believable since one of my users works for the
> company and checks his mail via the web mailer. The strange part is that
> the company rep said these scans started some time on Sunday, while my
> user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for such
> intrusion detection / prevention mechanisms and the log he provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
> 1 times.
>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are bound
> to Apache's httpd so they shouldn't be available to other processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for a
> rather tight permitting ruleset that (of course) allows communication
> to/from port 80/443 on my machine but not to the destination port 8254.
> If the firewall prohibits access to a remote port 8254, processes on my
> side shouldn't be able to initiate a connection to that port. If there
> is a connection to that port, it had to be established earlier by the
> remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code; I especially
> looked for PHP (and similar) files belonging to freely available port
> scanners etc.; everything seems to be alright. While I was
> investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens

Ask them for a packet capture of the incident(s). It may well be that they
have a false positive case on their hands. Portscan detection is very much
prone to false positives; many things can appear to be portscans when they
really aren't. A log message like the one they gave you is nowhere near
enough information to determine if the attempt was a real portscan or not.

+--------------------------------------------------------------------+
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

There is no theory of evolution, just a list of creatures Vin Diesel
allows to live.
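As an added illustration, not part of the thread: Nigel's point that a bare alert line cannot distinguish a scan from a false positive, and Clemens's reasoning in question 2 that any such connection must have been opened by the remote side, together suggest what to look for once the packet capture arrives. The Python below models (as an assumption, not something the thread states) one common cause: a detector that has expired an idle webmail session flags the server's late FIN from port 80 as a "port scan", while cross-checking the alert against the full capture shows that the supposed target opened the flow. Addresses, timestamps and the 300-second idle timeout are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "t src sport dst dport flags")

# Constructed sample capture (RFC 5737 documentation addresses, not the
# thread's hosts): a client on the company network (ephemeral port 8254)
# uses the webmail on port 80; 15 minutes later the server closes the idle
# keep-alive connection with a FIN.
SERVER, CLIENT = "203.0.113.10", "198.51.100.20"
WEBMAIL_CAPTURE = [
    Packet(0.0, CLIENT, 8254, SERVER, 80, "S"),
    Packet(0.1, SERVER, 80, CLIENT, 8254, "SA"),
    Packet(0.2, CLIENT, 8254, SERVER, 80, "A"),
    Packet(0.3, CLIENT, 8254, SERVER, 80, "PA"),
    Packet(0.4, SERVER, 80, CLIENT, 8254, "PA"),
    Packet(900.0, SERVER, 80, CLIENT, 8254, "FA"),  # late server-side FIN
]

def flow_key(p):
    """Direction-independent identifier for a TCP flow."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def ids_alerts(capture, session_timeout=300.0):
    """Model an inline IDS/firewall whose session table forgets a flow after
    `session_timeout` idle seconds (assumed value). Any non-SYN packet it
    cannot match to a live session is reported as a port scan, one alert per
    packet ("Occurred 1 times"); returns the offending packets."""
    last_seen, flagged = {}, []
    for p in capture:
        k = flow_key(p)
        live = k in last_seen and p.t - last_seen[k] <= session_timeout
        if not live and p.flags != "S":     # a bare SYN would open a session
            flagged.append(p)
        last_seen[k] = p.t
    return flagged

def triage(flagged, capture):
    """What to do with the capture once you have it: if the alleged target
    itself opened the flow (an earlier SYN in the reverse direction), the
    flagged packet is a late reply and the alert is a false positive."""
    verdicts = []
    for f in flagged:
        opened_by_target = any(
            q.flags == "S" and q.t < f.t and
            (q.src, q.sport, q.dst, q.dport) == (f.dst, f.dport, f.src, f.sport)
            for q in capture)
        verdicts.append("false positive" if opened_by_target else "unsolicited")
    return verdicts
```

Run over the sample capture, `ids_alerts` reports exactly the one packet the NetScreen line describes (from :80 to :8254), and `triage` attributes it to the client's own earlier SYN.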