Date: Tue, 18 Jul 2006 09:39:07 -0700
From: Julian Elischer <julian@elischer.org>
To: Clemens Renner <claim@rinux.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <44BD0EAB.9050001@elischer.org>
In-Reply-To: <44BD0846.6060405@rinux.net>
References: <44BD0846.6060405@rinux.net>
Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so
> I started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as
> to why that computer was subject to the alleged port scans. Searching
> in logs and crontab entries did not reveal the domain name or IP
> address of the machine except for my web mailer. It seems that someone
> from the company's network is accessing the web mailer in 10-15 minute
> intervals which is absolutely believable since one of my users works
> for the company and checks his mail via the web mailer. The strange
> part is that the company rep said these scans started some time on
> Sunday, while my user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for
> such intrusion detection / prevention mechanisms and the log he
> provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1).
> Occurred 1 times.

Some of their clients accessed your machine a few times and had sequential port numbers on their side.. then NetScreen got confused. (probably)

To be on the safe side, run snort on your outside interface for a while.

>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are
> bound to Apache's httpd so they shouldn't be available to other
> processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for
> a rather tight permitting ruleset that (of course) allows
> communication to/from port 80/443 on my machine but not to the
> destination port 8254. If the firewall prohibits access to a remote
> port 8254, processes on my side shouldn't be able to initiate a
> connection to that port. If there is a connection to that port, it had
> to be established earlier by the remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code, I
> especially looked for PHP (and similar) files belonging to freely
> available port scanners etc.; everything seems to be alright. While I
> was investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
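The false positive Julian describes, and the ipfw reasoning in question 2, modelled as an added example (not code from this thread, NetScreen or ipfw): a naive per-source port counter flags the server's replies from :80 to sequential client ports as a scan, while a detector that only counts connection attempts, or one that checks which side opened the connection, does not. Addresses and ports are constructed placeholders.

```python
from collections import defaultdict

SERVER = "192.0.2.10"   # placeholder for $my-server-ip
CLIENT = "10.0.0.5"     # placeholder for a host on the company's network

def http_connection(client_port):
    """One constructed web-mail fetch: the client opens the connection, the
    server answers from port 80.  Tuples: (src_ip, src_port, dst_ip, dst_port, flags)."""
    return [
        (CLIENT, client_port, SERVER, 80, "S"),    # client SYN
        (SERVER, 80, CLIENT, client_port, "SA"),   # server SYN/ACK
        (CLIENT, client_port, SERVER, 80, "A"),    # handshake completes
        (SERVER, 80, CLIENT, client_port, "PA"),   # HTTP response data
    ]

# Constructed traffic: four fetches whose ephemeral ports happen to be
# sequential, so replies from :80 land on 8251, 8252, 8253 and 8254 in turn.
CONSTRUCTED_FLOWS = [seg for p in (8251, 8252, 8253, 8254)
                     for seg in http_connection(p)]

def naive_scan_detector(flows, threshold=3):
    """Flag (src_ip, dst_ip) once src has touched >= threshold distinct ports
    on dst, regardless of who opened the connection.  This is the heuristic
    that turns ordinary HTTP replies into a 'port scan from :80' alert."""
    ports = defaultdict(set)
    for src, _sport, dst, dport, _flags in flows:
        ports[(src, dst)].add(dport)
    return {pair for pair, seen in ports.items() if len(seen) >= threshold}

def direction_aware_detector(flows, threshold=3):
    """Same count, but only over connection attempts (SYN without ACK).
    Replies from port 80 carry SYN/ACK or ACK and are never counted."""
    ports = defaultdict(set)
    for src, _sport, dst, dport, flags in flows:
        if flags == "S":
            ports[(src, dst)].add(dport)
    return {pair for pair, seen in ports.items() if len(seen) >= threshold}

def unsolicited_from_server(flows, server=SERVER):
    """Question 2: with outbound connections denied, every packet the server
    sends must belong to a connection the remote side opened.  Returns the
    server-originated segments that have no preceding client SYN."""
    opened, unsolicited = set(), []
    for src, sport, dst, dport, flags in flows:
        if dst == server and flags == "S":
            opened.add((src, sport))
        elif src == server and (dst, dport) not in opened:
            unsolicited.append((src, sport, dst, dport, flags))
    return unsolicited
```

Running the same flows through both detectors shows why the alert is an artefact of the heuristic rather than evidence of a scanner on the web server; an empty result from `unsolicited_from_server` is what a correctly behaving, firewalled host looks like.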