From: Julian Elischer <julian@elischer.org>
Date: Tue, 18 Jul 2006 09:39:07 -0700
To: Clemens Renner
Cc: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <44BD0EAB.9050001@elischer.org>
In-Reply-To: <44BD0846.6060405@rinux.net>

Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so
> I started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as
> to why that computer was subject to the alleged port scans. Searching
> in logs and crontab entries did not reveal the domain name or IP
> address of the machine except for my web mailer. It seems that someone
> from the company's network is accessing the web mailer in 10-15 minute
> intervals, which is absolutely believable since one of my users works
> for the company and checks his mail via the web mailer. The strange
> part is that the company rep said these scans started some time on
> Sunday, while my user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for
> such intrusion detection / prevention mechanisms and the log he
> provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1).
> Occurred 1 times.

Some of their clients accessed your machine a few times and had
sequential port numbers on their side... then NetScreen got confused
(probably). To be on the safe side, run snort on your outside interface
for a while.

> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are
> bound to Apache's httpd so they shouldn't be available to other
> processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for
> a rather tight permitting ruleset that (of course) allows
> communication to/from port 80/443 on my machine but not to the
> destination port 8254. If the firewall prohibits access to a remote
> port 8254, processes on my side shouldn't be able to initiate a
> connection to that port. If there is a connection to that port, it had
> to be established earlier by the remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something a "port scan"?
>
> As far as I can tell, the server is free of malicious code; I
> especially looked for PHP (and similar) files belonging to freely
> available port scanners etc.; everything seems to be alright. While I
> was investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
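The check that Julian's explanation and Clemens' second question both point at is whether the flagged "port 80 to many remote ports" traffic is reply traffic to connections the remote side opened, or something the server initiated itself. The following Python script is an added example, not code from the thread or from either poster: it correlates constructed tcpdump-style log records on the server side, marks each server:80 flow as solicited (an earlier inbound SYN from that remote address/port exists) or unsolicited, and reports whether the remote client's ephemeral ports form the sequential run that can trip a NetScreen-style scan heuristic. The log format, addresses (RFC 5737 documentation ranges) and timestamps are all constructed for the example.

```python
"""Correlate server-side flow records against inbound SYNs to tell reply
traffic apart from server-initiated connections. Added example; log
format, addresses and records below are constructed, not from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch (constructed values)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as logged: "S" = SYN, "SA" = SYN/ACK


SERVER = "192.0.2.10"     # stands in for $my-server-ip
CLIENT = "198.51.100.7"   # stands in for $their-server-ip

# Constructed records, "ts src:sport > dst:dport flags". The client opens
# four connections ~10 minutes apart from consecutive ephemeral ports and
# the server answers each from port 80; the last record is a deliberately
# anomalous outbound SYN from port 80 that nothing solicited.
SAMPLE_LOG = """\
1153240000.1 198.51.100.7:8251 > 192.0.2.10:80 S
1153240000.2 192.0.2.10:80 > 198.51.100.7:8251 SA
1153240600.1 198.51.100.7:8252 > 192.0.2.10:80 S
1153240600.2 192.0.2.10:80 > 198.51.100.7:8252 SA
1153241200.1 198.51.100.7:8253 > 192.0.2.10:80 S
1153241200.2 192.0.2.10:80 > 198.51.100.7:8253 SA
1153241800.1 198.51.100.7:8254 > 192.0.2.10:80 S
1153241800.2 192.0.2.10:80 > 198.51.100.7:8254 SA
1153242400.0 192.0.2.10:80 > 198.51.100.7:9000 S
"""


def parse_log(text: str) -> list[Flow]:
    """Parse the constructed one-record-per-line format into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, flags = line.split()
        sip, sp = src.rsplit(":", 1)
        dip, dp = dst.rsplit(":", 1)
        flows.append(Flow(float(ts), sip, int(sp), dip, int(dp), flags))
    return flows


def is_syn(flow: Flow) -> bool:
    """A bare SYN (no ACK) is a connection attempt from flow.src."""
    return "S" in flow.flags and "A" not in flow.flags


def classify_outbound(flows, server, server_port):
    """Split server:server_port -> remote flows into (solicited, unsolicited).

    A flow is solicited when an earlier inbound SYN from the same remote
    address and port to server:server_port is in the log. Only unsolicited
    flows could be connections the server itself initiated, which is what a
    deny-by-default ipfw ruleset should block and what deserves a look."""
    inbound_syns = set()
    solicited, unsolicited = [], []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst == server and f.dport == server_port and is_syn(f):
            inbound_syns.add((f.src, f.sport))
        elif f.src == server and f.sport == server_port:
            (solicited if (f.dst, f.dport) in inbound_syns else unsolicited).append(f)
    return solicited, unsolicited


def remote_syn_ports(flows, remote):
    """Sorted ephemeral ports the remote host used to open connections."""
    return sorted({f.sport for f in flows if f.src == remote and is_syn(f)})


def is_consecutive(ports) -> bool:
    """True when the port list is a run of consecutive values: the
    client-side pattern that makes reply traffic look like a scan."""
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    sol, unsol = classify_outbound(flows, SERVER, 80)
    print(f"{len(sol)} reply flows to inbound connections, {len(unsol)} unsolicited")
    for f in unsol:
        print("  investigate:", f)
    ports = remote_syn_ports(flows, CLIENT)
    print("remote client ports:", ports, "consecutive run:", is_consecutive(ports))
```

Run against a real capture, the solicited list is the set of flows a firewall with per-connection state would have seen as replies, so the other side's alert for them is a false positive; anything in the unsolicited list is a connection your server opened from port 80 and is worth the snort session Julian suggests.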