From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 17:31:53 2006
Date: Tue, 18 Jul 2006 19:31:27 +0200
From: lupe@lupe-christoph.de (Lupe Christoph)
To: Clemens Renner
Cc: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <20060718173127.GD13549@lupe-christoph.de>
In-Reply-To: <44BD0846.6060405@rinux.net>
References: <44BD0846.6060405@rinux.net>
On Tuesday, 2006-07-18 at 18:11:50 +0200, Clemens Renner wrote:
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
> 1 times.

With IPFilter, I often see "dangling FINs" in the log. These occur when the
TCP connection has been shut down but an additional FIN is still travelling.
IPFilter will have abandoned the state for the connection, so for it these
FINs are not associated with a connection.

Since the message they gave you is of the "Danger, Will Robinson" kind, this
could be the case. They can't prove it wrong. To me, this is a case of stupid
until proven intelligent.

HTH,
Lupe Christoph

PS: I thought a port scan means somebody is probing many ports. How can one
packet be considered a port scan?!?
--
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it? |
| Rockhound in "Armageddon", 1998, about the Space Shuttle |
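The point made in the reply and its PS (one packet is not a port scan, and a lone segment from port 80 to an ephemeral port is what a late FIN from an already-closed web session looks like once the firewall has dropped its state) as an added triage example in Python; this is not code from the original mail, from IPFilter or from the firewall vendor. It parses constructed alert lines in the quoted format and only calls a source a scanner when it has hit many distinct destination ports. The IP addresses, the port threshold and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Regex for the NetScreen-style "Port scan!" alert quoted in the thread.
ALERT_RE = re.compile(
    r"Port scan! From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+),"
    r" proto (?P<proto>\w+).*Occurred (?P<count>\d+) times"
)

def make_alert(src, sport, dst, dport, count=1):
    # Builds a constructed alert line in the quoted format (test data only).
    return (f"[Root]system-alert-00016: Port scan! From {src}:{sport} to {dst}:{dport},"
            f" proto TCP (zone Untrust, int ethernet1). Occurred {count} times.")

# Constructed samples (documentation address ranges, not real hosts): one lone packet
# from a web server's port 80, then six packets from another host walking service ports.
SAMPLE_ALERTS = [make_alert("192.0.2.10", 80, "198.51.100.7", 8254)] + [
    make_alert("203.0.113.5", 41022 + i, "198.51.100.7", p)
    for i, p in enumerate([21, 22, 23, 25, 80, 443])
]

def parse_alert(line):
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "count"):
        d[k] = int(d[k])
    return d

def classify(lines, min_ports=5):
    # Per source: many distinct destination ports looks like a scan; a single packet
    # from a service port to an ephemeral port looks like a late segment (the thread's
    # "dangling FIN") from a connection whose firewall state has already been dropped.
    by_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a:
            by_src[a["src"]].append(a)
    verdicts = {}
    for src, alerts in by_src.items():
        dports = {a["dport"] for a in alerts}
        total = sum(a["count"] for a in alerts)
        if len(dports) >= min_ports:
            verdicts[src] = "likely port scan"
        elif total == 1 and alerts[0]["sport"] < 1024 <= alerts[0]["dport"]:
            verdicts[src] = "single packet from a service port: probably a stray FIN, not a scan"
        else:
            verdicts[src] = "inconclusive: too few packets to call a scan"
    return verdicts
```

Running `classify(SAMPLE_ALERTS)` labels 203.0.113.5 a likely scan and 192.0.2.10 a probable stray FIN; tune `min_ports` to the noise level of the firewall producing the alerts.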