Port scan from Apache?

Hi everyone,

today I got an e-mail from a company claiming that my server is doing port scans on their firewall machine. I found that hard to believe so I started checking the box.

The company rep told me that the scan was originating at port 80 with destination port 8254 on their machine. I couldn't find any hints as to why that computer was subject to the alleged port scans. Searching in logs and crontab entries did not reveal the domain name or IP address of the machine except for my web mailer. It seems that someone from the company's network is accessing the web mailer in 10-15 minute intervals which is absolutely believable since one of my users works for the company and checks his mail via the web mailer. The strange part is that the company rep said these scans started some time on Sunday, while my user definitely was not using the company's hardware.

Apparently, the company uses NetScreen hardware and/or software for such intrusion detection / prevention mechanisms and the log he provided read:

[Root]system-alert-00016: Port scan! From $my-server-ip:80 to $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.

My questions are:
1. Can this be malicious code on my side? Both port 80 and 443 are bound to Apache's httpd so they shouldn't be available to other processes, right?

2. I'm using ipfw as a firewall where everything is denied except for a rather tight permitting ruleset that (of course) allows communication to/from port 80/443 on my machine but not to the destination port 8254. If the firewall prohibits access to a remote port 8254, processes on my side shouldn't be able to initiate a connection to that port. If there is a connection to that port, it had to be established earlier by the remote machine. Am I correct?

3. Does anyone know when the NetScreen hardware / software labels something "port scan"?

As far as I can tell, the server is free of malicious code, I especially looked for PHP (and similar) files belonging to freely available port scanners etc.; everything seems to be alright. While I was investigating, no one but me was logged in.

Any help is greatly appreciated!
Clemens
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: Activesync / Airsync - Alternative Ports
    ... Setup a reverse HTTP proxy. ... Another idea is to use the PPTP capabilities of a Windows Server to allow ... Satellite - Cisco Firewall - Exchange Server ... So on the server side you would configure the port 80 to redirect to ...
    (microsoft.public.pocketpc.activesync)
  • Re: Activesync / Airsync - Alternative Ports
    ... "Chris De Herrera" wrote: ... Another idea is to use the PPTP capabilities of a Windows Server to allow ... Satellite - Cisco Firewall - Exchange Server ... So on the server side you would configure the port 80 to redirect to 8888 ...
    (microsoft.public.pocketpc.activesync)
  • Re: keeping ports open
    ... If a port is open, it means that 1) a software or service is running on your ... and 2) you're not using a firewall or your firewall isn't ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ...
    (microsoft.public.security)
  • Re: How to Maintain an IIS Server?
    ... > server running on a Windows 2000 server. ... before a firewall and antivirus have been installed]. ... open ports; however, this will not identify which program is using the port. ...
    (microsoft.public.inetserver.iis.security)
  • Re: CEICW fails at firewall config
    ... ISA Server prevents connection to a remote desktop when you connect through ... Remote Web Workplace on a Windows Small Business Server 2003-based computer ... Acceleration Server as a firewall. ... connection uses TCP port 4125. ...
    (microsoft.public.windows.server.sbs)