Re: Port scan from Apache?

On 0, Clemens Renner <claim@xxxxxxxxx> wrote:
Hi everyone,

today I got an e-mail from a company claiming that my server is doing
port scans on their firewall machine. I found that hard to believe so I
started checking the box.

The company rep told me that the scan was originating at port 80 with
destination port 8254 on their machine. I couldn't find any hints as to
why that computer was subject to the alleged port scans. Searching in
logs and crontab entries did not reveal the domain name or IP address of
the machine except for my web mailer. It seems that someone from the
company's network is accessing the web mailer in 10-15 minute intervals
which is absolutely believable since one of my users works for the
company and checks his mail via the web mailer. The strange part is that
the company rep said these scans started some time on Sunday, while my
user definitely was not using the company's hardware.

Apparently, the company uses NetScreen hardware and/or software for such
intrusion detection / prevention mechanisms and the log he provided read:

[Root]system-alert-00016: Port scan! From $my-server-ip:80 to
$their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
1 times.

My questions are:
1. Can this be malicious code on my side? Both port 80 and 443 are bound
to Apache's httpd so they shouldn't be available to other processes, right?

2. I'm using ipfw as a firewall where everything is denied except for a
rather tight permitting ruleset that (of course) allows communication
to/from port 80/443 on my machine but not to the destination port 8254.
If the firewall prohibits access to a remote port 8254, processes on my
side shouldn't be able to initiate a connection to that port. If there
is a connection to that port, it had to be established earlier by the
remote machine. Am I correct?

3. Does anyone know when the NetScreen hardware / software labels
something "port scan"?

As far as I can tell, the server is free of malicious code, I especially
looked for PHP (and similar) files belonging to freely available port
scanners etc.; everything seems to be alright. While I was
investigating, no one but me was logged in.

Any help is greatly appreciated!

Ask them for a packet capture of the incident(s). It may well be that
they have a false positive case on their hands. Portscan detection is
very much prone to false positives, many things can appear to be
portscans when they really aren't.

A log message like the one they gave you is nowhere near enough
information to determine if the attempt was a real portscan or not.

Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team

There is no theory of evolution, just a list
of creatures Vin Diesel allows to live.
freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"