Re: Logs: Many hits with source port of 80

From: Joe Stewart (jstewart@lurhq.com)
Date: 12/16/02

    From: Joe Stewart <jstewart@lurhq.com>
    To: "Byrne Ghavalas" <security@nscs.uk.com>
    Date: Mon, 16 Dec 2002 10:27:32 -0500


    On Friday 13 December 2002 05:05 am, Byrne Ghavalas wrote:
    > Hi All,
    >
    > Has anyone else noticed a high number of hits in their security logs,
    > where the source port is set to tcp 80 and the destination port is some
    > high tcp port? I have noticed that these events seem to be getting more
    > numerous than the NetBios scans ;-)
    >
    > For example:
    > 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
    > 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439

    Hi,

    Whenever I get a source-port-80-to-high-port scan I suspect network
    misconfiguration/lost state connection on the firewall. (Never attribute
    to malice that which can be adequately explained by stupidity) An easy
    way to check is telnet to port 80 on the source host. In this case:

    [test@test test]$ telnet 194.78.225.36 80
    Trying 194.78.225.36...
    Connected to 194.78.225.36 (194.78.225.36).
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.1 505 HTTP Version not supported
    Date: Mon, 16 Dec 2002 15:03:11 GMT
    Content-Length: 215
    Content-Type: text/html
    Server: Footprint Distributor V2.0
    Connection: close

    <HTML><HEAD>
    <TITLE>505 HTTP Version Not Supported</TITLE>
    <BODY><H1>HTTP Version Not Supported</H1>
    The requested URL, "http://194.78.225.36:8808/", cannot be accessed using your
    current browser.<P>
    </BODY></HTML>
    Connection closed by foreign host.

    Hmm. "Footprint Distributor V2.0". Sounds like a load balancer. Some Googling
    turns up a product called "Footprint" from a company called Sandpiper that
    does distributed content caching. Let's see if they actually use the product to
    serve their own website:

    [test@test test]$ telnet www.sandpiper.net 80
    Trying 63.208.96.131...
    Connected to unknown.Level3.net (63.208.96.131).
    Escape character is '^]'.
    GET / HTTP/1.1
    HTTP/1.0 408 Request Time-out
    Server: Footprint 2.0/FPMCP
    Mime-Version: 1.0
    Date: Mon, 16 Dec 2002 15:15:19 GMT
    Content-Type: text/html
    Content-Length: 653
    Expires: Mon, 16 Dec 2002 15:15:19 GMT

    Suspicion confirmed. My guess is that the probes you are getting are reply
    SYN-ACK packets from a webserver you are trying to visit. They have somehow
    misconfigured the load balancer and the replies are coming from the wrong IP
    address, so your firewall sees them as an entirely different connection and
    drops the packets.

    -Joe

    -- 
       Joe Stewart  <jstewart@lurhq.com>
      Senior Information Security Analyst 
    -----------------------------------------
     "24x7 Enterprise Security Monitoring"
    LURHQ Corporation  http://www.lurhq.com/
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
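The triage Joe describes above can be scripted. The following is an added example, not code from the original post or from either list member: it parses firewall log lines in the format Byrne quoted, separates sources that send from port 80 to a single high port at TCP-retransmit-like intervals (stray or state-lost SYN-ACKs) from sources that hit many high ports (a real scan), and pulls the Server header out of a raw HTTP response of the kind the manual telnet check returns. The log lines and the second and third source addresses are constructed; the 194.78.225.36 entries mirror the timestamps in the thread. The interval thresholds (20 to 180 seconds) and the four-port scan cutoff are assumptions chosen for this example, not values from the post.

```python
"""Triage of source-port-80 firewall hits (added example, not from the post).

Log format, as quoted in the thread:
    YYYY-MM-DD HH:MM:SS SRC_IP:SPORT DST_IP:DPORT
"""
from collections import defaultdict
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample: first three lines follow the timestamps from the thread
# (same source, same destination port, roughly one minute apart); the
# 203.0.113.9 lines model a port sweep from source port 80; the last line is
# ordinary NetBIOS noise and must be ignored by the port-80 filter.
SAMPLE_LOG = """\
2002-12-13 09:08:04 194.78.225.36:80 10.0.0.5:29439
2002-12-13 09:07:04 194.78.225.36:80 10.0.0.5:29439
2002-12-13 09:06:05 194.78.225.36:80 10.0.0.5:29439
2002-12-13 09:06:10 203.0.113.9:80 10.0.0.5:1025
2002-12-13 09:06:11 203.0.113.9:80 10.0.0.5:1026
2002-12-13 09:06:12 203.0.113.9:80 10.0.0.5:1027
2002-12-13 09:06:13 203.0.113.9:80 10.0.0.5:1028
2002-12-13 09:06:14 203.0.113.9:80 10.0.0.5:1029
2002-12-13 09:09:00 198.51.100.7:137 10.0.0.5:137
"""

# Constructed from the response body shown in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 505 HTTP Version not supported\r\n"
    "Date: Mon, 16 Dec 2002 15:03:11 GMT\r\n"
    "Content-Length: 215\r\n"
    "Content-Type: text/html\r\n"
    "Server: Footprint Distributor V2.0\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<HTML><HEAD>...</HTML>"
)


def parse(log_text):
    """Yield (timestamp, src, sport, dst, dport) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def classify(log_text, min_gap=20, max_gap=180, scan_targets=4):
    """Return {src_ip: verdict} for sources sending from port 80 to high ports.

    'stray-reply'   : one (src, dst, dport) tuple repeating at retransmit-like
                      intervals; consistent with SYN-ACKs whose state the
                      firewall lost, or which came back from a different IP
                      than the SYN was sent to (the thread's load-balancer case).
    'probable-scan' : one source touching many distinct (host, high port) pairs.
    'unclassified'  : too little data to say either way.
    Thresholds are assumptions for this example, not from the post.
    """
    flows = defaultdict(list)            # (src, dst, dport) -> timestamps
    for ts, src, sport, dst, dport in parse(log_text):
        if sport == 80 and dport >= 1024:
            flows[(src, dst, dport)].append(ts)

    targets = defaultdict(set)           # src -> {(dst, dport)}
    for src, dst, dport in flows:
        targets[src].add((dst, dport))

    verdicts = {}
    for src, pairs in targets.items():
        if len(pairs) >= scan_targets:
            verdicts[src] = "probable-scan"
            continue
        retry_like = False
        for dst, dport in pairs:
            times = sorted(flows[(src, dst, dport)])
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if gaps and all(min_gap <= g <= max_gap for g in gaps):
                retry_like = True
        verdicts[src] = "stray-reply" if retry_like else "unclassified"
    return verdicts


def server_header(raw_response):
    """Extract the Server: header from a raw HTTP response (the value the
    manual telnet check in the post is after).  Returns None if absent."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw_response else "\n\n"
    head = raw_response.split(sep, 1)[0]
    for line in head.splitlines()[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
    print("server:", server_header(SAMPLE_RESPONSE))
```

A 'stray-reply' verdict is the cue to do what the post does next: connect to port 80 on the source yourself and see whether it is a web server you or your users would plausibly have been talking to, rather than opening an incident on the basis of the firewall log alone.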