Firewall Wizards mailing list archives
Re: Port Scan from the source port 80?
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 10 Feb 2003 08:53:50 -0500 (EST)
On Mon, 10 Feb 2003, OF UR BIZ NONE wrote:
> Hello, I was wondering if port scan from port 80 is common.
Not too common, but it happens.
> I do not have much experience with firewalls, and do not know very much about analyzing logs. Anyway, I was looking at my PIX log and found this one IP sending packets to my company's PAT IP. They are all coming to the higher ports, coming from PORT 80 of this webserver, apparently a very popular local auction site.
>
> My observations are:
> 1. The higher ports being scanned(?) seem to be random.
> 2. This scanning activity(?) has been going on and off for more than a year according to the log.
> 3. The IP being scanned is the PAT IP, which also represents our users.
>
> My guess was:
> 1. Their webserver may be running some kind of special script that generates traffic to our higher ports when KPMG users access the site.
> 2. Their webserver is being compromised by a hacker and being exploited for 'island-hopping'.
Generally, compromises result in traffic from different ports, since generating traffic from a port in LISTEN mode requires either some sort of multiplexor in front of the Web server, or modification of the Web server code.
> I have contacted the system administrator of the portal site, and asked him the possibilities of the above. But he claimed that my users are accessing their website and that my firewall is denying the legitimate returning traffic.
A few minutes with a sniffer should be able to validate that the traffic is in response to a legitimate request. If you're seriously concerned though, you may wish to either install an HTTP proxy, or just block access to the site as non-business related if your security policy allows it.
> But if that is the case, our helpdesk must have heard something from the users. He also strongly denied that his webserver may have been compromised, and claimed that performing port scans from port 80 is impossible.
It's not impossible, but it's difficult to do on a running server without impacting the server. In any case, if you're on a Web server, there are enough IE bugs unpatched that compromise of an internal network is mostly trivial; why would you waste time scanning?
> Has anyone heard of port scanning from port 80 as the source port?
Sometimes load balancers send probes like that in response to requests, or you could be seeing resent traffic that has fallen off the end of a state table. Your best bet is to set up a sniffer and see what the outbound requests look like and then match them to the return traffic. Alternately, just blackhole the site, or redirect DNS to an internal site that puts up a "not accessible to company users" message.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
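As an added illustration of the advice above (not code from the original thread), the script below does the log-side half of "match the outbound requests to the return traffic": it correlates PIX deny messages from source port 80 against the outbound translations the PIX built for our users. Denies that land shortly after a matching connection was torn down are the "fallen off the end of the state table" case; denies with no outbound request on record are the ones worth a sniffer look. The log lines are constructed in PIX syslog style, and the exact field layout is an assumption to check against your own firewall's output.

```python
import re
from datetime import datetime

# Constructed PIX-style syslog sample (not from the original post). 198.51.100.5 stands in
# for the company's PAT address, 203.0.113.10 for the auction site's web server.
SAMPLE_LOG = """\
Feb 10 08:00:01 fw %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.2.3/34567 (198.51.100.5/34567)
Feb 10 08:00:20 fw %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:10.1.2.3/34567 duration 0:00:19 bytes 4096 TCP FINs
Feb 10 08:00:25 fw %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst inside:198.51.100.5/34567 by access-group "outside_in"
Feb 10 08:03:00 fw %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst inside:198.51.100.5/51234 by access-group "outside_in"
"""

# Message layouts are assumed from PIX 6.x syslog conventions; adjust to your own logs.
TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %PIX-\d-"
BUILT = re.compile(TS + r"302013: Built outbound TCP connection (?P<conn>\d+) for "
                   r"\w+:(?P<rip>[\d.]+)/(?P<rport>\d+) \(\S+\) to \w+:\S+ "
                   r"\((?P<mip>[\d.]+)/(?P<mport>\d+)\)")
TEARDOWN = re.compile(TS + r"302014: Teardown TCP connection (?P<conn>\d+) ")
DENY = re.compile(TS + r"106023: Deny tcp src \w+:(?P<rip>[\d.]+)/(?P<rport>\d+) "
                  r"dst \w+:(?P<mip>[\d.]+)/(?P<mport>\d+)")

def parse_ts(s):
    # Syslog timestamps carry no year; that is fine for ordering within one log file.
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S")

def classify_denies(log_text, grace_seconds=120):
    """Label each denied packet with source port 80 as 'late-return' (it matches a
    translation the PIX built for one of our users and tore down within grace_seconds)
    or 'unsolicited' (no outbound request on record). Returns (ts, src, dport, label)."""
    key_by_conn, closed_at, verdicts = {}, {}, []
    for line in log_text.splitlines():
        if m := BUILT.match(line):
            # Key on the remote socket plus the *mapped* (PAT) socket, which is what
            # the deny message reports on the outside interface.
            key_by_conn[m["conn"]] = (m["rip"], int(m["rport"]), m["mip"], int(m["mport"]))
        elif (m := TEARDOWN.match(line)) and m["conn"] in key_by_conn:
            closed_at[key_by_conn[m["conn"]]] = parse_ts(m["ts"])
        elif (m := DENY.match(line)) and m["rport"] == "80":
            key = (m["rip"], 80, m["mip"], int(m["mport"]))
            age = (parse_ts(m["ts"]) - closed_at[key]).total_seconds() if key in closed_at else None
            recent = age is not None and 0 <= age <= grace_seconds
            verdicts.append((m["ts"], key[0], key[3], "late-return" if recent else "unsolicited"))
    return verdicts

if __name__ == "__main__":
    for ts, src, dport, label in classify_denies(SAMPLE_LOG):
        print(f"{ts}  {src}:80 -> PAT:{dport}  {label}")
```

A steady stream of "unsolicited" verdicts to ports that never appeared in a Built message is the pattern to take to the sniffer; a handful of "late-return" hits right after teardowns is just the firewall doing its job.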