Firewall Wizards mailing list archives

Re: Port Scan from the source port 80?


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 10 Feb 2003 08:53:50 -0500 (EST)

On Mon, 10 Feb 2003, OF UR BIZ NONE wrote:

> Hello,
>
> I was wondering if a port scan from port 80 is common.

Not too common, but it happens.

> I do not have much experience with firewalls,
> and do not know very much about analyzing logs.
>
> Anyway, I was looking at my PIX log
> and found this one IP sending packets to my company's PAT IP.
> They are all coming to the higher ports,
> coming from PORT 80 of this webserver,
> apparently a very popular local auction site.
>
> My observations are:
>
> 1. The higher ports being scanned(?) seem to be random.
> 2. This scanning activity(?) has been going on and off for more than a year
> according to the log.
> 3. The IP being scanned is the PAT IP, which also represents our users.
>
> My guess was:
>
> 1. Their webserver may be running some kind of special script
> that generates traffic to our higher ports when KPMG users access the site.
> 2. Their webserver has been compromised by a hacker
> and is being exploited for 'island-hopping'.

Generally, compromises result in traffic from different ports, since 
generating traffic from a port in LISTEN mode requires either some sort of 
multiplexor in front of the Web server, or modification of the Web server 
code.

> I have contacted the system administrator of the portal site,
> and asked him about the possibilities of the above.
> But he claimed that my users are accessing their website
> and that my firewall is denying the legitimate returning traffic.

A few minutes with a sniffer should be able to validate that the traffic 
is in response to a legitimate request.  If you're seriously concerned 
though, you may wish to either install an HTTP proxy, or just block access 
to the site as non-business related if your security policy allows it.

> But if that is the case, our helpdesk must have heard something from the
> users.
> He also strongly denied that his webserver may have been compromised,
> and claimed that performing port scans from port 80 is impossible.

It's not impossible, but it's difficult to do on a running server without 
impacting the server.  In any case, if you're on a Web server, there are 
enough IE bugs unpatched that compromise of an internal network is 
mostly trivial, why would you waste time scanning?

> Has anyone heard of port scanning from port 80 as the source port?

Sometimes load balancers send probes like that in response to requests, or 
you could be seeing resent traffic that has fallen off the end of a state 
table.

Your best bet is to set up a sniffer and see what the outbound requests 
look like and then match them to the return traffic.  Alternately, just 
blackhole the site, or redirect DNS to an internal site that puts up a 
"not accessible to company users" message.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
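The matching step Paul describes (take a capture, line up the outbound requests with the packets coming back from port 80, and see what is left over) can be scripted once the capture is in hand. The following is an added illustration, not code from this list, the PIX, or any vendor: it walks a constructed sample capture with hypothetical addresses, keeps a connection table the way a stateful firewall would, and labels each inbound packet from port 80 as a live reply, a reply to a flow whose state entry has already aged out (the "fallen off the end of a state table" case), or traffic with no outbound request behind it at all. The idle timeout is an assumed value, not a PIX default.

```python
"""Match inbound packets from TCP source port 80 against the outbound
connections that could have solicited them.

Added illustration of the sniffer check suggested in the reply above; it
is not code from the list, the PIX, or any vendor. The capture below is
constructed sample data with hypothetical addresses, and the connection
table idle timeout is an assumed value.
"""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport flags")

# Assumed idle timeout of the firewall's connection (state) table, in seconds.
STATE_TIMEOUT = 300.0

# Constructed sample capture, in time order. 10.0.0.5 stands in for the PAT
# address and 203.0.113.10 for the web server; both are hypothetical.
SAMPLE = [
    Packet(0.0,   "10.0.0.5",     40001, "203.0.113.10", 80,    "S"),
    Packet(0.1,   "203.0.113.10", 80,    "10.0.0.5",     40001, "SA"),
    Packet(0.2,   "10.0.0.5",     40002, "203.0.113.10", 80,    "S"),
    Packet(0.3,   "203.0.113.10", 80,    "10.0.0.5",     40002, "SA"),
    # A retransmission arriving after the table entry would have aged out:
    # legitimate in origin, but the firewall has nothing to match it against.
    Packet(400.0, "203.0.113.10", 80,    "10.0.0.5",     40001, "A"),
    # An inbound SYN/ACK with no outbound request on record at all.
    Packet(401.0, "203.0.113.10", 80,    "10.0.0.5",     51234, "SA"),
]


def classify(packets, state_timeout=STATE_TIMEOUT):
    """Walk a capture in time order and label every packet from port 80.

    Returns a list of (packet, verdict), where verdict is one of:
      'reply'       - matches an outbound request still within the timeout
      'stale'       - matches a request whose state entry has expired
      'unsolicited' - no outbound request to that client port was ever seen
    """
    # (client, client_port, server, server_port) -> time of last activity
    state = {}
    verdicts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.dport == 80:
            # Outbound request from one of our users: create/refresh the flow.
            state[(p.src, p.sport, p.dst, p.dport)] = p.ts
        elif p.sport == 80:
            key = (p.dst, p.dport, p.src, p.sport)
            last = state.get(key)
            if last is None:
                verdicts.append((p, "unsolicited"))
            elif p.ts - last > state_timeout:
                verdicts.append((p, "stale"))
            else:
                verdicts.append((p, "reply"))
                state[key] = p.ts  # a reply keeps the flow alive
    return verdicts


def summarize(verdicts):
    """Count verdicts; a large 'unsolicited' share is what warrants follow-up."""
    return dict(Counter(v for _, v in verdicts))


if __name__ == "__main__":
    results = classify(SAMPLE)
    for pkt, verdict in results:
        print(f"{pkt.ts:7.1f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags}] {verdict}")
    print(summarize(results))
```

On the sample data the two SYN/ACKs are labelled as replies, the late ACK as stale, and the packet to port 51234 as unsolicited. The "random high ports" in the original question are exactly what the client-side ephemeral ports of a browser look like in a log, so a capture that yields mostly "reply" verdicts supports the remote administrator's explanation, while a meaningful "unsolicited" count is the thing to take back to him.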

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards