Firewall Wizards mailing list archives

Re: Port Scan from the source port 80?


From: ark () eltex ru
Date: Mon, 10 Feb 2003 16:44:57 +0300

Is it a SYN scan, or what? Could you please be more specific about what you have
seen in the log?

On Mon, Feb 10, 2003 at 10:28:01AM +0900, OF UR BIZ NONE wrote:
Hello,

I was wondering if a port scan from port 80 is common.
I do not have much experience with firewalls,
and do not know very much about analyzing logs.

Anyway, I was looking at my PIX log
and found this one IP sending packets to my company's PAT IP.
They are all coming to the higher ports,
coming from PORT 80 of this webserver,
apparently a very popular local auction site.

My observations are :

1. The higher ports being scanned (?) seem to be random.
2. This scanning activity(?) has been going on and off for more than a year 
according to the log.
3. The IP being scanned is PAT IP, which also represents our users.

My guess was :

1. Their webserver may be running some kind of special script
that generates traffic to our higher ports when KPMG users access the site.
2. Their webserver has been compromised by a hacker
and is being exploited for 'island-hopping'.

I have contacted the system administrator of the portal site,
and asked him about the possibilities of the above.
But he claimed that my users are accessing their website
and that my firewall is denying the legitimate returning traffic.
But if that is the case, our helpdesk must have heard something from the 
users.
He also strongly denied that his webserver may have been compromised,
and claimed that performing port scans from port 80 is impossible.

To my knowledge though, most scanners allow you to specify the
source port.
And if their webserver is compromised,
(and assuming they have firewall properly configured)
port 80 is probably one of the few, or even the only port that it can send 
out packets for scanning.

Has anyone heard of port scanning from port 80 as the source port?
Does this look like a port scanning activity?
If so, what should I do?

I would appreciate any feedback.

-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
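The reply above hinges on one question the log can answer: are the port-80 packets bare SYNs (scan-like, whatever the source port), or ACK/FIN/RST tails of web sessions the PIX already timed out (the "legitimate returning traffic" the remote admin describes)? The triage script below is an added example, not code from the thread; it parses constructed %PIX-2-106001 lines (the PIX message that carries TCP flags) and assumes the standard "denied from A/port to B/port flags F on interface" wording of that message.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): one external host on port 80
# closing out stale sessions, another sending pure SYNs to consecutive high ports.
SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/80 to 198.51.100.5/3211 flags ACK on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/80 to 198.51.100.5/3211 flags FIN ACK on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/80 to 198.51.100.5/3345 flags ACK on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/80 to 198.51.100.5/3346 flags RST on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.20/80 to 198.51.100.5/1025 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.20/80 to 198.51.100.5/1026 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.20/80 to 198.51.100.5/1027 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.20/80 to 198.51.100.5/1028 flags SYN on interface outside
"""

LINE_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface"
)

def parse(log):
    """Yield (src, sport, dst, dport, flags) from 106001 lines; skip others."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   frozenset(m["flags"].split()))

def classify(log, min_ports=3):
    """Per source IP: (distinct dest ports, pure-SYN count, verdict).

    Pure SYNs to several distinct ports are scan-like regardless of source port.
    Only ACK/FIN/RST means the far end is finishing or tearing down sessions
    the PIX has already aged out, which is what stale PAT translations look like.
    """
    per_src = defaultdict(lambda: {"ports": set(), "syn": 0, "total": 0})
    for src, _sport, _dst, dport, flags in parse(log):
        rec = per_src[src]
        rec["ports"].add(dport)
        rec["total"] += 1
        rec["syn"] += flags == {"SYN"}
    result = {}
    for src, rec in per_src.items():
        if rec["syn"] == rec["total"] and len(rec["ports"]) >= min_ports:
            verdict = "scan-like"
        elif rec["syn"] == 0:
            verdict = "stale-session"
        else:
            verdict = "mixed"
        result[src] = (len(rec["ports"]), rec["syn"], verdict)
    return result
```

Run it over the real denies for the remote host in question: a "stale-session" verdict supports the admin's explanation, while "scan-like" is worth raising with them again together with the flagged lines.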
