On Friday 13 December 2002 05:05 am, Byrne Ghavalas wrote: > Hi All, > > Has anyone else noticed a high number of hits in their security logs, > where the source port is set to tcp 80 and the destination port is some > high tcp port? I have noticed that these events seem to be getting more > numerous than the NetBios scans ;-) > > For example: > 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439 Hi, Whenever I get a source-port-80-to-high-port scan I suspect network misconfiguration/lost state connection on the firewall. (Never attribute to malice that which can be adequately explained by stupidity) An easy way to check is telnet to port 80 on the source host. In this case: [test@test test]$ telnet 194.78.225.36 80 Trying 194.78.225.36... Connected to 194.78.225.36 (194.78.225.36). Escape character is '^]'. GET / HTTP/1.0 HTTP/1.1 505 HTTP Version not supported Date: Mon, 16 Dec 2002 15:03:11 GMT Content-Length: 215 Content-Type: text/html Server: Footprint Distributor V2.0 Connection: close <HTML><HEAD> <TITLE>505 HTTP Version Not Supported</TITLE> <BODY><H1>HTTP Version Not Supported</H1> The requested URL, "http://194.78.225.36:8808/", cannot be accessed using your current browser.<P> </BODY></HTML> Connection closed by foreign host. Hmm. "Footprint Distributor V2.0". Sounds like a load balancer. Some Googling turns up a product called "Footprint" from a company called Sandpiper that does distributed content caching. Lets see if they actually use the product to serve their own website: [test@test test]$ telnet www.sandpiper.net 80 Trying 63.208.96.131... Connected to unknown.Level3.net (63.208.96.131). Escape character is '^]'. GET / HTTP/1.1 HTTP/1.0 408 Request Time-out Server: Footprint 2.0/FPMCP Mime-Version: 1.0 Date: Mon, 16 Dec 2002 15:15:19 GMT Content-Type: text/html Content-Length: 653 Expires: Mon, 16 Dec 2002 15:15:19 GMT Suspicion confirmed. My guess is that the probes you are getting are reply SYN-ACK packets from a webserver you are trying to visit. They have somehow misconfigured the load balancer and the replies are coming from the wrong IP address, so your firewall sees them as an entirely different connection and drops the packets. -Joe -- Joe Stewart <jstewartat_private> Senior Information Security Analyst ----------------------------------------- "24x7 Enterprise Security Monitoring" LURHQ Corporation http://www.lurhq.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:07:48 PST