Re: Logs: Many hits with source port of 80

From: Joe Stewart (jstewartat_private)
Date: Mon Dec 16 2002 - 07:27:32 PST

Next message: Damian Gerow: "Re: Rooted, .haos on system"

Previous message: Kevin Bowman: "Re: Logs: Many hits with source port of 80"
In reply to: Byrne Ghavalas: "Logs: Many hits with source port of 80"
Next in thread: Byrne Ghavalas: "Re: Logs: Many hits with source port of 80"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Friday 13 December 2002 05:05 am, Byrne Ghavalas wrote:
> Hi All,
>
> Has anyone else noticed a high number of hits in their security logs,
> where the source port is set to tcp 80 and the destination port is some
> high tcp port? I have noticed that these events seem to be getting more
> numerous than the NetBios scans ;-)
>
> For example:
> 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439

Hi,

Whenever I get a source-port-80-to-high-port scan I suspect network 
misconfiguration/lost state connection on the firewall. (Never attribute
to malice that which can be adequately explained by stupidity) An easy 
way to check is telnet to port 80 on the source host. In this case:

[test@test test]$ telnet 194.78.225.36 80
Trying 194.78.225.36...
Connected to 194.78.225.36 (194.78.225.36).
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 505 HTTP Version not supported
Date: Mon, 16 Dec 2002 15:03:11 GMT
Content-Length: 215
Content-Type: text/html
Server: Footprint Distributor V2.0
Connection: close

<HTML><HEAD>
<TITLE>505 HTTP Version Not Supported</TITLE>
<BODY><H1>HTTP Version Not Supported</H1>
The requested URL, "http://194.78.225.36:8808/", cannot be accessed using your 
current browser.<P>
</BODY></HTML>
Connection closed by foreign host.

Hmm. "Footprint Distributor V2.0". Sounds like a load balancer. Some Googling
turns up a product called "Footprint" from a company called Sandpiper that
does distributed content caching. Lets see if they actually use the product to 
serve their own website:

[test@test test]$ telnet www.sandpiper.net 80
Trying 63.208.96.131...
Connected to unknown.Level3.net (63.208.96.131).
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.0 408 Request Time-out
Server: Footprint 2.0/FPMCP
Mime-Version: 1.0
Date: Mon, 16 Dec 2002 15:15:19 GMT
Content-Type: text/html
Content-Length: 653
Expires: Mon, 16 Dec 2002 15:15:19 GMT

Suspicion confirmed. My guess is that the probes you are getting are reply
SYN-ACK packets from a webserver you are trying to visit. They have somehow
misconfigured the load balancer and the replies are coming from the wrong IP
address, so your firewall sees them as an entirely different connection and
drops the packets.

-Joe

-- 
   Joe Stewart  <jstewartat_private>
  Senior Information Security Analyst 
-----------------------------------------
 "24x7 Enterprise Security Monitoring"
LURHQ Corporation  http://www.lurhq.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Damian Gerow: "Re: Rooted, .haos on system"
Previous message: Kevin Bowman: "Re: Logs: Many hits with source port of 80"
In reply to: Byrne Ghavalas: "Logs: Many hits with source port of 80"
Next in thread: Byrne Ghavalas: "Re: Logs: Many hits with source port of 80"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:07:48 PST