[PLUG] Weird "PortScans"

gilmanhunt at attbi.com gilmanhunt at attbi.com
Thu Mar 13 14:26:02 UTC 2003


Ok, I can't hold my peace any longer.
The webserver I administer is showing some strange behavior.
I installed SNORT on the firewall to help protect its poor little IIS/Windows
2000 self, and one of the first things I noticed was that SNORT reported many
portscans -outbound- from "port 80" of our computer, all over the map for other
computers.
So I firewalled off port 80 outbound (here's the iptables rule, to double-check
my work):

INTADDR=the internal (192.168...) IP address of the firewall (the default route
of the webserver)
WEBSERVER=the internal (192.168...) IP address of the webserver

/sbin/iptables -t nat -A PREROUTING -i $INTADDR -p tcp -s $WEBSERVER --sport 80 -j DROP

Patches appear to be up to date on the Win2K server, but... evidence is to the
contrary.  I installed Symantec's AntiVirus package; it's running and checking; it
finds nothing, even after a reboot when I expect it to find something on the MBR
and in the registry.

The only open ports on our webserver now are 20, 21, 80, 443 and the PcAnywhere
port; they're NAT'd through the firewall, while the ssh port goes to the firewall.

Today, we logged in to do some other work, and we happened to open up
netwatcher, and there are many many connections between our port 80 and one
dialup computer, on many many sequential ports on the dialup computer.  I.e. it
looks like either our server is continuing to scan other computers, or that
dialup computer is doing something weird from many many ports all to port 80
(not completely unreasonable) that snort is reporting as a portscan from our
server.

If that doesn't make sense, it's because it doesn't make sense to me. 
Can anyone shed some light on this?
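The question above hinges on who initiated each connection: a client hitting port 80 from many sequential ephemeral ports and a server really scanning out from source port 80 produce the same (our:80 <-> peer:N) pairs in a connection table, but only the initiator sends the bare SYN. The following is an added example (not code from the original post or the PLUG list) that applies that check to a constructed packet summary; the addresses, port numbers and flag strings are assumptions made up for the demonstration.

```python
# Constructed sample of TCP headers as a sniffer on the firewall would summarise
# them: (src, sport, dst, dport, flags). "S" is a bare SYN, "SA" a SYN-ACK reply.
# 192.168.1.10 stands in for the webserver, 203.0.113.7 for the dialup host,
# 198.51.100.5 for a host the webserver really does probe (all made up).
WEBSERVER = "192.168.1.10"

SAMPLE_PACKETS = [
    ("203.0.113.7", 1034, WEBSERVER, 80, "S"),   # dialup client opens a connection
    (WEBSERVER, 80, "203.0.113.7", 1034, "SA"),  # our reply, looks like "from port 80"
    ("203.0.113.7", 1035, WEBSERVER, 80, "S"),   # next sequential client port
    (WEBSERVER, 80, "203.0.113.7", 1035, "SA"),
    ("203.0.113.7", 1036, WEBSERVER, 80, "S"),
    (WEBSERVER, 80, "203.0.113.7", 1036, "SA"),
    (WEBSERVER, 80, "198.51.100.5", 21, "S"),    # a genuine outbound probe: we send the SYN
    (WEBSERVER, 80, "198.51.100.5", 22, "S"),
]


def classify_flows(packets, host):
    """Count, per peer, who initiated connections involving `host`.

    Returns {peer: {"inbound": n, "outbound": n}}: "inbound" means the peer sent
    the bare SYN to host, "outbound" means host sent the bare SYN to the peer.
    SYN-ACKs are replies and never count as initiations, whatever port they use.
    """
    summary = {}
    for src, sport, dst, dport, flags in packets:
        if flags != "S":
            continue                      # only bare SYNs reveal the initiator
        if dst == host:
            peer, kind = src, "inbound"
        elif src == host:
            peer, kind = dst, "outbound"
        else:
            continue                      # traffic not involving the monitored host
        summary.setdefault(peer, {"inbound": 0, "outbound": 0})[kind] += 1
    return summary


def verdicts(summary):
    """One line per peer saying whether the activity was really ours."""
    out = []
    for peer, c in sorted(summary.items()):
        if c["outbound"] and not c["inbound"]:
            out.append(f"{peer}: {c['outbound']} connection(s) initiated by us; real outbound activity")
        else:
            out.append(f"{peer}: {c['inbound']} connection(s) initiated by peer; ordinary client traffic")
    return out
```

Feeding the same classification real capture data (for example from a sniffer on the firewall's internal interface) tells you whether the webserver is sending SYNs itself, which a scan alert keyed only on port pairs cannot.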
