Firewall Wizards mailing list archives

Port Scan from the source port 80?


From: "OF UR BIZ NONE" <maetcstuff () hotmail com>
Date: Mon, 10 Feb 2003 10:28:01 +0900

Hello,

I was wondering if a port scan from port 80 is common.
I do not have much experience with firewalls,
and do not know very much about analyzing logs.

Anyway, I was looking at my PIX log
and found this one IP sending packets to my company's PAT IP.
They are all coming to the higher ports,
coming from PORT 80 of this webserver,
apparently a very popular local auction site.

My observations are:

1. The higher ports being scanned(?) seem to be random.
2. This scanning activity(?) has been going on and off for more than a year according to the log.
3. The IP being scanned is PAT IP, which also represents our users.

My guess was:

1. Their webserver may be running some kind of special script
that generates traffic to our higher ports when KPMG users access the site.
2. Their webserver is being compromised by a hacker
and being exploited for 'island-hopping'

I have contacted the system administrator of the portal site,
and asked him about the possibilities of the above.
But he claimed that my users are accessing their website
and that my firewall is denying the legitimate returning traffic.
But if that is the case, our helpdesk must have heard something from the users.
He also strongly denied that his webserver may have been compromised,
and claimed that performing port scans from port 80 is impossible.

To my knowledge though, most scanners allow you to specify the source port.
And if their webserver is compromised,
(and assuming they have a firewall properly configured)
port 80 is probably one of the few, or even the only port that it can send out packets for scanning.

Has anyone heard of port scanning from port 80 as the source port?
Does this look like a port scanning activity?
If so, what should I do?

I would appreciate any feedback.

Sean





_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
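
Added example, not part of the original post: one way to test the two explanations in the message above against the firewall log is to check whether each denied packet from port 80 matches a connection the firewall recently tore down on the same PAT port. The record layout, the sample values and the 120-second grace window are constructed assumptions, not PIX log format.

```python
from collections import defaultdict

# Constructed sample records, not real firewall output:
# (epoch_seconds, event, remote_ip, remote_port, pat_port, tcp_flags)
SAMPLE = [
    (1000, "teardown", "198.51.100.7", 80, 41001, ""),
    (1004, "deny",     "198.51.100.7", 80, 41001, "FIN ACK"),
    (1010, "teardown", "198.51.100.7", 80, 41002, ""),
    (1012, "deny",     "198.51.100.7", 80, 41002, "RST"),
    (5000, "deny",     "198.51.100.7", 80, 50123, "SYN"),
    (5001, "deny",     "198.51.100.7", 80, 50124, "SYN"),
]

GRACE = 120  # assumed: seconds after teardown in which stray replies are plausible


def triage(records, grace=GRACE):
    """Split denied inbound packets into 'late_return' and 'unsolicited'.

    late_return: same remote ip/port and PAT port as a connection closed
                 within `grace` seconds, and not a bare SYN.
    unsolicited: everything else; these deserve a closer look.
    """
    closed = {}  # (remote_ip, remote_port, pat_port) -> last teardown time
    result = defaultdict(list)
    for ts, event, rip, rport, pport, flags in sorted(records, key=lambda r: r[0]):
        key = (rip, rport, pport)
        if event == "teardown":
            closed[key] = ts
        elif event == "deny":
            last = closed.get(key)
            # A bare SYN opens a new connection; a web server answering a
            # client sends SYN+ACK, ACK, FIN or RST, never SYN alone.
            bare_syn = flags.split() == ["SYN"]
            if last is not None and 0 <= ts - last <= grace and not bare_syn:
                result["late_return"].append((ts, pport, flags))
            else:
                result["unsolicited"].append((ts, pport, flags))
    return dict(result)


if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE).items():
        print(verdict, hits)
```

If nearly every denied packet lands in late_return, the log is consistent with return traffic arriving after the firewall closed the connection; a large unsolicited bucket, especially bare SYNs to ports with no prior connection, is what would support the scanning hypothesis.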

