On Friday 13 December 2002 05:05 am, Byrne Ghavalas wrote:
> Hi All,

Hi,

Whenever I get a source-port-80-to-high-port scan I suspect network misconfiguration/lost state connection on the firewall. (Never attribute to malice that which can be adequately explained by stupidity) An easy way to check is telnet to port 80 on the source host. In this case:

[test@test test]$ telnet 194.78.225.36 80 Trying 194.78.225.36...
Connected to 194.78.225.36 (194.78.225.36). Escape character is '^]'.
GET / HTTP/1.0 HTTP/1.1 505 HTTP Version not supported
Date: Mon, 16 Dec 2002 15:03:11 GMT
Content-Length: 215
Content-Type: text/html
Server: Footprint Distributor V2.0
Connection: close

HTTP Version Not Supported

Hmm. "Footprint Distributor V2.0". Sounds like a load balancer. Some Googling turns up a product called "Footprint" from a company called Sandpiper that does distributed content caching. Lets see if they actually use the product to serve their own website:

[test@test test]$ telnet www.sandpiper.net 80 Trying 63.208.96.131...
Connected to unknown.Level3.net (63.208.96.131). Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.0 408 Request Time-out
Server: Footprint 2.0/FPMCP
Mime-Version: 1.0
Date: Mon, 16 Dec 2002 15:15:19 GMT
Content-Type: text/html
Content-Length: 653
Expires: Mon, 16 Dec 2002 15:15:19 GMT

Suspicion confirmed. My guess is that the probes you are getting are reply SYN-ACK packets from a webserver you are trying to visit. They have somehow misconfigured the load balancer and the replies are coming from the wrong IP address, so your firewall sees them as an entirely different connection and drops the packets.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

-Joe

-- 
   Joe Stewart  
  Senior Information Security Analyst 
-----------------------------------------
 "24x7 Enterprise Security Monitoring"
LURHQ Corporation  
http://www.lurhq.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com