
Possible port scanning from source port 80

19 years 11 months ago #6374 by gl0bal
Good day all

I am seeing what looks like port scanning activity and would like some help in confirming if this is port scanning activity and what likely steps a potential intruder may take next.

Summary
Over the last few days there has been the following type of traffic
Source IP: 69.93.x.x
Destination IP: 62.189.x.x
Protocol: Tcp
Source Port: 80
Destination Port: ranges vary, e.g. 1139 - 38811 (typically over 1024, both in the registered range and the dynamic range)
Destination IP: scans the range of Public IP addresses our company has

Does this look like known recon/port scan activity or fingerprinting? If it does what could be possible actions by the scanner who uses the info gathered? For example if you felt that it was vulnerability scanning does the scan signature indicate they are preparing for a specific intrusion method?

Action I have already taken
Identified the whois record for the reported source address and sent an email to the abuse email address for that ISP asking them to investigate.

Googled for port scans with source port of 80 - but not found any specifics that indicate this as a known method of scanning or a known indication of an attack.

Can you help me get a better grasp on this? There is a second source IP address that has been conducting the same activity against us, although they are registered in a different country from the main scanner.

Also tips or help that you feel like sharing in terms of accepted terminology, standard ways of submitting information for this type of scenario etc?

Any and all help/time is appreciated.
19 years 11 months ago #6381 by TheBishop
Replied by TheBishop on topic Scan
Hmm. Sahir is the king of this subject and I'll be waiting with interest to read his pearls of wisdom.
In the meantime however it might be good to capture a packet trace of the activity. You can then look at the structure of the packets and see if there's anything funny going on or whether it is just a series of straight probes on port 80. Could be somebody trying to find out which of your hosts support web servers as these have widely known and multiple vulnerabilities and so are a good place to attack. Especially the ones you're not actively 'using', where port 80 just happens to be open but isn't accessed. These are the ones that probably aren't patched...
Second reason for getting a packet trace is that if you do get hit then at least you have gathered some evidence for later. Burn the whole trace, unfiltered, to CD.
Finally if there are just two source addresses then block them. But keep watching the logs as they'll probably change address if they're serious
19 years 11 months ago #6385 by sahirh
Hmm, it sounds the wrong way around to me! While it is possible that an attacker would set his source port to 80 for a scan, the destination ports that you're talking about don't really make sense.. normally an attacker will scan for ports *below* 1024.

Y'know, it almost sounds to me like this is web traffic coming FROM your servers! An application on your servers has taken a high source port and is connecting to port 80 on that IP you mentioned.... While the first thing that you might think of is that you don't have any users surfing the net from your public IPs, consider the following..

1. Are any of these public IPs NATting for internal users who do surf?
2. Many applications use port 80 for different things.. examples include Liveupdate style programs, P2P, streaming media etc...

I suggest you take Bishop's advice.. run a full packet trace and save the logs for about a day.. then you can filter it for that IP..

While you're on the subject.. pop across to www.geektools.com and run a whois on that offending IP.. you might just find it belongs to Symantec or Akamai or Microsoft Windows update or similar services that might be used for liveupdating.

Also hop across to www.dshield.org and throw that offending IP in their database to find out if it's a known attacker...

Keep me posted I can help you with the packet traces if you want.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
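Sahir's point (source port 80 to high destination ports with no probing of ports below 1024 reads like return web traffic, not a scan) can be checked mechanically once the packet trace exists. The script below is an added example, not from this thread: it runs that heuristic over a few constructed firewall-style log lines (the format and the masked addresses are assumptions) and labels each source as reply traffic, scan, or ambiguous.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "src:port -> dst:port FLAGS" format.
# The first source mimics the poster's case (port 80 to high ports, ACK set);
# the second mimics a real scan (bare SYNs from port 80 to well-known ports).
SAMPLE_LOG = """\
2004-12-10 10:01:02 TCP 69.93.0.1:80 -> 62.189.0.10:1139 SA
2004-12-10 10:01:03 TCP 69.93.0.1:80 -> 62.189.0.10:1140 A
2004-12-10 10:01:05 TCP 69.93.0.1:80 -> 62.189.0.11:38811 SA
2004-12-10 10:02:07 TCP 198.51.100.7:80 -> 62.189.0.10:22 S
2004-12-10 10:02:07 TCP 198.51.100.7:80 -> 62.189.0.10:23 S
2004-12-10 10:02:08 TCP 198.51.100.7:80 -> 62.189.0.11:25 S
2004-12-10 10:02:08 TCP 198.51.100.7:80 -> 62.189.0.12:445 S
"""

LINE_RE = re.compile(r"TCP (\S+):(\d+) -> (\S+):(\d+) (\S+)$")

def parse(log):
    """Yield (src, sport, dst, dport, flags) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def classify(log, min_targets=3):
    """Per source IP sending from port 80: 'reply-traffic' when every packet
    carries ACK and goes to an ephemeral port (a server answering our hosts),
    'scan' when they are bare SYNs spread over several targets, else 'ambiguous'."""
    stats = defaultdict(lambda: {"syn_only": 0, "reply": 0, "low_ports": 0, "targets": set()})
    for src, sport, dst, dport, flags in parse(log):
        if sport != 80:
            continue
        s = stats[src]
        s["targets"].add((dst, dport))
        if flags == "S":
            s["syn_only"] += 1          # connection attempt initiated by the remote side
        elif "A" in flags:
            s["reply"] += 1             # SYN/ACK or ACK: half of an existing conversation
        if dport < 1024:
            s["low_ports"] += 1         # probing well-known ports, which replies never do
    verdicts = {}
    for src, s in stats.items():
        if s["syn_only"] and not s["reply"] and len(s["targets"]) >= min_targets:
            verdicts[src] = "scan"
        elif s["reply"] and not s["syn_only"] and not s["low_ports"]:
            verdicts[src] = "reply-traffic"
        else:
            verdicts[src] = "ambiguous"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(src, verdict)
```

A "reply-traffic" verdict is the cue to look on your own side for whatever is opening connections to that IP (NAT for surfing users, update agents, streaming), as the post suggests.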
19 years 11 months ago #6389 by gl0bal
Thanks sahirh and bishop

Will set up some packet capturing on Monday and will post some results/questions here. sahirh I will probably take you up on your offer of help with the packet decoding. Am going to try running snort and/or Ethereal.

sahirh I haven't forgotten about writing up the material following the workshop with McAfee I attended at their labs. Will post that early next week. May also have some info from a presentation I went to that talked about Microsoft and Cisco working together on Network Access Quarantine technology.
19 years 11 months ago #6391 by sahirh
Looking forward to it mate !

Hope the problem gets sorted out as well.


Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
19 years 11 months ago #6430 by gl0bal
Still making progress in this. I have built a fresh box (scavenged from about 4 P3 carcasses) and am using the knoppix-std distribution of Linux as the operating system, running directly from the bootable CD rather than being installed to the hard drive.

My reason for choosing this Linux distribution is that snort comes preinstalled as does a lot of other security and networking apps.

I am now taking a crash course in Linux and snort (a la surfing the web and interrogating the Dev team) so it is likely to be several days at least before I can start usefully analysing the data collected by snort.

However I am also taking preventive measures for our network perimeter by tightening up the ACLs on the Internet Gateway Router and deploying a more comprehensive patch management process for our network.

When I have some useful material from snort and our firewall I will come back with the results and any questions in a new posting.

Happy holidays to all
8)