Sorry Bernhard, you are being probed. The attacking system may have a
web server up and running and it using the port 80 source port for it
scans in an attempt to confuse the network admins looking at the logs.
Nmap ( http://www.insecure.org/nmap ) is the most likely candidate for
the portscanning tool being used, other commonly used source prots
include 53 and 20. What operating system are these web server's
running? Telnet to port 80 and try 'HEAD / ', if its a unix system then
you should send an email the the administrator of the machine letting
them know that thier address was probing you. It could be that somone
had broken into the server and is using it as a scanning point. Best of
luck ;)
-HD Moore
http://nlog.ings.com
http://www.phunc.com
Bernhard Petri wrote:
>
> Hello and Good Day,
> I sometimes see strange log entries in our firewall log. They always
> come from a webserver and use source port HTTP. Because they use a range
> of destination ports (services) it looks like a port scan. But I don't
> think it's an attack, because when I connect to one of the sources with
> a webbrowser I just get (part of) a webpage. So it seems to be a certain
> behaviour of the HTTP protocol, interpreted from the firewall as a
> connection from the outside. Who can explain this ?
> Kind regards
> Bernd
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
