Outbound Traffic on Reserved Ports?

Dave
Jun 25, 2003
Archived from groups: microsoft.public.win2000.security

Hi all,

Is it normal for Windows 2000 servers to INITIATE
connections on reserved ports? For example, my firewall
shows that my IIS web servers are initiating LOTS of
outbound connections from port 80. To my knowledge,
connections to port 80 should be only inbound.

I am also seeing this on other ports, like 25 and 53,
originating from mail and DNS servers, respectively.

Is this an indication that a trojan/worm is attempting to
'phone home' from an unsuspicious port?

Any advice is greatly appreciated.
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

It depends what kind of firewall you have.

If the TCP timeout window is set too low, then this is how the Web server
replies appear in your firewall records as new connections initiated from the
Web server out. On less worthy firewalls, this is a common occurrence.

Additionally, some firewalls that state that their stateful inspection
firewalls do not really handle state-based connections well and report these
connections erroneously as well.

Can you bump up the TCP timeout window on your firewall?

The only other thing I'd check out is if your Web server is indeed sending
out 80/TCP connections using netstat -an and/or using a program like fport
from Foundstone to determine what software is communicating outbound (THIS
COULD BE A VIRUS OR SPYWARE/ADWARE CALLING HOME).
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

"Dave" wrote:

> Hi all,
>
> Is it normal for Windows 2000 servers to INITIATE
> connections on reserved ports? For example, my firewall
> shows that my IIS web servers are initiating LOTS of
> outbound connections from port 80. To my knowledge,
> connections to port 80 should be only inbound.
>
> I am also seeing this on other ports, like 25 and 53,
> originating from mail and DNS servers, respectively.
>
> Is this an indication that a trojan/worm is attempting to
> 'phone home' from an unsuspicious port?
>
> Any advice is greatly appreciated.
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Aha!!! That sounds reasonable, given the symptoms. I'm
using a Netscreen 5XT (and can't find a TCP timeout setting
right off, but will do some digging). I can only hope that
this is affecting just the logs and not the actual
connections, being that I AM blocking those outbound 80s,
just in case it's a trojan.

Thank you for the very valuable info!!!

>-----Original Message-----
>It depends what kind of firewall you have.
>
>If the TCP timeout window is set too low, then this is how the Web server
>replies appear in your firewall records as new connections initiated from the
>Web server out. On less worthy firewalls, this is a common occurrence.
>
>Additionally, some firewalls that state that their stateful inspection
>firewalls do not really handle state-based connections well and report these
>connections erroneously as well.
>
>Can you bump up the TCP timeout window on your firewall?
>
>The only other thing I'd check out is if your Web server is indeed sending
>out 80/TCP connections using netstat -an and/or using a program like fport
>from Foundstone to determine what software is communicating outbound (THIS
>COULD BE A VIRUS OR SPYWARE/ADWARE CALLING HOME).
>http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
>
>"Dave" wrote:
>
>> Hi all,
>>
>> Is it normal for Windows 2000 servers to INITIATE
>> connections on reserved ports? For example, my firewall
>> shows that my IIS web servers are initiating LOTS of
>> outbound connections from port 80. To my knowledge,
>> connections to port 80 should be only inbound.
>>
>> I am also seeing this on other ports, like 25 and 53,
>> originating from mail and DNS servers, respectively.
>>
>> Is this an indication that a trojan/worm is attempting to
>> 'phone home' from an unsuspicious port?
>>
>> Any advice is greatly appreciated.
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Most likely those are the Responses to user connections. You might check your
IIS logs to see if this traffic corresponds with IP addresses of users that
have connected to your webserver. If the "outbound" connections are to
various unprivileged ports then it almost surely is response traffic. You
could also try netmon or Ethereal to see if those are syn packets which
would indicate traffic trying to establish a new connection to the
destination IP. --- Steve


"Dave" <anonymous@discussions.microsoft.com> wrote in message
news:016d01c512dd$0632ebc0$a601280a@phx.gbl...
> Hi all,
>
> Is it normal for Windows 2000 servers to INITIATE
> connections on reserved ports? For example, my firewall
> shows that my IIS web servers are initiating LOTS of
> outbound connections from port 80. To my knowledge,
> connections to port 80 should be only inbound.
>
> I am also seeing this on other ports, like 25 and 53,
> originating from mail and DNS servers, respectively.
>
> Is this an indication that a trojan/worm is attempting to
> 'phone home' from an unsuspicious port?
>
> Any advice is greatly appreciated.
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I should clarify that only the first outbound packet would be a syn packet
if your server was trying to establish a connection with another
computer. --- Steve

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OVq7hwxEFHA.464@TK2MSFTNGP15.phx.gbl...
> Most likely those are the Responses to user connections. You might check
> your IIS logs to see if this traffic corresponds with IP addresses of
> users that have connected to your webserver. If the "outbound"
> connections are to various unprivileged ports then it almost surely is
> response traffic. You could also try netmon or Ethereal to see if those
> are syn packets which would indicate traffic trying to establish a new
> connection to the destination IP. --- Steve
>
>
> "Dave" <anonymous@discussions.microsoft.com> wrote in message
> news:016d01c512dd$0632ebc0$a601280a@phx.gbl...
>> Hi all,
>>
>> Is it normal for Windows 2000 servers to INITIATE
>> connections on reserved ports? For example, my firewall
>> shows that my IIS web servers are initiating LOTS of
>> outbound connections from port 80. To my knowledge,
>> connections to port 80 should be only inbound.
>>
>> I am also seeing this on other ports, like 25 and 53,
>> originating from mail and DNS servers, respectively.
>>
>> Is this an indication that a trojan/worm is attempting to
>> 'phone home' from an unsuspicious port?
>>
>> Any advice is greatly appreciated.
>
>
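A small check, added here as an example and not part of any post in this thread, that combines the two suggestions Steve makes above: correlate the firewall's "outbound from port 80" entries with the client IPs recorded in the IIS log, and use the TCP flags to separate a bare SYN (the server genuinely opening a new connection, which is what a phone-home would look like) from a SYN-ACK or ACK (a reply to a client whose state the firewall has already dropped). The firewall log format, both sample logs and all addresses are constructed for the example; the NetScreen 5XT's real syslog format is not reproduced, so the regex would need adapting to a real device.

```python
import re
from dataclasses import dataclass

# Constructed sample firewall log (hypothetical format, not NetScreen's):
#   time src_ip:src_port -> dst_ip:dst_port proto flags
# Flags: S = SYN, A = ACK, so "SA" is a SYN-ACK and "S" alone is a new connection.
FIREWALL_LOG = """\
10:01:02 10.1.1.5:80 -> 203.0.113.10:51234 TCP SA
10:01:03 10.1.1.5:80 -> 203.0.113.10:51234 TCP A
10:01:09 10.1.1.5:80 -> 198.51.100.7:40021 TCP A
10:02:15 10.1.1.5:80 -> 192.0.2.99:6667 TCP S
10:02:40 10.1.1.5:80 -> 192.0.2.50:25 TCP S
"""

# Constructed sample IIS 5.0 W3C extended log; the #Fields line names the columns.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem s-port sc-status
2005-02-14 10:01:02 203.0.113.10 GET /index.htm 80 200
2005-02-14 10:01:05 203.0.113.10 GET /images/logo.gif 80 200
"""

FW_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<flags>\w+)$"
)


@dataclass
class Verdict:
    dst: str
    dport: int
    flags: str
    label: str


def iis_client_ips(log_text):
    """Collect every client IP (c-ip column) from a W3C extended IIS log."""
    ips = set()
    c_ip_index = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column positions come from the header, so a reordered log still parses.
            c_ip_index = line.split()[1:].index("c-ip")
            continue
        if line.startswith("#") or not line.strip() or c_ip_index is None:
            continue
        cols = line.split()
        if len(cols) > c_ip_index:
            ips.add(cols[c_ip_index])
    return ips


def classify_outbound(fw_log_text, known_clients, service_port=80):
    """Label each firewall entry whose source port is the service port."""
    verdicts = []
    for line in fw_log_text.splitlines():
        m = FW_RE.match(line)
        if not m or int(m["sport"]) != service_port:
            continue
        flags = m["flags"].upper()
        dport = int(m["dport"])
        dst = m["dst"]
        if "S" in flags and "A" not in flags:
            # Only the first packet of a server-initiated connection is a bare SYN.
            label = "INITIATED: bare SYN from the service port, server is opening a connection"
        elif dport < 1024:
            # A client reply goes back to an ephemeral port, not a privileged one.
            label = "SUSPECT: outbound to a privileged port, not a client reply"
        elif dst in known_clients:
            label = "RESPONSE: destination matches a client seen in the IIS log"
        else:
            label = "PROBABLE RESPONSE: reply-shaped but no IIS log match, check firewall state timeout"
        verdicts.append(Verdict(dst, dport, flags, label))
    return verdicts


def summarize(verdicts):
    """Count verdicts by their leading category word."""
    counts = {}
    for v in verdicts:
        key = v.label.split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    clients = iis_client_ips(IIS_LOG)
    for v in classify_outbound(FIREWALL_LOG, clients):
        print(f"{v.dst}:{v.dport} [{v.flags}] {v.label}")
    print(summarize(classify_outbound(FIREWALL_LOG, clients)))
```

Only the "INITIATED" and "SUSPECT" rows are worth chasing on the host with netstat -an and fport, as the first reply recommends; the "RESPONSE" rows are the stale-state logging artefact the thread describes, and raising the firewall's TCP timeout is the fix for those.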