Outbound Traffic on Reserved Ports?

Dave

Hi all,

Is it normal for Windows 2000 servers to INITIATE
connections on reserved ports? For example, my firewall
shows that my IIS web servers are initiating LOTS of
outbound connections from port 80. To my knowledge,
connections to port 80 should be only inbound.

I am also seeing this on other ports, like 25 and 53,
originating from mail and DNS servers, respectively.

Is this an indication that a trojan/worm is attempting to
'phone home' from an unsuspicious port?

Any advice is greatly appreciated.
 
It depends what kind of firewall you have.

If the TCP timeout window is set too low, then Web server replies appear in
your firewall records as new connections initiated from the Web server out. On
less worthy firewalls, this is a common occurrence.

Additionally, some firewalls that claim to do stateful inspection do not really
handle state-based connections well and report these connections erroneously as
well.

Can you bump up the TCP timeout window on your firewall?

The only other thing I'd check out is if your Web server is indeed sending
out 80/TCP connections using netstat -an and/or using a program like fport
from Foundstone to determine what software is communicating outbound (THIS
COULD BE A VIRUS OR SPYWARE/ADWARE CALLING HOME).
http://www.foundstone.com/index.htm....htm&subcontent=/resources/proddesc/fport.htm
 
Aha!!! That sounds reasonable, given the symptoms. I'm
using a Netscreen 5XT (and can't find a TCP timeout setting
right off, but will do some digging). I can only hope that
this is affecting just the logs and not the actual
connections, being that I AM blocking those outbound 80s,
just in case it's a trojan.

Thank you for the very valuable info!!!
 
Most likely those are the responses to user connections. You might check your
IIS logs to see if this traffic corresponds with IP addresses of users that
have connected to your webserver. If the "outbound" connections are to
various unprivileged ports then it almost surely is response traffic. You
could also try netmon or Ethereal to see if those are syn packets which
would indicate traffic trying to establish a new connection to the
destination IP. --- Steve
 
I should clarify that only the first outbound packet would be a SYN packet
if your server was trying to establish a connection with another
computer. --- Steve
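The triage Steve describes, as an added example (not code from the thread): each "outbound from port 80/25" firewall entry is checked for a bare SYN (a real server-initiated connection), for a high-numbered destination port, and against the client IPs seen in the server's own logs. Log lines, the client list and the field layout are constructed for illustration, not a Netscreen or IIS format.

```python
# Constructed firewall entries: src:sport -> dst:dport plus TCP flags.
FIREWALL_LOG = """\
10.0.0.5:80 -> 203.0.113.10:51234 flags=SYN,ACK
10.0.0.5:80 -> 203.0.113.10:51234 flags=PSH,ACK
10.0.0.5:80 -> 198.51.100.7:80 flags=SYN
10.0.0.9:25 -> 192.0.2.44:40001 flags=ACK
10.0.0.9:25 -> 192.0.2.99:25 flags=SYN
"""

# Constructed set of client IPs found in the web/mail server logs for the
# same time window (Steve's suggestion: correlate with IIS logs).
KNOWN_CLIENTS = {"203.0.113.10"}


def parse(line):
    """Split one constructed log line into its addressing fields."""
    left, right = line.split(" -> ")
    src_ip, src_port = left.split(":")
    dst, flag_field = right.split(" flags=")
    dst_ip, dst_port = dst.split(":")
    return src_ip, int(src_port), dst_ip, int(dst_port), set(flag_field.split(","))


def classify(line, known_clients=KNOWN_CLIENTS):
    """Decide whether an 'outbound' entry is a reply or a new connection."""
    _src_ip, _sport, dst_ip, dport, flags = parse(line)
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN leaving the server is the first packet of a connection
        # the server itself opened: worth a netstat/fport look on that host.
        return "new-outbound"
    if dport >= 1024 and dst_ip in known_clients:
        # Reply to an ephemeral client port, and the client is in our logs.
        return "response-known-client"
    if dport >= 1024:
        # Reply-shaped traffic (ACK to an unprivileged port) but no log match.
        return "response-probable"
    return "unclear"


def triage(log=FIREWALL_LOG, known_clients=KNOWN_CLIENTS):
    """Return (line, verdict) pairs for every non-empty log line."""
    return [(l, classify(l, known_clients)) for l in log.splitlines() if l.strip()]
```

Entries tagged as responses point at the firewall's TCP timeout or state tracking; only the "new-outbound" ones need the on-host check with netstat -an or fport.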
 