I have a hosting client who is reporting back to me that he is seeing port scan attempts from the IP of the server I host his company's website on. I'm unaware of what program he is using, but apparently the company's primary IP is being port scanned over port 443 (SSL).
The log snippets he sent over match up with the SSL access log of the site, so is this a fault monitoring program, or is my server pinging their IP back during SSL access?
Port 443 is actually the HTTPS port. It is common for hosts to allow SSH access to port 443 because most company web proxies will allow a transparent connection to be made to this port, and this port only.
What you are seeing is somebody attempting to gain SSH to the box, either through the normal port (22) or through a commonly-used alternative (443).
A) Run a check on your system with ClamAV to see if anything out of the ordinary is detected.
B) Run rootkit checkers to see if they find anything out of the ordinary.
C) Run a packet sniffer (tcpdump, wireshark) on your server in question to see if there's unusual traffic running through it.
D) Check /tmp, /var/log, etc. to see if there are any unusual temp files or logfiles deposited there.
E) Do you happen to have any programs like tripwire installed to look for unusual changes to system files?
F) Check with other admins to see if they've been doing something with that server that could trigger a check on the remote system.
What exactly does the log SAY is happening? Requesting a particular file? Just pinging it? Are they running a listening process on 443 that logs what is happening, or do they have a legit process handling requests on that port? You can narrow down a little bit (or eliminate other possibilities) by looking at what is in the request. Also, is your server's IP showing up somewhere else in their logs, like requesting non-SSL web pages or something like that?
Is your system scanning other machines in your network? Is the IP showing up for unusual activity in other servers' logs?
You can also set up something like Snort or Honeyd within your network for continued monitoring to see if something's going on. My advice on the clam and rootkit checkers is that they are only half-solutions, since if your system IS compromised, only an offline check may actually find malware if the system binaries have been compromised (unless you have another server of the same configuration against which you can run md5 checksums on certain binaries to see if they've been tampered with).
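The "compare checksums against a same-configuration server" check at the end of this answer is easy to script. The following is an added example and not code from the poster: it builds a manifest of binary hashes on the known-good host, then reports what differs on the suspect host. It assumes a constructed list of paths (`DEFAULT_PATHS`, adjust for your build) and uses SHA-256 rather than the md5 the answer mentions; both ship with any Linux Python. The same caveat the answer gives still applies: the interpreter and libc doing the hashing live on the suspect machine, so an offline check from trusted media remains the stronger option.

```python
import hashlib

# Constructed list of binaries an attacker commonly replaces; extend it for your system.
DEFAULT_PATHS = ["/bin/ls", "/bin/ps", "/usr/bin/netstat", "/usr/bin/md5sum", "/bin/login"]


def hash_bytes(data):
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(paths):
    """Map path -> digest; a file that is missing or unreadable maps to None."""
    manifest = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                manifest[p] = hash_bytes(f.read())
        except OSError:
            manifest[p] = None
    return manifest


def compare_manifests(reference, suspect):
    """Return {path: reason} for every path that is not identical on both hosts."""
    findings = {}
    for p in sorted(set(reference) | set(suspect)):
        r = reference.get(p)
        s = suspect.get(p)
        if r == s:
            continue                      # same digest, or absent on both
        if r is not None and s is None:
            findings[p] = "missing_on_suspect"
        elif r is None and s is not None:
            findings[p] = "unexpected_on_suspect"
        else:
            findings[p] = "modified"
    return findings


if __name__ == "__main__":
    # On the reference host:  python3 hashcheck.py build > reference.json
    # On the suspect host:    python3 hashcheck.py check reference.json
    import json
    import sys

    if len(sys.argv) == 2 and sys.argv[1] == "build":
        print(json.dumps(build_manifest(DEFAULT_PATHS), indent=1))
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        with open(sys.argv[2]) as f:
            reference = json.load(f)
        diffs = compare_manifests(reference, build_manifest(list(reference)))
        for path, reason in diffs.items():
            print(f"{reason}: {path}")
        sys.exit(1 if diffs else 0)
    else:
        print("usage: hashcheck.py build | check reference.json")
```

Copy `reference.json` to the suspect over a channel you trust (scp from the clean host, not a download initiated on the suspect), and treat any `modified` line on a core binary as grounds for the offline check the answer recommends.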
You can run a full port scan using nmap (http://nmap.org/). It has a GUI called Zenmap GUI (http://nmap.org/zenmap/).
It's one of the best security scanners out there.
I would bet that the attempts are coming from a web browser.
He is misinterpreting what he is seeing in his firewall logs.
Here's what is happening:
Because his firewall somehow stopped tracking the connection, this last packet from you is seen as a new connection, which it isn't.
This is happening a lot to him, possibly hundreds or thousands of times a day/hour/minute. He or his IDS is incorrectly detecting this as a port scan, all with the source port 443.
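This explanation, together with the question's observation that the client's snippets line up with the server's SSL access log, can be checked mechanically rather than argued. The following Python script is an added example and not code from any of the posters: it correlates firewall-log lines with access-log lines and labels each reported "scan" entry. Both logs are constructed samples; the firewall format is a simplified iptables-style line with an ISO timestamp (a real product's log needs its own regex), the server address 198.51.100.20 and client address 203.0.113.7 are documentation addresses chosen for the sample, and the five-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: two lines from the server's SSL access log (Apache combined format).
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:02:12 +0000] "GET /style.css HTTP/1.1" 200 830 "-" "Mozilla/5.0"
"""

# Constructed sample: what the client's firewall reported as "port scans" from the server.
# Simplified iptables-style format with an ISO timestamp; not a real product's output.
FIREWALL_LOG = """\
2023-10-10T14:02:41+00:00 DROP SRC=198.51.100.20 DST=203.0.113.7 PROTO=TCP SPT=443 DPT=52114 FLAGS=FIN,ACK
2023-10-10T14:03:05+00:00 DROP SRC=198.51.100.20 DST=203.0.113.7 PROTO=TCP SPT=443 DPT=52114 FLAGS=ACK
2023-10-10T18:30:00+00:00 DROP SRC=198.51.100.20 DST=203.0.113.7 PROTO=TCP SPT=443 DPT=52990 FLAGS=RST,ACK
2023-10-10T18:31:00+00:00 DROP SRC=198.51.100.20 DST=203.0.113.7 PROTO=TCP SPT=44021 DPT=22 FLAGS=SYN
"""

SERVER_IP = "198.51.100.20"    # constructed address of the hosted web server
WINDOW = timedelta(minutes=5)  # assumed: how long after a request leftover packets may still arrive

ACCESS_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")
FW_RE = re.compile(r"^(?P<ts>\S+) \S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
                   r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)")


def parse_access_log(text):
    """Return (client_ip, timestamp) pairs from Apache combined-format lines."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            out.append((m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")))
    return out


def parse_firewall_log(text):
    """Return one dict per firewall line with typed timestamp, ports and flag set."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["spt"], d["dpt"] = int(d["spt"]), int(d["dpt"])
            d["flags"] = set(d["flags"].split(","))
            events.append(d)
    return events


def classify(event, access_entries):
    """Label one firewall event: leftover of a real HTTPS session, or something to investigate."""
    if event["src"] != SERVER_IP or event["proto"] != "TCP":
        return "not_from_server"
    if "SYN" in event["flags"] and "ACK" not in event["flags"]:
        # A fresh connection opened by the server: the only shape a genuine outbound scan has.
        return "outbound_connect_attempt"
    if event["spt"] == 443:
        recent = [ts for ip, ts in access_entries
                  if ip == event["dst"] and timedelta(0) <= event["ts"] - ts <= WINDOW]
        if recent:
            return "stale_https_session"  # late FIN/ACK/RST of a session the client itself opened
        return "https_reply_no_matching_request"
    return "unexplained"


def triage(firewall_text=FIREWALL_LOG, access_text=ACCESS_LOG):
    """Classify every firewall event against the access log; returns labels in log order."""
    access = parse_access_log(access_text)
    return [classify(ev, access) for ev in parse_firewall_log(firewall_text)]


if __name__ == "__main__":
    for ev, label in zip(parse_firewall_log(FIREWALL_LOG), triage()):
        print(ev["ts"].isoformat(), f"SPT={ev['spt']} DPT={ev['dpt']}", sorted(ev["flags"]), "->", label)
```

A FIN/ACK, ACK or RST with source port 443 that follows a request from the same client in the access log is exactly the stale-connection case this answer describes, and the client can confirm it by widening his firewall's connection-tracking timeout or by checking his own browser history against the timestamps. Entries with source port 443 and no matching request deserve a look at the access log around that time (the answer's "hundreds or thousands of times a day" will usually explain them). Only a SYN without ACK leaving the server is the shape a real outbound connection attempt would have; those are the lines worth following up with the tcpdump check suggested in an earlier answer.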