Been noticing in our firewall logs that three connections are being constantly established every 5 minutes from our web server and trying to send a packet to destination port 43 (whois port), cycling through all source ports (e.g. 59466, 59467, 59468, then 5 minutes later the next 3 ports) to 3 different IP addresses:
193.0.6.135, 200.3.14.10, 196.216.2.130
Ripe, Lacnic, and Afrinic
I understand that all 3 companies are Internet IP registrars, but how it's cycling through all of our source ports every 5 minutes sending packets seems odd. It looks like reverse port scanning to me. Is this normal?
EDIT:
tcpdump output; this one was only 2 minutes apart. Noticed that there are patches where it'll run 20 times in a row within the same minute. The speed and frequency varies, but I haven't seen a gap bigger than 5 minutes.
[user@xxxxxxx xxxxxxx]# tcpdump -v -s 5000 -i eth0 port 35921 or port 35920 or port 35919 or port 35916 or port 35917 or port 35918
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 5000 bytes
08:56:33.517976 IP (tos 0x0, ttl 64, id 8127, offset 0, flags [DF], proto 6, length: 60) 192.168.xxx.xxx.35916 > whois.ripe.net.nicname: S [tcp sum ok] 2154741398:2154741398(0) win 5840 <mss 1460,sackOK,timestamp 67215657 0,nop,wscale 9>
08:56:33.520288 IP (tos 0x0, ttl 64, id 59697, offset 0, flags [DF], proto 6, length: 60) 192.168.xxx.xxx.35917 > registro.lacnic.net.nicname: S [tcp sum ok] 2139834394:2139834394(0) win 5840 <mss 1460,sackOK,timestamp 67215659 0,nop,wscale 9>
08:56:33.522705 IP (tos 0x0, ttl 64, id 33392, offset 0, flags [DF], proto 6, length: 60) 192.168.xxx.xxx.35918 > whois.afrinic.net.nicname: S [tcp sum ok] 2140808030:2140808030(0) win 5840 <mss 1460,sackOK,timestamp 67215662 0,nop,wscale 9>
08:58:32.773110 IP (tos 0x0, ttl 64, id 28764, offset 0, flags [DF], proto 6, length: 60) 192.168.xxx.xxx.35919 > whois.ripe.net.nicname: S [tcp sum ok] 2259878735:2259878735(0) win 5840 <mss 1460,sackOK,timestamp 67334931 0,nop,wscale 9>
08:58:32.776580 IP (tos 0x0, ttl 64, id 44263, offset 0, flags [DF], proto 6, length: 60) 192.168.xxx.xxx.35920 > registro.lacnic.net.nicname: S [tcp sum ok] 2259083248:2259083248(0) win 5840 <mss 1460,sackOK,timestamp 67334935 0,nop,wscale 9>
08:58:32.778395 IP (tos 0x0, ttl 64, id 39072, offset 0, flags [DF], proto 6, length: 60) 192.168.xxx.xxx.35921 > whois.afrinic.net.nicname: S [tcp sum ok] 2267212728:2267212728(0) win 5840 <mss 1460,sackOK,timestamp 67334936 0,nop,wscale 9>
The traffic itself is probably legitimate, though running it every five minutes is probably not.
This looks like standard whois traffic; it's being sent on the whois port and it's being sent to official whois servers.
However, the fact that it's happening on exact five minute intervals suggests an automated process is running the queries. The registries aren't going to like this much, and they may cut you off if it gets excessive.
You may find it useful to capture the traffic contents and inspect them to see what whois records are actually being looked up. This may give you a clue to what might be originating the queries.
If the server is running Linux, you may be able to write a systemtap script to find the process originating the queries.
(The source ports are irrelevant; that's a choice of the operating system. Go read TCP/IP Illustrated or another good IP reference if you want more details on that non-issue.)
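The two suggestions above (look at what is actually being queried, and find the process that originates the queries) can be worked through offline against the capture format shown in the question. The following is an added example, not code from the original post or either answer: it parses tcpdump SYN lines in the question's format, groups them into bursts, reports the interval between bursts and which registry each burst hits, and then parses `ss -tanp` output to map the sockets to the owning process. All inputs are constructed for the example; the addresses, source ports and the `perl` process in the `ss` sample are made up, not observed on the asker's server.

```python
"""Triage of periodic outbound whois (TCP/43) traffic.

Added example, not code from the original post. Two steps:
  1. bursts()/burst_intervals(): group outbound SYNs from a tcpdump capture
     (same line format as the question) into bursts and measure the gaps.
  2. whois_clients(): map sockets to remote port 43 to their owning process
     from `ss -tanp` output.
Every input below is constructed; the process name/pid are invented.
"""
import re
from collections import defaultdict

# Constructed capture in the question's tcpdump format. The fourth line is the
# SYN-ACK coming back from RIPE; it must not be counted as an outbound query.
SAMPLE_TCPDUMP = """\
08:56:33.517976 IP (tos 0x0, ttl 64, id 8127, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35916 > whois.ripe.net.nicname: S [tcp sum ok] 2154741398:2154741398(0) win 5840 <mss 1460,sackOK,timestamp 67215657 0,nop,wscale 9>
08:56:33.520288 IP (tos 0x0, ttl 64, id 59697, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35917 > registro.lacnic.net.nicname: S [tcp sum ok] 2139834394:2139834394(0) win 5840 <mss 1460,sackOK,timestamp 67215659 0,nop,wscale 9>
08:56:33.522705 IP (tos 0x0, ttl 64, id 33392, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35918 > whois.afrinic.net.nicname: S [tcp sum ok] 2140808030:2140808030(0) win 5840 <mss 1460,sackOK,timestamp 67215662 0,nop,wscale 9>
08:56:33.540001 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto 6, length: 60) whois.ripe.net.nicname > 192.168.1.10.35916: S [tcp sum ok] 1000:1000(0) ack 2154741399 win 5792 <mss 1460,sackOK,timestamp 1 67215657,nop,wscale 7>
08:58:32.773110 IP (tos 0x0, ttl 64, id 28764, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35919 > whois.ripe.net.nicname: S [tcp sum ok] 2259878735:2259878735(0) win 5840 <mss 1460,sackOK,timestamp 67334931 0,nop,wscale 9>
08:58:32.776580 IP (tos 0x0, ttl 64, id 44263, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35920 > registro.lacnic.net.nicname: S [tcp sum ok] 2259083248:2259083248(0) win 5840 <mss 1460,sackOK,timestamp 67334935 0,nop,wscale 9>
08:58:32.778395 IP (tos 0x0, ttl 64, id 39072, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35921 > whois.afrinic.net.nicname: S [tcp sum ok] 2267212728:2267212728(0) win 5840 <mss 1460,sackOK,timestamp 67334936 0,nop,wscale 9>
09:03:32.773110 IP (tos 0x0, ttl 64, id 40001, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35922 > whois.ripe.net.nicname: S [tcp sum ok] 2300000001:2300000001(0) win 5840 <mss 1460,sackOK,timestamp 67634931 0,nop,wscale 9>
09:03:32.776580 IP (tos 0x0, ttl 64, id 40002, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35923 > registro.lacnic.net.nicname: S [tcp sum ok] 2300000002:2300000002(0) win 5840 <mss 1460,sackOK,timestamp 67634935 0,nop,wscale 9>
09:03:32.778395 IP (tos 0x0, ttl 64, id 40003, offset 0, flags [DF], proto 6, length: 60) 192.168.1.10.35924 > whois.afrinic.net.nicname: S [tcp sum ok] 2300000003:2300000003(0) win 5840 <mss 1460,sackOK,timestamp 67634936 0,nop,wscale 9>
"""

# Outbound SYN: "HH:MM:SS.usec IP (...header...) src.sport > dst.dport: S ..."
# sport must be numeric, so a returning SYN-ACK (src ends in ".nicname") never matches.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP .*?\) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): S\b"
)
WHOIS_PORTS = ("nicname", "43")  # service name without -n, number with -n


def _seconds(ts: str) -> float:
    """Time of day from a tcpdump timestamp, as seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def bursts(capture: str, gap: float = 5.0):
    """Group outbound whois SYNs into bursts; a gap of more than `gap` seconds
    since the previous SYN starts a new burst. Each burst records its start
    time, the destinations hit and the source ports used."""
    result = []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if not m or m["dport"] not in WHOIS_PORTS:
            continue
        t = _seconds(m["ts"])
        if result and t - result[-1]["last"] <= gap:
            result[-1]["last"] = t
            result[-1]["dst"].append(m["dst"])
            result[-1]["sport"].append(int(m["sport"]))
        else:
            result.append({"start": t, "last": t, "dst": [m["dst"]],
                           "sport": [int(m["sport"])]})
    return result


def burst_intervals(capture: str, gap: float = 5.0):
    """Seconds between the start of consecutive bursts (rounded to ms)."""
    b = bursts(capture, gap)
    return [round(b[i]["start"] - b[i - 1]["start"], 3) for i in range(1, len(b))]


# Constructed `ss -tanp` output (process name and pids are invented).
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port    Peer Address:Port     Process
SYN-SENT 0      1      192.168.1.10:35925    193.0.6.135:43        users:(("perl",pid=4123,fd=5))
SYN-SENT 0      1      192.168.1.10:35926    200.3.14.10:43        users:(("perl",pid=4123,fd=6))
ESTAB    0      0      192.168.1.10:35927    196.216.2.130:43      users:(("perl",pid=4123,fd=7))
ESTAB    0      0      192.168.1.10:44210    10.0.0.5:3306         users:(("httpd",pid=2210,fd=12))
LISTEN   0      128    0.0.0.0:80            0.0.0.0:*             users:(("httpd",pid=2200,fd=4))
"""
SS_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def whois_clients(ss_output: str, port: int = 43):
    """Map (process name, pid) -> list of peer hosts for every socket whose
    remote port is `port`, from `ss -tanp` output (header line skipped)."""
    clients = defaultdict(list)
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5:
            continue
        host, _, peer_port = cols[4].rpartition(":")
        if peer_port != str(port):
            continue
        m = SS_PROC_RE.search(line)
        owner = (m["name"], int(m["pid"])) if m else ("unknown", None)
        clients[owner].append(host)
    return dict(clients)


if __name__ == "__main__":
    for b in bursts(SAMPLE_TCPDUMP):
        print(f"burst at {b['start']:.3f}s: {b['dst']} from ports {b['sport']}")
    print("intervals between bursts (s):", burst_intervals(SAMPLE_TCPDUMP))
    for (name, pid), peers in whois_clients(SAMPLE_SS).items():
        print(f"{name}[{pid}] talks to {peers} on port 43")
```

On the live server the same idea applies with real input: `ss -tanp | grep ':43 '` run in a loop will catch the sockets while they exist, and because each connection is short-lived, `auditctl -a always,exit -F arch=b64 -S connect -k whois` followed by `ausearch -k whois -i` records every `connect()` together with the pid and command name without having to be watching at the right moment. To see the records being looked up, capture the payload with `tcpdump -A -s 0 -i eth0 'tcp dst port 43'`: a whois query is a single text line sent by the client right after the handshake.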
I found out on my server that the /usr/local/cpanel/scripts/update_spamassassin_config script accesses these whois servers for updating its configuration. Maybe this has to do with spamassassin, in which case it is very probably legitimate. If this is running on a server with spamassassin, please check its update interval.