Hello,

Since the latest upgrade to Zimbra 7.2.1 NE a few weeks ago (on an up-to-date SLES 11 setup), I got some complaints from a customer: according to his firewalls, the Zimbra server is doing a portscan every few minutes. Here is how the log looks:

firewall log:

11/14/2012 11:53:16.480 - Alert - Intrusion Prevention - 	Probable port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 55906, X1 - 	TCP scanned port list, 48650, 40144, 5202, 37179, 16333, 5274, 3609, 34275, 58524, 55906
11/14/2012 11:57:33.064 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 21232, X1 - 	TCP scanned port list, 17005, 16336, 12098, 9669, 28908
11/14/2012 12:03:18.464 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 57329, X1 - 	TCP scanned port list, 55750, 24895, 37330, 29572, 31862
11/14/2012 12:08:07.688 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 8150, X1 - 	TCP scanned port list, 51402, 4663, 4684, 15533, 28942
11/14/2012 12:11:47.672 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 8747, X1 - 	TCP scanned port list, 61681, 26103, 21170, 47695, 48238
11/14/2012 12:13:57.480 - Alert - Intrusion Prevention - 	Probable port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 40388, X1 - 	TCP scanned port list, 61681, 26103, 21170, 47695, 48238, 8747, 38483, 51928, 20877, 40388
11/14/2012 12:17:02.752 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 48297, X1 - 	TCP scanned port list, 59216, 27193, 30854, 28642, 24934
11/14/2012 12:19:10.320 - Alert - Intrusion Prevention - 	Probable port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 41190, X1 - 	TCP scanned port list, 59216, 27193, 30854, 28642, 24934, 48297, 55944, 36076, 35135, 41190
11/14/2012 12:23:17.064 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 35341, X1 - 	TCP scanned port list, 25381, 5234, 62321, 39838, 61117
11/14/2012 12:25:20.496 - Alert - Intrusion Prevention - 	Probable port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 28696, X1 - 	TCP scanned port list, 25381, 5234, 62321, 39838, 61117, 35341, 45065, 63264, 18813, 28696
11/14/2012 12:29:17.544 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 45782, X1 - 	TCP scanned port list, 61076, 42209, 20011, 61031, 6807
11/14/2012 12:47:47.432 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 29980, X1 - 	TCP scanned port list, 5689, 5458, 40864, 63736, 7362
11/14/2012 12:51:14.304 - Alert - Intrusion Prevention - 	Possible port scan detected - 	zimbra.server, 443, X1, zimbra.server - 	client.gw, 3819, X1 - 	TCP scanned port list, 27927, 65258, 21439, 14055, 10457


tcpdump right on the zimbra server:

14:58:21.013869 IP client.gw.49195 > zimbra.server.80: . ack 1332 win 16258
14:58:21.014130 IP client.gw.49195 > zimbra.server.80: F 3319:3319(0) ack 1332 win 16258
14:58:21.014142 IP zimbra.server.80 > client.gw.49195: . ack 3320 win 171
14:58:34.537601 IP zimbra.server.443 > client.gw.18767: P 1253:1290(37) ack 2716 win 164
14:58:34.537632 IP zimbra.server.443 > client.gw.18767: F 1290:1290(0) ack 2716 win 164
14:58:34.561692 IP client.gw.18767 > zimbra.server.443: . ack 1291 win 16268
14:58:34.561748 IP client.gw.18767 > zimbra.server.443: P 2716:2753(37) ack 1291 win 16268
14:58:34.561760 IP zimbra.server.443 > client.gw.18767: R 1325996033:1325996033(0) win 0
14:58:34.561764 IP client.gw.18767 > zimbra.server.443: F 2753:2753(0) ack 1291 win 16268
14:58:34.561770 IP zimbra.server.443 > client.gw.18767: R 1325996033:1325996033(0) win 0
14:58:51.968417 IP client.gw.57630 > zimbra.server.80: R 2160:2160(0) ack 882 win 0
14:58:51.968703 IP client.gw.34799 > zimbra.server.80: S 362964298:362964298(0) win 8192 <mss 1412,nop,wscale 2,nop,nop,sackOK>
14:58:51.968723 IP zimbra.server.80 > client.gw.34799: S 3322679271:3322679271(0) ack 362964299 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
14:58:51.978926 IP client.gw.54695 > zimbra.server.80: S 1692544793:1692544793(0) win 8192 <mss 1412,nop,wscale 2,nop,nop,sackOK>
14:58:51.978939 IP zimbra.server.80 > client.gw.54695: S 3327651772:3327651772(0) ack 1692544794 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
14:58:51.992440 IP client.gw.34799 > zimbra.server.80: . ack 1 win 16591
14:58:51.993757 IP client.gw.34799 > zimbra.server.80: P 1:497(496) ack 1 win 16591
14:58:51.993772 IP zimbra.server.80 > client.gw.34799: . ack 497 win 123
14:58:51.994272 IP client.gw.34799 > zimbra.server.80: P 497:1107(610) ack 1 win 16591
14:58:51.994283 IP zimbra.server.80 > client.gw.34799: . ack 1107 win 132
14:58:51.996961 IP zimbra.server.80 > client.gw.34799: P 1:415(414) ack 1107 win 132
14:58:52.003759 IP client.gw.54695 > zimbra.server.80: . ack 1 win 16591
14:58:52.004876 IP client.gw.54695 > zimbra.server.80: P 1:500(499) ack 1 win 16591
14:58:52.004890 IP zimbra.server.80 > client.gw.54695: . ack 500 win 123

I would presume it is "normal" HTTP/HTTPS behaviour (the "scans" are coming right after requests on port 80 or 443, so aren't these just the answers from the webserver?), but the customer says it was not the case before, and there was no other change anywhere. I also checked the Zimbra server for leaks or special processes and found nothing suspect yet.

Maybe you have seen something similar on your servers?

Regards,
Oliiver
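A triage helper for alerts in the format quoted above, added here as an example and not part of the original post or of Zimbra. It parses the firewall's "scanned port list" lines and flags the pattern the poster describes (a fixed service port such as 443 talking to a spread of high client ports) as consistent with reply traffic rather than a scan; the two log lines are constructed samples with the same field layout, and the classification is a heuristic to guide investigation, not proof.

```python
import re
from dataclasses import dataclass

# Field layout copied from the firewall alerts quoted in the post; the two
# lines below are constructed samples, not taken from the customer's firewall.
SAMPLE_LOG = """\
11/14/2012 11:57:33.064 - Alert - Intrusion Prevention - \tPossible port scan detected - \tzimbra.server, 443, X1, zimbra.server - \tclient.gw, 21232, X1 - \tTCP scanned port list, 17005, 16336, 12098, 9669, 28908
11/14/2012 12:30:00.000 - Alert - Intrusion Prevention - \tProbable port scan detected - \tunknown.host, 51234, X1, unknown.host - \tclient.gw, 22, X1 - \tTCP scanned port list, 21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - Alert - Intrusion Prevention - \s*(?P<msg>.+?) - "
    r"\s*(?P<src>[^,]+), (?P<sport>\d+), \S+, \S+ - "
    r"\s*(?P<dst>[^,]+), (?P<dport>\d+), \S+ - "
    r"\s*TCP scanned port list, (?P<ports>.+)$"
)

@dataclass
class ScanAlert:
    ts: str
    src: str
    sport: int
    dst: str
    ports: list

def parse_alert(line):
    """Return a ScanAlert for one firewall line, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return ScanAlert(m["ts"], m["src"], int(m["sport"]), m["dst"],
                     [int(p) for p in m["ports"].split(",")])

def classify(alert, service_ports=(80, 443)):
    """Heuristic: packets from a fixed service port to a spread of ephemeral
    client ports are what replies and connection teardown (FIN/RST) to earlier
    client connections look like; a scan normally targets service ports from
    a changing source port. The 1024 boundary is an assumption."""
    if alert.sport in service_ports and all(p >= 1024 for p in alert.ports):
        return "likely-reply-traffic"
    return "scan-like"

def triage(log_text):
    """Classify every parseable alert line; returns (ts, src, sport, verdict)."""
    results = []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert:
            results.append((alert.ts, alert.src, alert.sport, classify(alert)))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Alerts classified as reply traffic are worth cross-checking against a capture like the tcpdump above (server FIN/RST from port 443 to the same client ports) before asking the customer to whitelist anything.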