EmailDiscussions.com  


FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 7 Aug 2003, 02:46 PM   #1
mail2me
Master of the @
 
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
Question Port scan attack by FastMail.fm

My McAfee firewall intercepted a port scan attack while I was logged into my FastMail account via the web interface. McAfee's Visual Trace tool traced the port scan attack location as fastmail.fm. Now I can't access the site obviously because McAfee has blocked all traffic from FastMail sites for the next hour. Any idea how or why this happened? I was using the Notepad in my FastMail account.
mail2me is offline   Reply With Quote

Old 7 Aug 2003, 04:46 PM   #2
bitequator
The "e" in e-mail
 
Join Date: Apr 2003
Location: USA
Posts: 2,978
Hmm, do you have a Guest acct by any chance? JH promises never to hack paid members, but if you're a Guest, well, all bets are off (he calls it his personal upgrade incentive).

It's already explained in one of the taglines -- "FastMail: Pay us, or we'll hack you."


(Sorry, I know that wasn't of any help whatsoever...)
bitequator is offline   Reply With Quote
Old 7 Aug 2003, 05:01 PM   #3
FMRocks
The "e" in e-mail
 
Join Date: Sep 2002
Location: FM does NOT refer to Fastmail (anymore).
Posts: 4,034
Now to be practical, does McAfee have anything it can mistake for a "port scan attack?" My guess is that to give you access to your email, the connection has to come through a certain port. But so does every other Internet connection. Can you look up some McAfee help files and see if they provide any information on limitations of their software or false positives of any kind?

If no solution surfaces, I assume that McAfee has a log of the port scan. You may wish to forward that to both McAfee and Fastmail to see what went on and if the error was on FM's part or McAfee's.
FMRocks is offline   Reply With Quote
Old 7 Aug 2003, 05:06 PM   #4
mail2me
Master of the @
 
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
Quote:
Originally posted by bitequator
Hmm, do you have a Guest acct by any chance? JH promises never to hack paid members, but if you're a Guest, well, all bets are off (he calls it his personal upgrade incentive).

It's already explained in one of the tag-lines -- "FastMail: Pay us, or we'll hack you."


(Sorry, I know that wasn't of any help whatsoever...)
No I don't have a Guest account.

I'm sure this was the result of some bug in either FastMail's or McAfee's software. I doubt that FastMail would really do such things.

Are you sure that there is such a tag-line or are you just joking?

Such a tag-line would definitely put me off. I remember how someone I know purchased firewall software from the Bonzi company, famous for its adware and spyware, because its software was generating a pop-up claiming that his PC was unprotected whenever he went online. I would personally never purchase anything from people who resort to that type of thing. "Pay us, or we'll hack you" is the same thing.
mail2me is offline   Reply With Quote
Old 7 Aug 2003, 05:37 PM   #5
eggman
Essential Contributor
 
Join Date: Jun 2002
Location: AU
Posts: 471
From what I can see the guys at fastmail are honest and have great integrity.

I can't imagine they would be doing a port-scan or would attempt to hack you!!!

bitequator, I think you were joking but that is almost slanderous....
eggman is offline   Reply With Quote
Old 7 Aug 2003, 06:12 PM   #6
mail2me
Master of the @
 
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
McAfee does have a log file alright. The IP address related to this port scan attack was 66.111.4.62.

I'm using the Firewall that comes with McAfee VirusScan Professional 7. I saved the log file and opened it with Word, even though it was a text file, for better search capabilities, and was amazed to see that it had more than 3650 pages. Most of them are logs of blocking incoming or outgoing traffic. Port scan attacks are rare. I will search through that log file and get back with more info.
mail2me is offline   Reply With Quote
Old 7 Aug 2003, 06:48 PM   #7
Onno
Cornerstone of the Community
 
Join Date: Nov 2002
Location: Amsterdam
Posts: 753
bitequator was most certainly joking.

We have no reason to portscan anyone so I wouldn't think we did. It's more likely that your firewall misinterpreted some traffic to be a portscan of some sort. If you can find out what it thought was going on it would be good so we can have a look and see whether we can do anything on our side to make it less confused.
Onno is offline   Reply With Quote
Old 7 Aug 2003, 06:51 PM   #8
mail2me
Master of the @
 
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
The log file of 3650 pages was only for four days because I cleared the logs four days ago. I can just imagine how big it would have been if I hadn't done that.

Here is an extract from the log file related to the fastmail.fm port scan attack. I can't post everything here but most of the logs are similar:
Quote:
08/06/03 10:35:10 PM Blocked incoming TCP
McAfee Firewall blocked an incoming TCP packet. The remote address associated with the traffic was 66.111.4.62. The remote port was 443 [HTTPS]. The local port on your PC was 1779 [ephemeral]. The network adapter for the traffic was "D-Link DFE-690TXD CardBus PC Card".

The binary data contained in the packet was "00 40 05 7f 9f 38 00 06 25 09 f9 72 08 00 45 00 00 30 6e 62 00 00 33 06 10 ad 42 6f 04 3e c0 a8 01 64 01 bb 06 f3 38 66 ca 15 06 7c 52 6b 70 12 16 d0 ff 74 00 00 02 04 05 b4 01 01 04 02 ".

08/06/03 10:35:10 PM Blocked a Port Scan attack!
McAfee Firewall blocked an attempt to attack your machine using a "Port Scan" attack. The remote address associated with the traffic was 66.111.4.62. The remote port was 443 [HTTPS]. The local port on your PC was 1780 [ephemeral]. The network adapter for the traffic was "D-Link DFE-690TXD CardBus PC Card".

The binary data contained in the packet was "00 40 05 7f 9f 38 00 06 25 09 f9 72 08 00 45 00 00 30 6e 63 00 00 33 06 10 ac 42 6f 04 3e c0 a8 01 64 01 bb 06 f4 38 4e 1a 63 06 84 76 5e 70 12 16 d0 8b 43 00 00 02 04 05 b4 01 01 04 02 ".

08/06/03 10:35:10 PM Blocked incoming TCP
McAfee Firewall blocked an incoming TCP packet. The remote address associated with the traffic was 66.111.4.62. The remote port was 443 [HTTPS]. The local port on your PC was 1780 [ephemeral]. The network adapter for the traffic was "D-Link DFE-690TXD CardBus PC Card".

The binary data contained in the packet was "00 40 05 7f 9f 38 00 06 25 09 f9 72 08 00 45 00 00 30 6e 63 00 00 33 06 10 ac 42 6f 04 3e c0 a8 01 64 01 bb 06 f4 38 4e 1a 63 06 84 76 5e 70 12 16 d0 8b 43 00 00 02 04 05 b4 01 01 04 02 ".

08/06/03 10:35:10 PM Blocked traffic from 66.111.4.62
McAfee Firewall automatically blocked incoming traffic from IP address 66.111.4.62. You have configured McAfee Firewall to always block traffic to or from this address. The IP protocol type was 6 [TCP]. The remote address associated with the traffic was 66.111.4.62. The network adapter for the traffic was "D-Link DFE-690TXD CardBus PC Card".

The binary data contained in the packet was "00 40 05 7f 9f 38 00 06 25 09 f9 72 08 00 45 00 00 30 6e 64 00 00 33 06 10 ab 42 6f 04 3e c0 a8 01 64 01 bb 06 f4 38 4e 1a 63 06 84 76 5e 70 12 16 d0 8b 43 00 00 02 04 05 b4 01 01 04 02 ".
McAfee started automatically blocking traffic from that IP address after the port scan attack. I did not configure it to always block traffic from that address as mentioned in the latter logs after the port scan attack.
mail2me is offline   Reply With Quote
Old 7 Aug 2003, 07:03 PM   #9
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
It's a McAfee problem is my analysis.

Quick summary of how ports/sockets work. Basically, you connect to a machine (identified by IP number, e.g. 66.111.4.62) and you connect to a particular port number. However, this process is symmetrical: before you can connect to an external port on an external machine, you have to connect to a local port on the local machine.

Now port numbers are usually broken into 2 main ranges. Low numbered ports listen for incoming connections. However, when you want to make an outgoing connection, you bind to a high numbered port.

Certain low numbered ports are reserved for certain services. E.g. 80 is for HTTP, 22 for SSH, 443 for HTTPS.

So what happens when you make a web connection to https://fastmail.fm? It does something like:

1. Your computer binds to a free high port number (eg 1779)
2. It then binds the other end to 443 on fastmail.fm
3. It sends the web request across
4. fastmail sends the response back

But if you look at the firewall output, it incorrectly blocked the response data!

Quote:
McAfee Firewall blocked an incoming TCP packet. The remote address associated with the traffic was 66.111.4.62. The remote port was 443 [HTTPS]. The local port on your PC was 1779 [ephemeral].
Duh, stupid software. Either it's a bug, or the only other thing I can think of is that it thought the connection had already been torn down when the data was received. No idea why this would happen though... unless it was retransmitted data stuck in the network somewhere even after the final TCP tear down command had been received... seems pretty dang unlikely though, especially multiple times on multiple connections?

Given Onno is a network engineer, he might have more thoughts

Rob

PS. The bitequator comments were just a joke. There's no such tagline and definitely no such policy!
robmueller is offline   Reply With Quote
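Decoding the two hex dumps mail2me quoted from the McAfee log (local ports 1779 and 1780) bears out Rob's analysis: both frames are SYN/ACK segments from 66.111.4.62:443 back to the PC's ephemeral ports, i.e. step 2 of the handshake in Rob's list, not anything inbound that the PC did not ask for. The decoder below is an added example, not code from the thread, from McAfee or from FastMail; it assumes the dumps are Ethernet II / IPv4 / TCP frames, which the `08 00` ethertype and `45` IP version byte in the dumps indicate.

```python
import struct

# Hex dumps copied verbatim from the McAfee log quoted earlier in the thread (local ports 1779 and 1780).
DUMPS = {
    1779: "00 40 05 7f 9f 38 00 06 25 09 f9 72 08 00 45 00 00 30 6e 62 00 00 33 06 10 ad"
          " 42 6f 04 3e c0 a8 01 64 01 bb 06 f3 38 66 ca 15 06 7c 52 6b 70 12 16 d0 ff 74"
          " 00 00 02 04 05 b4 01 01 04 02",
    1780: "00 40 05 7f 9f 38 00 06 25 09 f9 72 08 00 45 00 00 30 6e 63 00 00 33 06 10 ac"
          " 42 6f 04 3e c0 a8 01 64 01 bb 06 f4 38 4e 1a 63 06 84 76 5e 70 12 16 d0 8b 43"
          " 00 00 02 04 05 b4 01 01 04 02",
}
TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH")]

def decode_frame(hexdump):
    """Decode an Ethernet II / IPv4 / TCP frame (the layout McAfee logs) into its key fields."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    assert raw[12:14] == b"\x08\x00", "not an IPv4 frame"
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length: 0x45 -> 20 bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4           # 0x70 -> 28-byte TCP header (options present)
    opts, mss, i = tcp[20:data_offset], None, 0
    while i < len(opts) and opts[i] != 0:         # walk TCP options; kind 1 is a 1-byte NOP
        if opts[i] == 1:
            i += 1
            continue
        if opts[i] == 2:                          # kind 2 = Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {
        "src": ".".join(map(str, ip[12:16])), "sport": sport,
        "dst": ".".join(map(str, ip[16:20])), "dport": dport,
        "ttl": ip[8], "seq": seq, "ack": ack, "window": window, "mss": mss,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        "payload_len": len(tcp) - data_offset,
    }

def is_handshake_reply(frame):
    """SYN/ACK with no payload, from the server's listening port: step 2 of the handshake."""
    return frame["flags"] == ["SYN", "ACK"] and frame["payload_len"] == 0

if __name__ == "__main__":
    for dump in DUMPS.values():
        f = decode_frame(dump)
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} {'/'.join(f['flags'])}"
              f" win={f['window']} mss={f['mss']} ttl={f['ttl']} reply={is_handshake_reply(f)}")
```

The third dump mail2me quoted for port 1780 differs from the second only in its IP identification and IP header checksum, which is what a retransmitted SYN/ACK looks like when the first copy was dropped before the client could answer it.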
Old 7 Aug 2003, 07:05 PM   #10
mail2me
Master of the @
 
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
There were a lot of updates for the McAfee Firewall program recently. It must be a bug in one of their recent updates, because I have had McAfee running on my PC for quite some time and this hadn't happened to me before. So the chances are that they will correct it at their end as soon as they become aware of it, because it may be happening with some other sites as well.

I knew it had to be some sort of a mistake when I saw McAfee's Visual Trace tool identifying the port scan attacker as fastmail.fm but it might scare off some new potential customers that are not familiar with the fastmail.fm company.
mail2me is offline   Reply With Quote
Old 7 Aug 2003, 07:20 PM   #11
mail2me
Master of the @
 
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
I can't recreate the same problem again. I went to the fastmail site by selecting http://www.rushpost.com from my IE favorites and was selecting an entry in my Notepad when it happened earlier. The same steps don't trigger the firewall now.
mail2me is offline   Reply With Quote
Old 7 Aug 2003, 11:02 PM   #12
Onno
Cornerstone of the Community
 
Join Date: Nov 2002
Location: Amsterdam
Posts: 753
Quote:
Originally posted by robmueller
unless it was retransmitted data stuck in the network somewhere even after the final TCP tear down command had been received... seems pretty dang unlikely though, especially multiple times on multiple connections?

Given Onno is a network engineer, he might have more thoughts
You're spot on, mate. The only issue that could occur here if we are to believe the logs is either some very strange and extremely buggy TCP stack behaviour or a very strange (and likely at least a little buggy) piece of software. My vote is for the second.
Onno is offline   Reply With Quote
Old 8 Aug 2003, 01:53 AM   #13
bitequator
The "e" in e-mail
 
Join Date: Apr 2003
Location: USA
Posts: 2,978
D'oh, I'm really sorry to have caused confusion. Yes, I was definitely just kidding around (I love FM)... My funny bone strikes me at the most inappropriate times and places...
bitequator is offline   Reply With Quote
Old 8 Aug 2003, 05:56 PM   #14
eggman
Essential Contributor
 
Join Date: Jun 2002
Location: AU
Posts: 471
bitequator, I thought you were!!!
eggman is offline   Reply With Quote
Old 9 Aug 2003, 10:26 AM   #15
mail2me
Master of the @
 
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
bitequator, I thought so too, but for a moment I wasn't sure because I don't know what type of tag-lines FM has, since I don't have any guest accounts. Some time ago there was a banner ad on this forum claiming that FM hates banner ads. It was kind of hypocritical. If FM hates banner ads then FM should also refrain from banner ads. So I just wasn't sure whether FM really had such a tag-line. Actually there is nothing wrong with banner ads. The real annoyance is only with popup ads. Claiming to hate popup ads would have been more appropriate. Banner ads and text ads do support the availability of free services to a lot of people who would otherwise be unable to enjoy such services.
mail2me is offline   Reply With Quote
All times are GMT +9.

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.