Published Thu, 06 Dec 2018 14:07:32 GMT by David Blake Ricoh USA Sr. Solution Integrator

The DocuWare server has been tripping security alerts for the past few weeks for portscanning the network:


TCP Scanning Activity

⋄ Total connections: 362

⋄ Total ports scanned: 260

⋄ Port range: 9 – 61001

⋄ Ports of interest: 21, 23, 80, 135, 139, 389, 445, 1433, 3128, 3389, 8080


Does anyone know if this is normal behavior for a DocuWare server (and if so, why)?

The system in question is version 6.10.

Published Thu, 06 Dec 2018 14:20:08 GMT by Phil Robson Senior Director Support - Americas

David,
This is certainly not normal for DocuWare. If it was, then it would have been happening since day one. You indicate that it is the last few weeks.
It sounds very odd to me since the scanning is hitting well known ports.


Phil Robson
Senior Director Support Americas


Published Thu, 06 Dec 2018 15:36:17 GMT by David Blake Ricoh USA Sr. Solution Integrator

Not normal? They are known ports used by DocuWare. So activity there is not normal? I do not understand.

My best guess is the customer only recently noticed the activity. The system has been in place for one year now, with ramping up usage.

Published Thu, 06 Dec 2018 15:54:24 GMT by Phil Robson Senior Director Support - Americas

David,
You specifically said port scanning. I assumed that the customer was detecting a port scan attack.
Simply because the ports are in use on the server does not mean that DocuWare has them open. Perhaps a more detailed analysis is called for.
DocuWare does not use port 21 (FTP) - except for REQUEST transfer, if defined - 23 (Telnet), 135 (RPC locator), 139 (NetBIOS), 389 (LDAP) - unless running an LDAP user sync - 445 (Directory services), 3128 (Squid caching) or 3389 (RDP).

80 (HTTP), 1433 (MSSQL) are directly accessed.
8080 only if defined as an IIS port for DocuWare.

Phil Robson
Senior Director Support Americas

Published Thu, 06 Dec 2018 18:53:00 GMT by David Blake Ricoh USA Sr. Solution Integrator

Thanks Phil,

I do not know what to expect here or what exactly to inform the customer. So I am simply relaying the customer's queries:

From the customer's IT manager:

"Guess the main question is: should the DW Server be actively scanning these ports? Wasn't sure if that was the way it operates or if there is something it periodically tries to discover new devices with?"

"Particularly, 3389 (MSRDP), 8080 (proxy), etc. If it was scanning for a limited number of ports related to DW, that would be justified, but I see:

⋄ Total ports scanned: 260

⋄ Port range: 9 – 61001

That is WAY outside the justification for looking for other DW devices/applications.

Kindly provide some documentation on why this is required, and specifically, which ports are required to be discovered for proper operation. Otherwise, this will be locked down to prevent further network scanning."


Any further documentation, thoughts or recommendations to what to do about this if abnormal?

Published Thu, 06 Dec 2018 19:00:10 GMT by Phil Robson Senior Director Support - Americas

David,
The issue is that they are saying the DocuWare Server is actively scanning the ports. DocuWare is an application. It is likely to be Windows scanning those ports, or some other app.
A simple netstat command will tell you what ports are open, and what PID is using them. For example, in my VM port 135 is opened by the Windows Service Host - not DocuWare.
I would suggest that they run:

netstat -abno

and look at what PID is accessing the ports. You will find that it is not DocuWare but Windows - except for the DocuWare ports.

Phil Robson
Senior Director Support Americas

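As an added example (not code from the thread or from DocuWare), the following PowerShell script automates the attribution Phil describes: it takes the same per-PID view that netstat -abno gives, groups outbound TCP connections by owning process, and reports how many distinct remote ports and hosts each process touched, so a process reaching hundreds of ports stands out from DocuWare's own traffic. It assumes Windows Server 2012 or later (Get-NetTCPConnection) and an elevated prompt; the $Threshold default is a constructed value.

```powershell
# Added example, not DocuWare's or the forum's code: attribute TCP connections to the
# process that owns them (as "netstat -abno" does), then summarise per process so a
# scanner-like pattern (many distinct remote ports) is obvious.
# Assumes Windows Server 2012+ (Get-NetTCPConnection) and an elevated prompt.
# $Threshold is a constructed default; the alert in the thread reported 260 ports.
param([int]$Threshold = 50)

# Keep only connections that reached a remote endpoint (no listeners, no loopback).
$conns = Get-NetTCPConnection | Where-Object {
    $_.State -ne 'Listen' -and
    $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1')
}

# Resolve each owning PID once. Keys are cast to [int] because a hashtable treats
# [uint32]5 and [int]5 as different keys.
$procs = @{}
foreach ($id in ($conns.OwningProcess | Sort-Object -Unique)) {
    $p = Get-Process -Id $id -ErrorAction SilentlyContinue
    if ($p) { $procs[[int]$id] = @{ Name = $p.ProcessName; Path = $p.Path } }
    else    { $procs[[int]$id] = @{ Name = '<exited>';      Path = $null } }
}

# One row per process: connection count, distinct remote hosts, distinct remote ports.
$summary = $conns | Group-Object OwningProcess | ForEach-Object {
    $owner = [int]$_.Name
    $ports = @($_.Group.RemotePort | Sort-Object -Unique)
    [pscustomobject]@{
        PID           = $owner
        Process       = $procs[$owner].Name
        Path          = $procs[$owner].Path
        Connections   = $_.Count
        RemoteHosts   = @($_.Group.RemoteAddress | Sort-Object -Unique).Count
        DistinctPorts = $ports.Count
        PortRange     = if ($ports.Count) { '{0}-{1}' -f $ports[0], $ports[-1] } else { '' }
    }
}

# Noisiest processes first; anything at or above the threshold is the suspect to show the customer.
$summary | Sort-Object DistinctPorts -Descending | Format-Table -AutoSize
$summary | Where-Object { $_.DistinctPorts -ge $Threshold } | ForEach-Object {
    Write-Warning ('PID {0} ({1}) reached {2} distinct remote ports on {3} hosts: {4}' -f $_.PID, $_.Process, $_.DistinctPorts, $_.RemoteHosts, $_.Path)
}
```

Connections from a scan are short-lived, so run this while the alert is firing (or loop it at an interval); for after-the-fact attribution, Sysmon Event ID 3 or the Windows Filtering Platform audit events record the owning process for each connection.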