Security Incidents mailing list archives

RE: Packet from port 80 with spoofed microsoft.com ip


From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Wed, 29 Jan 2003 14:11:36 -0600

This looks like a normal reply to a TCP connection from your system to port
80 of this web site.  The S to the right of the address/port should indicate
the SYN flag is set, and the fact that the packet contains some ack data
suggests it's acknowledging your connection request.

Are you SURE nothing on your end would have attempted to initiate a
connection to this site?  When you say your Windows computers weren't
"active", did you mean they were physically powered off, or just idle?
Newer versions of Windows will "phone home" to check for software updates.

David

-----Original Message-----
From: Michael Rowe [mailto:mrowe () mojain com]
Sent: Wednesday, 29 January, 2003 04:47
To: incidents () securityfocus com
Subject: Packet from port 80 with spoofed microsoft.com ip

18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
