Security Incidents mailing list archives
RE: Packet from port 80 with spoofed microsoft.com ip
From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Wed, 29 Jan 2003 14:11:36 -0600
This looks like a normal reply to a TCP connection from your system to port 80 of this web site. The S to the right of the address/port should indicate the SYN flag is set, and the fact that the packet contains some ack data suggests it's acknowledging your connection request.

Are you SURE nothing on your end would have attempted to initiate a connection to this site? When you say your Windows computers weren't "active", did you mean they were physically powered off, or just idle? Newer versions of Windows will "phone home" to check for software updates.

David

-----Original Message-----
From: Michael Rowe [mailto:mrowe () mojain com]
Sent: Wednesday, 29 January, 2003 04:47
To: incidents () securityfocus com
Subject: Packet from port 80 with spoofed microsoft.com ip

18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
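
The check the reply above asks for, as an added example that is not part of the original message: parse old-style tcpdump TCP lines and mark each SYN+ACK as solicited only if the capture already holds a SYN on the reverse flow whose sequence number is the reply's ack minus one. The function names and the outbound SYN line are constructed for illustration; the SYN+ACK line is the one quoted in the message.

```python
import re

# Old-style tcpdump TCP line: time src.port > dst.port: FLAGS seq:seq(len) [ack N] ...
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRWE.]+)\s*(?P<seq>\d+):\d+\(\d+\)(?:\s+ack\s+(?P<ack>\d+))?"
)

def parse(line):
    """Return the TCP fields of one tcpdump line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
        "flags": d["flags"],
        "seq": int(d["seq"]),
        "ack": int(d["ack"]) if d["ack"] else None,
    }

def classify_synacks(lines):
    """Return [(packet, solicited)] for every SYN+ACK, in capture order."""
    seen_syns = set()  # (client, server, ack value a genuine reply must carry)
    results = []
    for p in filter(None, map(parse, lines)):
        if "S" not in p["flags"]:
            continue
        if p["ack"] is None:
            # Plain SYN: a real reply acknowledges ISN + 1 (32-bit wraparound).
            seen_syns.add((p["src"], p["dst"], (p["seq"] + 1) % 2**32))
        else:
            # SYN+ACK: solicited only if the matching SYN was captured earlier.
            results.append((p, (p["dst"], p["src"], p["ack"]) in seen_syns))
    return results

# The line from the message, joined onto one line.
PAGE_LINE = ("18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: "
             "S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>")
# Constructed: the outbound SYN that would make the reply above a solicited one.
CONSTRUCTED_SYN = ("18:41:35.601200 my.cable.modem.ip.1681 > 207.46.249.190.80: "
                   "S 268566528:268566528(0) win 16384 <mss 1460>")

if __name__ == "__main__":
    for pkt, ok in classify_synacks([CONSTRUCTED_SYN, PAGE_LINE]):
        print(pkt["src"], "->", pkt["dst"], "solicited" if ok else "no matching SYN")
```

A result of "no matching SYN" only means the capture did not record the outbound packet; the capture has to cover the interface and time window in which the local host would have sent it.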
Current thread:
- Packet from port 80 with spoofed microsoft.com ip Michael Rowe (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Chris Wilkes (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Thiago Conde Figueiró (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Rich Puhek (Jan 30)
- Re: Packet from port 80 with spoofed microsoft.com ip H C (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Keith Owens (Jan 30)
- Message not available
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Russell Fulton (Jan 31)
- Message not available
- Message not available
- <Possible follow-ups>
- RE: Packet from port 80 with spoofed microsoft.com ip NESTING, DAVID M (SBCSI) (Jan 29)