Security Incidents mailing list archives

Re: Packet from port 80 with spoofed microsoft.com ip


From: Pat Wilson <paw () noh ucsd edu>
Date: Fri, 31 Jan 2003 13:42:01 -0800


Hmm.  One of the writeups on Netspree says that it connects to an
IRC channel on "master.leet-gamer.net" which now reverses to
127.0.0.1.  Anyone know what its address was before someone was 
"helpful"?  Apparently the address is hardcoded in the worm
someplace, but I don't have a copy to play with (yet).

Thanks.


Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw () ucsd edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015

"Larsen, Colin" <colin.larsen () nz unisys com> writes:
 
 Looks like the Netspree worm. We had it infect 3 or 4 PCs yesterday. It
 floods the network with broadcast packets on port 80 with spoofed source
 IPs.
 
 Cheers - Colin.
 -----Original Message-----
 From: Michael Rowe [mailto:mrowe () mojain com]
 Sent: Friday, 31 January 2003 12:22 a.m.
 To: incidents () securityfocus com
 Subject: Re: Packet from port 80 with spoofed microsoft.com ip
 
 
 On 03/01/29 14:11 -0600, NESTING, DAVID M (SBCSI) wrote:
 > Are you SURE nothing on your end would have attempted to initiate a
 > connection to this site?  When you say your Windows computers weren't
 > "active", did you mean they were physically powered off, or just idle?
 
 Yeah, turned off.
 
 On balance, it seems like the most likely explanation is my IP
 being used in a spoofed SYN attack. A distant second: the MS web
 server sending a wildly delayed ack to a legitimate connection.
 
 Thanks for the responses!
 
 -- 
 Michael Rowe <mrowe () mojain com>
 
 IM  - mrowe () jabber org                Prof - ACM, IEEE, Computer Soc.
 Web - http://www.mojain.com/          Vice - Barley malt, brewed or
 Key - http://mojain.com/keys/mrowe.asc       distilled (hold the ice)
 
 
 ----------------------------------------------------------------------------
 This list is provided by the SecurityFocus ARIS analyzer service.
 For more information on this free incident handling, management 
 and tracking system please see: http://aris.securityfocus.com
 
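As an added example, not part of this thread, here is a small Python classifier that separates the two explanations Michael weighs: inbound port-80 SYN/ACKs or RSTs with no matching outbound SYN are backscatter from someone else's spoofed-SYN flood, while a reply that does match an earlier local SYN belongs to a real (if delayed) connection. The flow-log format, the `parse_log` and `classify_backscatter` names, and the RFC 5737 addresses are all constructed for the example.

```python
# Added example (not from the thread): tell backscatter of a spoofed-SYN
# flood apart from replies to connections a local host actually opened.
# Log format and addresses are constructed; 203.0.113.10 stands in for a
# remote web server, 192.0.2.0/24 for the local network.
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

def parse_log(lines):
    """Parse constructed 'ts src:sport > dst:dport flags' lines into Pkt."""
    pkts = []
    for line in lines:
        ts, src, _, dst, flags = line.split()
        sip, sp = src.rsplit(":", 1)
        dip, dp = dst.rsplit(":", 1)
        pkts.append(Pkt(float(ts), sip, int(sp), dip, int(dp), flags))
    return pkts

def classify_backscatter(pkts, local_net="192.0.2.0/24"):
    """Return {(local_ip, remote_ip): verdict} for inbound packets from port 80.

    A SYN/ACK or RST from a web server is backscatter when no local host ever
    sent a SYN to it: an attacker forged our address as the source of a SYN
    flood and the server's replies land on us. If a matching outbound SYN
    exists, the packet is a (possibly delayed) reply to a real connection.
    """
    local = ipaddress.ip_network(local_net)
    is_local = lambda ip: ipaddress.ip_address(ip) in local
    outbound_syns = {(p.src, p.dst, p.dport) for p in pkts
                     if is_local(p.src) and p.flags == "S"}
    verdicts = {}
    for p in pkts:
        if not is_local(p.dst) or p.sport != 80:
            continue
        key = (p.dst, p.src)
        if (p.dst, p.src, p.sport) in outbound_syns:
            verdicts[key] = "reply-to-local-connection"
        elif p.flags in ("SA", "R", "RA"):
            verdicts[key] = "backscatter"
        else:
            verdicts[key] = "unsolicited-other"
    return verdicts

# Constructed sample: 192.0.2.7 was powered off and never sent a SYN, yet
# receives SYN/ACKs and an RST from the web server; 192.0.2.9 really connected.
SAMPLE_LOG = [
    "1.00 192.0.2.9:40123 > 203.0.113.10:80 S",
    "1.05 203.0.113.10:80 > 192.0.2.9:40123 SA",
    "2.00 203.0.113.10:80 > 192.0.2.7:1025 SA",
    "2.01 203.0.113.10:80 > 192.0.2.7:1026 SA",
    "3.00 203.0.113.10:80 > 192.0.2.7:1027 R",
]
```

Run over a real capture, a high volume of such verdicts for hosts that are off or idle points at someone spoofing your addresses rather than at the web server itself.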

