Security Incidents mailing list archives

Re: Packet from port 80 with spoofed microsoft.com ip


From: "Hulio Cortez" <hotpackets () hellokitty com>
Date: Sat, 01 Feb 2003 05:59:25 +0800


On Wed, 29 Jan 2003 21:46:53 +1100,
Michael Rowe <mrowe () mojain com> wrote:
I received a packet on my cable modem today, allegedly from
microsoft.com:

18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
+S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

I am seeing these too. I have a friend at NIPC who says they
are part of the MS-SQL2 worm released on Sunday. It's the preliminary
handshake for a DDoS network but the packets are out of sync.

Hello there Alvin,
Do you know if these packets will affect other operating systems than Microsoft? Is this only if MSDN is installed?
If the DDOS network is being constructed in this fashion then there could be problems with lots of non-patched other
systems and also Microsoft. It is very subtle and hard to detect without closely monitoring your intrusion logs.
Thank you for talking to your friend in NIPC as he must be very busy at this time!!! I am sure other readers appreciate
this too.

Hulio Cortez
CCNA

--
Alvin Krowlekon. CISSP.MCP



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

