Security Incidents mailing list archives

Re: Packet from port 80 with spoofed microsoft.com ip


From: Chris Wilkes <cwilkes () ladro com>
Date: Wed, 29 Jan 2003 09:06:13 -0800

On Wed, Jan 29, 2003 at 09:46:53PM +1100, Michael Rowe wrote:

> I received a packet on my cable modem today, allegedly from
> microsoft.com:
>
> 18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

Do you have any MS computers at home set to automatically check
Microsoft's site for updates?

I thought I had it turned off but poking around the GUI I found under
Control Panel - Servers "Automatic Update" set to Automatic.  What's odd is
that it isn't in my tray and I thought I disabled it.

> No one was home at this time, and no computer running Windows was
> active, so I'm pretty sure this was not legit traffic (unless it was a
> *very* delayed ack from a Microsoft server, like > 6 hours. I guess
> this is conceivable, given their current, er, issues :).

By "active" do you mean "turned off"?

Chris
