Hosting Provided By

RE: Packet from port 80 with spoofed microsoft.com ip

From: NESTING, DAVID M (SBCSI) <dn3723(at)sbc.com>
Date: Wed Jan 29 2003 - 15:11:36 EST

This looks like a normal reply to a TCP connection from your system to port 80 of this web site. The S to the right of the address/port should indicate the SYN flag is set, and the fact that the packet contains some ack data suggests it's acknowledging your connection request.

Are you SURE nothing on your end would have attempted to initiate a connection to this site? When you say your Windows computers weren't "active", did you mean they were physically powered off, or just idle? Newer versions of Windows will "phone home" to check for software updates.

David

-----Original Message-----
From: Michael Rowe [mailto:mrowe@mojain.com] Sent: Wednesday, 29 January, 2003 04:47
To: incidents@securityfocus.com
Subject: Packet from port 80 with spoofed microsoft.com ip

> 18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Wed Jan 29 18:43:07 2003

This message: [ Message body ]
Next message: Valdis.Kletnieks(at)vt.edu: "Re: Packet from port 80 with spoofed microsoft.com ip"
Previous message: H C: "Re: Packet from port 80 with spoofed microsoft.com ip"
Maybe in reply to: Michael Rowe: "Packet from port 80 with spoofed microsoft.com ip"
Next in thread: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"
Reply: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT