RE: Packet from port 80 with spoofed microsoft.com ip

Looks like the Netspree worm. We had it infect 3 or 4 PCs yesterday. It floods the network with broadcast packets on port 80 with spoofed source IPs.

Cheers - Colin.
-----Original Message-----
From: Michael Rowe [mailto:mrowe@mojain.com] Sent: Friday, 31 January 2003 12:22 a.m. To: incidents@securityfocus.com
Subject: Re: Packet from port 80 with spoofed microsoft.com ip

On 03/01/29 14:11 -0600, NESTING, DAVID M (SBCSI) wrote:
> Are you SURE nothing on your end would have attempted to initiate a

Yeah, turned off.

On balance, it seems like the mostly likely explaination is my IP being used in a spoofed SYN attack. A distant second: the MS web server sending a wildly delayed ack to a legitimate connection.

Thanks for the responses!

-- 
Michael Rowe 

IM  - mrowe@jabber.org                Prof - ACM, IEEE, Computer Soc.
Web - 
http://www.mojain.com/          Vice - Barley malt, brewed or
Key - 
http://mojain.com/keys/mrowe.asc       distilled (hold the ice)


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com