Hello all...

I'd just be curious if anyone else saw a similar sort of behaviour recently... I was dealing with an unrelated problem at the time, and happened to observe our firewall logs during this period...

From 02:17 (GMT) to 02:26, our firewall logged 399 examples of traffic from 'microsoft.com' (the log had DNS lookup applied, but I can see from the raw logs that these were various machines, mostly 207.46.x.x) to most of our hosts here. The traffic always has a source port of 80, and dst port around the 1024-1200 range, pretty symptomatic of normal web-browsing...

What was odd, of course, is the timing (hardly anyone would have been here) and the inclusion of machines that I pretty much know were either
a) turned off
b) non-Windows servers ...

Was this just the sign of a big spoofed scan, but if so, how come I can't see any indication of an IP address that doesn't resolve to microsoft.com? ...

Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362
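
One way to check whether inbound source-port-80 packets like those described above are replies to connections your own hosts opened is to match each one against earlier outbound entries in the same log. The following is an added example, not part of the original post; the log line format, the `triage` and `targets_per_source` names, and the documentation-range addresses are all assumptions constructed for illustration, and it presumes the firewall also logs outbound connections.

```python
from collections import defaultdict

# Constructed sample log (not from the post). Assumed format:
# "HH:MM:SS DIRECTION SRC_IP:SRC_PORT DST_IP:DST_PORT FLAGS"
SAMPLE_LOG = """\
02:16:58 OUT 192.0.2.5:1031 203.0.113.10:80 S
02:17:01 IN 203.0.113.10:80 192.0.2.5:1031 SA
02:17:02 IN 203.0.113.11:80 192.0.2.6:1044 SA
02:17:02 IN 203.0.113.11:80 192.0.2.7:1101 SA
02:17:03 IN 203.0.113.12:80 192.0.2.8:1150 R
02:17:03 IN 198.51.100.9:443 192.0.2.5:1200 SA
"""

def parse(line):
    """Split one log line into typed fields."""
    ts, direction, src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, direction, sip, int(sport), dip, int(dport), flags

def triage(log_text, service_port=80):
    """Sort inbound packets from service_port into solicited/unsolicited.

    A packet is solicited only if the same 4-tuple was seen outbound earlier.
    """
    opened = set()  # (local_ip, local_port, remote_ip, remote_port)
    solicited, unsolicited = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, sip, sport, dip, dport, flags = parse(line)
        if direction == "OUT":
            opened.add((sip, sport, dip, dport))
        elif sport == service_port:
            bucket = solicited if (dip, dport, sip, sport) in opened else unsolicited
            bucket.append((ts, sip, dip, dport, flags))
    return solicited, unsolicited

def targets_per_source(unsolicited):
    """Count distinct internal hosts each remote address reached unsolicited."""
    hosts = defaultdict(set)
    for _ts, sip, dip, _dport, _flags in unsolicited:
        hosts[sip].add(dip)
    return {sip: len(dips) for sip, dips in hosts.items()}
```

A high distinct-host count for one remote address, with no matching outbound entries, separates unsolicited traffic from ordinary browsing replies; it does not by itself say whether the source address was genuine or forged.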