This looks like a normal reply to a TCP connection from your system to port 80 of this web site. The S to the right of the address/port should indicate the SYN flag is set, and the fact that the packet contains some ack data suggests it's acknowledging your connection request.

Are you SURE nothing on your end would have attempted to initiate a connection to this site? When you say your Windows computers weren't "active", did you mean they were physically powered off, or just idle? Newer versions of Windows will "phone home" to check for software updates.

David

-----Original Message-----
From: Michael Rowe [mailto:mroweat_private]
Sent: Wednesday, 29 January, 2003 04:47
To: incidentsat_private
Subject: Packet from port 80 with spoofed microsoft.com ip

> 18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
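An added example, not part of the thread: one way to check whether a SYN-ACK like the quoted one answers a connection your own host opened is to derive the SYN it acknowledges (endpoints reversed, sequence number equal to the ack value minus one) and look for it in an outbound capture. The function names are hypothetical and the `OUTBOUND` line is constructed for the demonstration; only `REPLY` comes from the message.

```python
import re

# Old-style tcpdump TCP summary: time src.port > dst.port: FLAGS seq:seq(len) ack N win N
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>[SFPRWE.]+)\s*"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s*)?(?:ack\s+(?P<ack>\d+))?"
)

def parse(line):
    """Return a dict of fields, or None if the line is not a TCP summary."""
    m = LINE_RE.match(line.strip().lstrip("> ").strip())
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "seq", "ack"):
        p[k] = int(p[k]) if p[k] is not None else None
    return p

def kind(p):
    """Name the handshake step from the flag letter and presence of an ack."""
    if "S" in p["flags"]:
        return "SYN-ACK" if p["ack"] is not None else "SYN"
    if "R" in p["flags"]:
        return "RST"
    return "other"

def expected_syn(synack):
    """The SYN a SYN-ACK answers: reversed endpoints, seq = ack - 1 (mod 2**32)."""
    return (synack["dst"], synack["dport"], synack["src"], synack["sport"],
            (synack["ack"] - 1) % 2**32)

def was_solicited(synack, capture_lines):
    """True if the capture holds the outbound SYN this SYN-ACK acknowledges."""
    want = expected_syn(synack)
    for line in capture_lines:
        p = parse(line)
        if p and kind(p) == "SYN":
            if (p["src"], p["sport"], p["dst"], p["dport"], p["seq"]) == want:
                return True
    return False

# Line quoted in the thread.
REPLY = ("18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: "
         "S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>")
# Constructed outbound SYN (not from the thread), for the matching case.
OUTBOUND = ("18:41:35.601200 my.cable.modem.ip.1681 > 207.46.249.190.80: "
            "S 268566528:268566528(0) win 8192 <mss 1460>")

if __name__ == "__main__":
    r = parse(REPLY)
    print(kind(r), expected_syn(r), was_solicited(r, [OUTBOUND]), was_solicited(r, []))
```

If no matching outbound SYN exists in a capture that covers the same interval, the SYN-ACK was not solicited by that host.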
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 15:36:17 PST