Looks like the Netspree worm. We had it infect 3 or 4 PCs yesterday. It floods the network with broadcast packets on port 80 with spoofed source IPs.

Cheers - Colin.

-----Original Message-----
From: Michael Rowe [mailto:mroweat_private]
Sent: Friday, 31 January 2003 12:22 a.m.
To: incidentsat_private
Subject: Re: Packet from port 80 with spoofed microsoft.com ip

On 03/01/29 14:11 -0600, NESTING, DAVID M (SBCSI) wrote:
> Are you SURE nothing on your end would have attempted to initiate a
> connection to this site? When you say your Windows computers weren't
> "active", did you mean they were physically powered off, or just idle?

Yeah, turned off.

On balance, it seems like the most likely explanation is my IP being used in a spoofed SYN attack. A distant second: the MS web server sending a wildly delayed ack to a legitimate connection.

Thanks for the responses!

--
Michael Rowe <mroweat_private>
IM  - mroweat_private                    Prof - ACM, IEEE, Computer Soc.
Web - http://www.mojain.com/             Vice - Barley malt, brewed or
Key - http://mojain.com/keys/mrowe.asc          distilled (hold the ice)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 11:23:32 PST