Re: Packet from port 80 with spoofed microsoft.com ip

From: Pat Wilson (pawat_private)
Date: Fri Jan 31 2003 - 13:42:01 PST


    Hmm.  One of the writeups on Netspree says that it connects to an
    IRC channel on "master.leet-gamer.net" which now reverses to
    127.0.0.1.  Anyone know what its address was before someone was 
    "helpful"?  Apparently the address is hardcoded in the worm
    someplace, but I don't have a copy to play with (yet).
    
    Thanks.
    
    
    Pat Wilson
    Network Security Manager
    UCSD ACS/Network Operations
    pawat_private
    6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
    
    "Larsen, Colin" <colin.larsenat_private> writes:
    >  
    >  Looks like the Netspree worm. We had it infect 3 or 4 PCs yesterday. It
    >  floods the network with broadcast packets on port 80 with spoofed source
    >  IPs.
    >  
    >  Cheers - Colin.
    >  -----Original Message-----
    >  From: Michael Rowe [mailto:mroweat_private]
    >  Sent: Friday, 31 January 2003 12:22 a.m.
    >  To: incidentsat_private
    >  Subject: Re: Packet from port 80 with spoofed microsoft.com ip
    >  
    >  
    >  On 03/01/29 14:11 -0600, NESTING, DAVID M (SBCSI) wrote:
    >  > Are you SURE nothing on your end would have attempted to initiate a
    >  > connection to this site?  When you say your Windows computers weren't
    >  > "active", did you mean they were physically powered off, or just idle?
    >  
    >  Yeah, turned off.
    >  
    >  On balance, it seems like the most likely explanation is my IP
    >  being used in a spoofed SYN attack. A distant second: the MS web
    >  server sending a wildly delayed ack to a legitimate connection.
    >  
    >  Thanks for the responses!
    >  
    >  -- 
    >  Michael Rowe <mroweat_private>
    >  
    >  IM   - mroweat_private
    >  Web  - http://www.mojain.com/
    >  Key  - http://mojain.com/keys/mrowe.asc
    >  Prof - ACM, IEEE, Computer Soc.
    >  Vice - Barley malt, brewed or distilled (hold the ice)
    >  
    >  
    >  ----------------------------------------------------------------------------
    >  This list is provided by the SecurityFocus ARIS analyzer service.
    >  For more information on this free incident handling, management 
    >  and tracking system please see: http://aris.securityfocus.com
    >  
    
    



    This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 08:33:22 PST
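The two symptoms the thread describes, unsolicited replies from port 80 (the "my IP was spoofed in a SYN flood" reading) and outbound packets whose source address is not one of ours (what an infected host flooding with spoofed sources produces), can both be triaged from connection records. This is an added example, not code from the list or from any of the posters; the 10.0.0.0/24 prefix and the sample records are constructed.

```python
"""Triage helper for the two symptoms discussed in the thread.

Assumptions (constructed for this example, not taken from the posts):
our network is 10.0.0.0/24 and each record has the shape
(direction, src_ip, src_port, dst_ip, dst_port, tcp_flags).
"""
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption

# Constructed sample: one legitimate web visit, one unsolicited SYN/ACK from
# port 80 (backscatter), and one outbound flood packet with a spoofed source.
SAMPLE = [
    ("out", "10.0.0.5", 40001, "203.0.113.10", 80, "S"),
    ("in",  "203.0.113.10", 80, "10.0.0.5", 40001, "SA"),
    ("in",  "198.51.100.7", 80, "10.0.0.9", 51234, "SA"),   # never requested
    ("out", "192.0.2.77", 1025, "10.0.0.255", 80, "S"),      # source not ours
]

def find_backscatter(records):
    """Inbound SYN/ACK or RST from port 80 with no matching outbound SYN.

    An unsolicited reply means the server saw a SYN carrying our address,
    i.e. our IP was used as a spoofed source in a SYN flood against it.
    """
    asked = {(s, sp, d, dp) for dirn, s, sp, d, dp, f in records
             if dirn == "out" and f == "S"}
    return [r for r in records
            if r[0] == "in" and r[2] == 80 and r[5] in ("SA", "R", "RA")
            and (r[3], r[4], r[1], r[2]) not in asked]

def find_spoofed_egress(records, local_net=LOCAL_NET):
    """Outbound packets whose source address is not in our prefix.

    A clean network never emits these; an infected host flooding with
    spoofed sources does, which is the case for egress filtering (BCP 38)
    at the border so the spoofed packets never leave.
    """
    return [r for r in records
            if r[0] == "out" and ipaddress.ip_address(r[1]) not in local_net]

if __name__ == "__main__":
    for r in find_backscatter(SAMPLE):
        print("backscatter (our address spoofed elsewhere):", r)
    for r in find_spoofed_egress(SAMPLE):
        print("spoofed egress (infected host?):", r)
```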