Hey all.

Yesterday I started noticing some very odd traffic on our firewall. We were getting scanned by IP address 127.0.0.1 with a port of 80, and destined to a random internal IP address, high port number. I used tcpdump to see what was going on and the packets were TCP RST/ACKs. We used MAC addresses to trace the source back to a few internal machines infected with MSBlaster. When we cleaned them, the scans stopped.

Has anyone else seen this? We don't have any entries for Windowsupdate.com on 127.0.0.1 as suggested earlier in the list, but AFAIK that IP should NEVER show up on a network, and it even went through a few routers. There was no stimulus to elicit the RST/ACK response either.

In the meantime, I will try and find some tcpdump traces of it. I have the executable that seems to have caused it and I will try and duplicate it in a controlled environment.

Thanks
-Jason

Jason Thompson
Security Analyst
Networks and Communications
xwave
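An added detection example, not part of the original post or thread: it parses tcpdump -e -n style lines and counts RST/ACKs that carry a 127.0.0.0/8 source address per source MAC, the same MAC-based tracing the post describes for locating infected hosts. The capture lines, MACs and internal addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `tcpdump -e -n` style; not a real trace from the post.
SAMPLE = """\
09:14:02.118213 00:0c:29:4e:1a:7f > 00:50:56:a1:00:01, ethertype IPv4 (0x0800), length 54: 127.0.0.1.80 > 10.10.43.201.3761: Flags [R.], seq 0, ack 1, win 0, length 0
09:14:02.120455 00:0c:29:4e:1a:7f > 00:50:56:a1:00:01, ethertype IPv4 (0x0800), length 54: 127.0.0.1.80 > 10.10.17.44.4120: Flags [R.], seq 0, ack 1, win 0, length 0
09:14:02.301009 00:0c:29:b2:93:10 > 00:50:56:a1:00:01, ethertype IPv4 (0x0800), length 54: 127.0.0.1.80 > 10.10.88.9.2210: Flags [R.], seq 0, ack 1, win 0, length 0
09:14:02.411772 00:0c:29:77:d0:e2 > 00:50:56:a1:00:01, ethertype IPv4 (0x0800), length 74: 10.10.5.12.2050 > 10.10.1.1.80: Flags [S], seq 10, win 64240, length 0
09:14:02.412001 00:50:56:a1:00:01 > 00:0c:29:77:d0:e2, ethertype IPv4 (0x0800), length 54: 10.10.1.1.80 > 10.10.5.12.2050: Flags [R.], seq 0, ack 11, win 0, length 0
"""

# Timestamp, link-layer MACs, IPv4 src/dst with ports, and the TCP flag string.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse(line):
    """Return a dict of fields for one tcpdump -e line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_suspect(pkt):
    """A loopback source seen on a real interface is a martian; the post's pattern is
    RST/ACK ("R.") from 127.0.0.1 port 80 to an internal host on a high port."""
    return (ipaddress.ip_address(pkt["src"]) in LOOPBACK
            and pkt["sport"] == 80
            and pkt["flags"] == "R."
            and pkt["dport"] >= 1024)


def suspect_sources(capture):
    """Map source MAC -> count of spoofed loopback RST/ACKs, to pinpoint the sending hosts."""
    counts = Counter()
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt and is_suspect(pkt):
            counts[pkt["smac"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for mac, n in suspect_sources(SAMPLE).items():
        print(f"{mac}: {n} spoofed 127.0.0.1:80 RST/ACK packets")
```

The legitimate RST/ACK from 10.10.1.1 in the sample is ignored because its source is not a loopback address, so the counter only reports MACs that emitted martian packets.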
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 09:52:15 PDT