Re: Packet from port 80 with spoofed microsoft.com ip

• Previous message: Deus, Attonbitus: "Re: MSDE contained in... (MS Office ? really ?)"
• In reply to: Michael Rowe: "Packet from port 80 with spoofed microsoft.com ip"
• Next in thread: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"
• Reply: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 29 Jan 2003 09:06:13 -0800
From: Chris Wilkes <cwilkes@ladro.com>
To: incidents@securityfocus.com

On Wed, Jan 29, 2003 at 09:46:53PM +1100, Michael Rowe wrote:
>
> I received a packet on my cable modem today, allegedly from
> microsoft.com:
>
> 18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

Do you have any MS computers at home set to automatically check
microsoft's site for updates?

I thought I had it turned off but poking around the GUI I found under
Control Panel - Servers "Automatic Update" set to Automatic. What's odd is
that it isn't in my tray and I thought I disabled it.

> No one was home at this time, and no computer running windows was
> active, so I'm pretty sure this was not legit traffic (unless it was a
> *very* delayed ack from a microsoft server, like > 6 hours. I guess
> this is conceivable, given their current, er, issues :).

By "active" do you mean "turned off"?

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Next message: Jos Kirps|EducDesign: "Firewall logging port 6346"
• Previous message: Deus, Attonbitus: "Re: MSDE contained in... (MS Office ? really ?)"
• In reply to: Michael Rowe: "Packet from port 80 with spoofed microsoft.com ip"
• Next in thread: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"
• Reply: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: How to decide whether a window update should be installed or n ... around 60 computers. ... >> Automatic Update detects whether a window update should be installed or not. ... >> updates have been installed and what updates you should install. ... > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway ... (microsoft.public.windowsupdate) RE: Open letter to MS ... automatic update on its 15 Windows SP computers has kept us out of problems. ... We did receive a Windows XP SP2 CD and installed it on all computers. ... > migrating my users over to Linux. ... (microsoft.public.windowsxp.general) Is windows update possible without administrator rights ... I have a very annoying problem in our company. ... windows XP computers and it seems that microsoft automatic update ... can't update the computers when they are logged in with their power ... while and update computers with administrator rights. ... (microsoft.public.windowsupdate) Update KB950749 and Error Code Dx80070005 ... I'm new to computers and this group. ... Automatic Update KB950749 failed to install today and yesterday. ... I see in one spot that there is no Microsoft charge for ... (microsoft.public.windowsupdate) Re: SP2 Not Showing Up In AU ... The first thing that caught my eye was "Not all ... computers, just a limited number a day." ... and had no issues downloading SP1 when it was ... >> No matter what settings I have under Automatic Update, ... (microsoft.public.windowsxp.general)