Re: netpay.tv connections

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 01/05/04

    Date: Mon, 5 Jan 2004 07:48:32 -0800 (PST)
    To: Dave <bugtraq@neuromancer.cx>, incidents@securityfocus.com
    
    

    Dave,

    Is Neuromancer (ah, a fan of Gibson) running a web
    server?

    Is Neuromancer running anything on port 80?

    Since these are all SYN packets that are being dropped
    anyway...what's your concern? I mean, have you tried
    pinging or scanning the source system to see if it
    exists, rather than speculating that it might be
    spoofed? You say that the site does not appear to be
    online, but what does that mean? Do pings fail? ICMP
    could be blocked.

    --- Dave <bugtraq@neuromancer.cx> wrote:
    >
    > For at least the past 36 hours I've been getting
    > connections from netpay.
    > I'm not sure if they are spoofed or not. The site
    > doesn't appear to be
    > online. Anyone else seeing this?
    >
    > Here is a snip of tcpdump. I'm dropping the packets
    > now though.
    > 16:26:04.384446 netpay.tv.50971 > neuromancer.http:
    > S
    > 2510312004:2510312004(0) win 32120 <mss
    > 1460,sackOK,timestamp 1054041
    > 1342177280,nop,wscale 0> (DF)
    > 16:26:23.879499 netpay.tv.10914 > neuromancer.http:
    > S
    > 145676099:145676099(0) win 32120 <mss
    > 1460,sackOK,timestamp 7689247
    > 1073741824,nop,wscale 0> (DF)
    > 16:26:43.380204 netpay.tv.27754 > neuromancer.http:
    > S
    > 3896401425:3896401425(0) win 32120 <mss
    > 1460,sackOK,timestamp 3454532
    > 2130706432,nop,wscale 0> (DF)
    > 16:27:03.943005 netpay.tv.3174 > neuromancer.http: S
    > 1901546852:1901546852(0) win 32120 <mss
    > 1460,sackOK,timestamp 2582705
    > 2113929216,nop,wscale 0> (DF
    ----------------------------------------------------------------------------
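
An added triage example, not part of either poster's message: it parses the old-style tcpdump lines quoted above and summarizes the bare SYNs per source, including whether the TCP timestamp echo field (TSecr) is non-zero, which a normal stack does not send in a SYN. That is a hint of crafted traffic, not proof of spoofing. The function names are this example's own, and the capture is assumed not to cross midnight.

```python
import re
from collections import defaultdict

# The four packets quoted above, each re-joined onto one line (the last is cut off on the page).
SAMPLE = """\
16:26:04.384446 netpay.tv.50971 > neuromancer.http: S 2510312004:2510312004(0) win 32120 <mss 1460,sackOK,timestamp 1054041 1342177280,nop,wscale 0> (DF)
16:26:23.879499 netpay.tv.10914 > neuromancer.http: S 145676099:145676099(0) win 32120 <mss 1460,sackOK,timestamp 7689247 1073741824,nop,wscale 0> (DF)
16:26:43.380204 netpay.tv.27754 > neuromancer.http: S 3896401425:3896401425(0) win 32120 <mss 1460,sackOK,timestamp 3454532 2130706432,nop,wscale 0> (DF)
16:27:03.943005 netpay.tv.3174 > neuromancer.http: S 1901546852:1901546852(0) win 32120 <mss 1460,sackOK,timestamp 2582705 2113929216,nop,wscale 0> (DF
"""

# Old-style tcpdump text: time src.port > dst.port: flags seq win N <options>
LINE = re.compile(r"(\d+):(\d+):(\d+\.\d+) (\S+)\.(\w+) > (\S+)\.(\w+): (\S+) "
                  r".*?win (\d+)(?: <(.*?)>)?")

def parse(text):
    """Yield one dict per packet line that matches the format above."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a TCP packet line
        h, mi, s, src, sport, dst, dport, flags, win, opts = m.groups()
        ts = re.search(r"timestamp (\d+) (\d+)", opts or "")
        yield {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
               "sport": sport, "dport": dport, "flags": flags, "win": int(win),
               "tsecr": int(ts.group(2)) if ts else None}

def summarize(text):
    """Group bare SYNs by (source, destination port) for a quick triage view."""
    groups = defaultdict(list)
    for p in parse(text):
        if p["flags"] == "S":  # SYN only, no ACK
            groups[(p["src"], p["dport"])].append(p)
    report = {}
    for key, pkts in groups.items():
        times = [p["t"] for p in pkts]  # assumes the capture does not cross midnight
        report[key] = {
            "syn_count": len(pkts),
            "gaps_s": [round(b - a, 1) for a, b in zip(times, times[1:])],
            "src_ports": [p["sport"] for p in pkts],
            "windows": sorted({p["win"] for p in pkts}),
            # TSecr is only meaningful with ACK set; a normal stack sends 0 in a SYN.
            "nonzero_tsecr": sum(1 for p in pkts if p["tsecr"]),
        }
    return report

if __name__ == "__main__":
    for key, facts in summarize(SAMPLE).items():
        print(key, facts)
```

On the quoted capture this reports one SYN roughly every 20 seconds from a different source port each time, all with the same window and a non-zero TSecr.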

