hacked.e-microsoft.net attacks!!!
Mike Klinke
mklinke at axsi.com
Sat Sep 10 19:24:47 UTC 2005
On Saturday 10 September 2005 13:06, Opesh Alkara wrote:
> > >
> > > [root at Firewall root]# tcpdump -i eth0 | grep microsoft
> > > tcpdump: listening on eth0
> > > 14:45:47.637597 188.26.25.113.1271 >
> > > hacked.e-microsoft.net.http: S 2122645504:2122645504(0) win
> > > 16384
> >
> > The incrementing 188.26.25.... addresses seem to be
> > unallocated. Possibly a spoofed source IP address trying to
> > locate/infect a vulnerable http port.
>
188.26.25.113.1271 > hacked.e-microsoft.net.http
This part says that IP address 188.26.25.113, port 1271 is trying to
connect to 'hacked.e-microsoft.net', port 80 (http).
You can use the "-n" parameter with tcpdump to see the IP address
rather than the domain name. ( This tells tcpdump not to use DNS )
> Is this IP trying to attack to port 16384? What do these
> sequence numbers [2122645504:2122645504(0)] and "win"
> signify...??...
They are literally called "tcp sequence numbers" in form
[first:last(number of bytes)] and the "win" bit says that the
available packet receive window is 16384 bytes.
Since this machine is a gateway, do you see these packets on your
internal network facing interface? ( I'm assuming that eth0 is your
external Internet facing interface )
Regards, Mike Klinke
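As an added illustration (not part of the thread), a small parser for the classic tcpdump summary line quoted above, which picks out the source and destination host/port, the flags, the sequence numbers and the window, and then does what the thread is doing by eye: collect the sources sending bare SYNs to the http port and check whether they really step through consecutive addresses. The sample lines beyond the quoted one are constructed for the example.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Optional

# Classic tcpdump TCP summary line (the form quoted in the thread):
#   14:45:47.637597 188.26.25.113.1271 > hacked.e-microsoft.net.http: S 2122645504:2122645504(0) win 16384
#   time  src.port > dst.port: FLAGS first:last(bytes) win N
# FLAGS: S = bare SYN, . = ACK only, P = PSH, F = FIN, R = RST; first:last(bytes) are the
# TCP sequence numbers and win is the advertised receive window in bytes.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+"
    r"(?P<first>\d+):(?P<last>\d+)\((?P<length>\d+)\)"
    r"(?:\s+win\s+(?P<win>\d+))?"
)

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one summary line into its fields, or None for non-TCP / unparsable lines."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("first", "last", "length"):
        d[k] = int(d[k])
    d["win"] = int(d["win"]) if d["win"] else None  # window is not always printed
    return d

def syn_sources(lines: List[str], dport: str = "http") -> List[str]:
    """Sources sending bare SYNs (no payload) to dport: the shape of a port probe."""
    return [p["src"] for p in map(parse_line, lines)
            if p and p["flags"] == "S" and p["length"] == 0 and p["dport"] == dport]

def looks_sequential(addrs: List[str]) -> bool:
    """True when numeric sources step by exactly one: the 'incrementing' pattern in the thread."""
    nums = sorted(int(ip_address(a)) for a in addrs)
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))

# Constructed sample: the quoted line, two invented follow-on probes, and one ordinary ACK.
SAMPLE = [
    "14:45:47.637597 188.26.25.113.1271 > hacked.e-microsoft.net.http: S 2122645504:2122645504(0) win 16384",
    "14:45:48.101220 188.26.25.114.1272 > hacked.e-microsoft.net.http: S 2122645505:2122645505(0) win 16384",
    "14:45:48.559003 188.26.25.115.1273 > hacked.e-microsoft.net.http: S 2122645506:2122645506(0) win 16384",
    "14:45:49.000000 10.0.0.5.40001 > hacked.e-microsoft.net.http: . 1:1(0) ack 1 win 65535",
]

if __name__ == "__main__":
    srcs = syn_sources(SAMPLE)
    print(srcs, "sequential:", looks_sequential(srcs))
```

Run tcpdump with "-n" as suggested above and the source/destination fields come out as numeric addresses, which is what looks_sequential needs.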