hacked.e-microsoft.net attacks!!!

Opesh Alkara opeshalkara at gmail.com
Sat Sep 10 18:06:19 UTC 2005


Hi Mike

On 9/10/05, Mike Klinke <mklinke at axsi.com> wrote:

> On Saturday 10 September 2005 03:40, Opesh Alkara wrote:
> 
> > I am getting some strange attacks on my gateway-firewall...here
> > is the scrap of the tcpdump command that displays the traffic
> > transaction on my gateway/firewall:
> >
> > [root at Firewall root]# tcpdump -i eth0 | grep microsoft
> > tcpdump: listening on eth0
> > 14:45:46.636128 188.26.25.111.1796 > hacked.e-microsoft.net.http:
> > S 1395392512:1395392512(0) win 16384
> > 14:45:47.136837 188.26.25.112.1217 > hacked.e-microsoft.net.http:
> > S 40173568:40173568(0) win 16384
> > 14:45:47.637597 188.26.25.113.1271 > hacked.e-microsoft.net.http:
> > S 2122645504:2122645504(0) win 16384
> 
> The incrementing 188.26.25.... addresses seem to be unallocated.
> Possibly a spoofed source IP address trying to locate/infect a
> vulnerable http port.

Is this IP trying to attack port 16384? What do these sequence numbers
[2122645504:2122645504(0)] and "win" signify?

> Is your own DNS resolving your machine/network as
> "hacked.e-microsoft.net"? I get NXDOMAIN
> here.

No.
Had it been so, it would have shown my pub/priv IPs when I initially
dug the URL. Still, when I dig it, it shows me nothing.
The firewall uses my nameserver (/etc/resolv.conf).
FYI:
   
[root at Firewall root]# 
[root at Firewall root]# dig hacked.e-microsoft.net

; <<>> DiG 9.2.4 <<>> hacked.e-microsoft.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65076
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hacked.e-microsoft.net. IN A

;; AUTHORITY SECTION:
net. 10800 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1126374967 1800 900 604800 900

;; Query time: 299 msec
;; SERVER: XXX.XXX.XXX.XXX #53(203.199.179.83)
;; WHEN: Sat Sep 10 23:36:50 2005
;; MSG SIZE rcvd: 113

[root at Firewall root]#

> $host e-microsoft.net
> Host e-microsoft.net not found: 3(NXDOMAIN)
> 
> 
> Regards, Mike Klinke
> 


Kindly advise...
Thanks,
Oopss..
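
Added example, not part of the original post or the list thread: a Python sketch that parses the three tcpdump lines quoted above into their fields (source address and port, destination host and service, TCP flags, sequence range, payload length, advertised receive window) and flags the pattern Mike points out, bare SYNs to one destination from source addresses that increase by one. The regex covers only this old tcpdump output format; the function names and the min_run threshold are assumptions.

```python
import ipaddress
import re

# The three capture lines from the post, each rejoined onto one line.
CAPTURE = """\
14:45:46.636128 188.26.25.111.1796 > hacked.e-microsoft.net.http: S 1395392512:1395392512(0) win 16384
14:45:47.136837 188.26.25.112.1217 > hacked.e-microsoft.net.http: S 40173568:40173568(0) win 16384
14:45:47.637597 188.26.25.113.1271 > hacked.e-microsoft.net.http: S 2122645504:2122645504(0) win 16384
"""

# Old-style tcpdump TCP line: time src.port > dst.port: flags seq:end(len) win N
# A line carrying "ack N" before "win" does not match, so flags "S" means a bare SYN.
LINE = re.compile(
    r"(?P<time>[\d:.]+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<flags>[SFPRWE.]+) "
    r"(?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\) win (?P<window>\d+)"
)

def parse(capture):
    """Return one dict per line that matches LINE; other lines are skipped."""
    packets = []
    for m in filter(None, map(LINE.match, capture.splitlines())):
        p = m.groupdict()
        p["src"] = ipaddress.IPv4Address(p["src"])
        for key in ("sport", "seq", "seq_end", "length", "window"):
            p[key] = int(p[key])
        packets.append(p)
    return packets

def sequential_syn_runs(packets, min_run=3):
    """Group consecutive SYNs to one dst/port whose source IPs step by one."""
    runs, run = [], []
    for p in (p for p in packets if p["flags"] == "S"):
        prev = run[-1] if run else None
        if prev and (p["dst"], p["dport"]) == (prev["dst"], prev["dport"]) \
                and int(p["src"]) == int(prev["src"]) + 1:
            run.append(p)
        else:
            if len(run) >= min_run:
                runs.append(run)
            run = [p]
    if len(run) >= min_run:
        runs.append(run)
    return runs

if __name__ == "__main__":
    for run in sequential_syn_runs(parse(CAPTURE)):
        print(f"{len(run)} SYNs to {run[0]['dst']} port {run[0]['dport']} from "
              f"{run[0]['src']}..{run[-1]['src']}, window {run[0]['window']}")
```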


