Hi Mike,

On 9/10/05, Mike Klinke <mklinke@xxxxxxxx> wrote:
> On Saturday 10 September 2005 03:40, Opesh Alkara wrote:
>
> > I am getting some strange attacks on my gateway-firewall...here
> > is the scrap of the tcpdump command that displays the traffic
> > transaction on my gateway/firewall:
> >
> > [root@Firewall root]# tcpdump -i eth0 | grep microsoft
> > tcpdump: listening on eth0
> > 14:45:46.636128 188.26.25.111.1796 > hacked.e-microsoft.net.http:
> > S 1395392512:1395392512(0) win 16384
> > 14:45:47.136837 188.26.25.112.1217 > hacked.e-microsoft.net.http:
> > S 40173568:40173568(0) win 16384
> > 14:45:47.637597 188.26.25.113.1271 > hacked.e-microsoft.net.http:
> > S 2122645504:2122645504(0) win 16384
>
> The incrementing 188.26.25.... addresses seem to be unallocated.
> Possibly a spoofed source IP address trying to locate/infect a
> vulnerable http port.

Is this IP trying to attack port 16384? What do these sequence numbers [2122645504:2122645504(0)] and "win" signify...??...

> Is your own DNS resolving your machine/network as
> "hacked.e-microsoft.net"? I get NXDOMAIN
> here.

No. Had it been so....it would have shown my pub/priv IPs when I initially digged the URL....still when I dig it....it shows me nothing.... firewall uses my nameserver.....(/etc/resolv.conf)

FYI.....

[root@Firewall root]#
[root@Firewall root]# dig hacked.e-microsoft.net

; <<>> DiG 9.2.4 <<>> hacked.e-microsoft.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65076
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hacked.e-microsoft.net. IN A

;; AUTHORITY SECTION:
net. 10800 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1126374967 1800 900 604800 900

;; Query time: 299 msec
;; SERVER: XXX.XXX.XXX.XXX #53(203.199.179.83)
;; WHEN: Sat Sep 10 23:36:50 2005
;; MSG SIZE rcvd: 113

[root@Firewall root]#

> $host e-microsoft.net
> Host e-microsoft.net not found: 3(NXDOMAIN)
>
>
> Regards, Mike Klinke
>

Kindly advise...

Thanks,
Oopss..

--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
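An added example, not part of the original post or thread: a parser for the old-style tcpdump lines quoted above. It separates the fields (destination port `http`, initial sequence number, zero payload length, and `win` as the advertised TCP window size rather than a port) and flags the pattern Mike points out, bare SYNs whose source address increments by one toward the same destination. The function names and the `min_run` threshold are assumptions; the sample is the post's three packets with the wrapped lines rejoined.

```python
import ipaddress
import re

# Added example; function names and min_run are assumptions, not from the thread.
# Constructed sample: the three packets from the post, wrapped lines rejoined.
SAMPLE = """\
14:45:46.636128 188.26.25.111.1796 > hacked.e-microsoft.net.http: S 1395392512:1395392512(0) win 16384
14:45:47.136837 188.26.25.112.1217 > hacked.e-microsoft.net.http: S 40173568:40173568(0) win 16384
14:45:47.637597 188.26.25.113.1271 > hacked.e-microsoft.net.http: S 2122645504:2122645504(0) win 16384
"""

# Old-style tcpdump TCP line: time src.port > dst.port: flags seq:end(len) win N
LINE = re.compile(
    r"(?P<time>[\d:.]+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<flags>[SFPRWE.]+) "
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) win (?P<win>\d+)")

def parse(text):
    """Return one dict per matching line; anything else is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"] = ipaddress.IPv4Address(d["src"])
            for k in ("sport", "seq", "end", "len", "win"):
                d[k] = int(d[k])
            out.append(d)
    return out

def sequential_syn_runs(segments, min_run=3):
    """Runs of payload-free SYNs whose source IP rises by one per packet
    toward the same destination host and port."""
    runs, current = [], []
    for seg in segments:
        bare_syn = seg["flags"] == "S" and seg["len"] == 0
        prev = current[-1] if current else None
        follows = (prev is not None and seg["dst"] == prev["dst"]
                   and seg["dport"] == prev["dport"]
                   and int(seg["src"]) == int(prev["src"]) + 1)
        if bare_syn and follows:
            current.append(seg)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [seg] if bare_syn else []
    if len(current) >= min_run:
        runs.append(current)
    return runs
```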