On Saturday 10 September 2005 13:06, Opesh Alkara wrote:
> > >
> > > [root@Firewall root]# tcpdump -i eth0 | grep microsoft
> > > tcpdump: listening on eth0
> > > 14:45:47.637597 188.26.25.113.1271 >
> > > hacked.e-microsoft.net.http: S 2122645504:2122645504(0) win
> > > 16384
> >
> > The incrementing 188.26.25.... addresses seem to be
> > unallocated. Possibly a spoofed source IP address trying to
> > locate/infect a vulnerable http port.
>
> 188.26.25.113.1271 > hacked.e-microsoft.net.http

This part says that IP address 188.26.25.113, port 1271 is trying to connect to 'hacked.e-microsoft.net', port 80 (http). You can use the "-n" parameter with tcpdump to see the IP address rather than the domain name. (This tells tcpdump not to use DNS.)

> Is this IP trying to attack port 16384? What do these
> sequence numbers [2122645504:2122645504(0)] and "win"
> signify?

They are literally called "tcp sequence numbers", in the form [first:last(number of bytes)], and the "win" bit says that the available packet receive window is 16384 bytes.

Since this machine is a gateway, do you see these packets on your internal network facing interface? (I'm assuming that eth0 is your external Internet facing interface.)

Regards,
Mike Klinke

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
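The field layout Mike describes (host.port > host.port: flags first:last(len) ack win) can be pulled apart mechanically, which makes it easier to see how many distinct sources are sending bare SYNs to one port. The following is an added example, not code from the thread; the sample lines other than the one quoted above are constructed, and the service-name table is a small stand-in for what tcpdump resolves when "-n" is not given.

```python
import re

# Constructed sample in the older tcpdump TCP line format. The first line is the
# one quoted in the thread; the remaining addresses and packets are made up.
SAMPLE = """\
14:45:47.637597 188.26.25.113.1271 > hacked.e-microsoft.net.http: S 2122645504:2122645504(0) win 16384
14:45:47.912003 188.26.25.114.1272 > 10.0.0.5.80: S 2122645505:2122645505(0) win 16384
14:45:48.201118 188.26.25.115.1273 > 10.0.0.5.80: S 2122645506:2122645506(0) win 16384
14:45:49.004410 10.0.0.9.33000 > 10.0.0.5.22: P 10:42(32) ack 1 win 5840
"""

# Without -n tcpdump prints service names instead of port numbers; this small
# table (an assumption, not tcpdump's own) maps the ones used here back.
SERVICES = {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}

def port_number(port):
    """Return an int for numeric or known named ports, else the name unchanged."""
    return int(port) if port.isdigit() else SERVICES.get(port, port)

# time  src.port > dst.port: flags [first:last(len)] [ack N] win W
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRPWE.]+)\s+"
    r"(?:(?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)

def parse_line(line):
    """Split one tcpdump TCP line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("first", "last", "len", "ack", "win"):
        if d[key] is not None:
            d[key] = int(d[key])
    # A SYN-only segment carrying no data is a plain connection attempt.
    d["syn_only"] = d["flags"] == "S" and d["len"] == 0
    return d

def syn_probes_by_target(text):
    """Map each probed destination port to the set of sources that sent bare SYNs."""
    probes = {}
    for line in text.splitlines():
        p = parse_line(line)
        if p and p["syn_only"]:
            probes.setdefault(port_number(p["dport"]), set()).add(p["src"])
    return probes
```

Many distinct, sequential source addresses all sending a single SYN to the same port is the pattern the thread is looking at; a packet-by-packet parse like this is what you would run over the capture to confirm it before blocking anything.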