[Dshield] Anyone else??

John Hardin johnh at aproposretail.com
Tue Jul 2 15:42:04 GMT 2002


On Tue, 2002-07-02 at 07:31, TranceDylan wrote:
> 
> It's just a shot in the dark, but have you ruled out someone on the network
> attaching to "windows update" and then quitting the conn b4 the update has
> completed?

That wouldn't generate traffic to a local port 80.

> > Is anyone else seeing continuous (non-stop) traffic from 207.46.138.20, it
> > is hitting our network block and looking for port 80?
> >
> > Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
> >    One Redmond Way
> >    Redmond, WA 98052
> >    US
> >
> >    Netname: MICROSOFT-GLOBAL-NET
> >    Netblock: 207.46.0.0 - 207.46.255.255

Got any packet captures? Save 'em. Good fodder for a news article: "MS
corporate systems compromised by IIS worm."

{evil grin}

-- 
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  Pay Per Boot is the logical goal of Microsoft's Palladium "secure
  computing" platform.
-----------------------------------------------------------------------
 15 days until Apropos Forum 2002




More information about the list mailing list