Full Disclosure mailing list archives

RE: Odd packet?

From: <full-disclosure () nym hush com>
Date: Fri, 28 May 2004 06:13:51 -0700

Ok.  It seems the case described.  A spoofed packet with your 
IP as the source tries to connect to the compromised machine 
to port 80 at localhost.  The compromised machine doesn't have a
webserver listening at 127.0.0.1:80 so the tcp stack replyes 
ACK RST and sends this packet to your spoofed address.



Unlikely.  If this were the case, the server would reply with RST, not
RST, ACK.  There's too little information to come to any conclusion at
this point.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Odd packet?, (continued)
- - - Re: Odd packet? Steffen Schumacher (May 26)
    - Re: Odd packet? Mike Klinke (May 26)
    - Message not available
    - Re: Odd packet? Valentino Squilloni - Ouz (May 27)
  - Message not available
    - Re: Odd packet? Valentino Squilloni - Ouz (May 25)
    - Re: Odd packet? Maarten (May 25)
    - Message not available
    - Re: Odd packet? Valentino Squilloni - Ouz (May 26)
- RE: Odd packet? full-disclosure (May 25)
  - Re: Odd packet? Gregh (May 25)
- Re: Odd packet? full-disclosure (May 26)
- Re: Odd packet? Skip Duckwall (May 26)
- RE: Odd packet? full-disclosure (May 28)
- RE: Odd packet? full-disclosure (May 28)