odd packets with 127.0.0.1:80 as source adres

[consultant]

I figured the old thread displayed the detail better, and since people often don't follow links to old threads they wouldn't have to...... that said, someone has already replied without reading the previous thread

I used the tcpdump args requested by a previous poster to provide more details.

I've since read the follwing URL. Not sure if it throws any light on the subject:

http://securityresponse.symantec.com...ster.worm.html

Also there is a nother lengthy thread here:

http://www.dslreports.com/forum/rema...flat~days=9999

Which culminated in the following link:

http://groups.google.com/groups?q=g:...40pita.alt.net

Apologies if I broke any etiquette by dredging up an old thread.

T.

[hexadecimal]

no i didnt have time...was at school doing some extra work after hours on my term paper and i swung buy...reading it now

[SirDice]

"Reroute windowsupdate.com to 127.0.0.1. This may result in lots of
RSTs on your network (Windows may send RSTs from 127.0.0.1 to the
spoofed addresses)"

Argh! This means windows doesn't follow RFC-1122 (see my previous post regarding rfc-1122). I'm not ready to believe that. I'll accuse MS from doing all sorts of stuff but most of the time they follow RFCs to the letter.

Unfortunately, I still haven't found anything And AFAIK it's still going on.

[wassup]

Originally posted here by SirDice
The source mac adres is our ISP router

this is not something out of the normal. as the frame passes through your router it strips off the frae and then adds its own frame.

[SirDice]

Originally posted here by wassup
this is not something out of the normal. as the frame passes through your router it strips off the frae and then adds its own frame.

No ****?!?

I posted that info so everyone knows the packets are originating from the Internet and not from our own netwerk.