I'm a newbie at interpreting this, but it sounds like a response from the Web server at 207.68.176.190 (auto.search.msn.com). I'm assuming you are using NAT on your firewall and that 9491 is an ephemeral port for one of your client's http requests to auto.search.msn.com.
It appears as if the site is running IIS 5.0:

lynx -head http://207.68.176.190
HTTP/1.0 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 01 Feb 2002 18:11:27 GMT
Cache-Control: private
Content-Type: text/html
Content-Length: 28254

Perhaps the owner of the Web server process is root, and that this is normal behavior for IIS 5.0/this particular site. The 207.68.176.190 netblock is registered to Microsoft after doing an ARIN whois.

Sounds like normal activity to me! I'd be happy to hear other analyses of this traffic.

Kind regards,
Brandon Hutchinson

On Friday 01 February 2002 07:25 am, Martin Smith wrote:
> Am I reading this right? Someone at the other end is coming from a root
> account.
>
> [**] [1:498:2] ATTACK RESPONSES id check returned root [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 01/31-14:27:26.388959 207.68.176.190:80-> 10.1.50.1:9491
> TCP TTL:62 TOS:0x0 ID:12412 IpLen:20 DgmLen:1476
> ***AP*** Seq: 0xD0B54E63 Ack: 0xA86D0E3A Win: 0xFFFF TcpLen: 20
>
>
> The 10.1.50.1 (for security) is our firewall....
>
>
>
> Thanks for your help
>
> Marty
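
The triage reasoning in the reply above (port 80 on the remote side, a high port on the firewall), as an added example that is not part of the original thread: it parses the quoted alert and labels which side of the connection sent the alerting packet. The function names, the set of service ports and the 1024 threshold are assumptions made for this illustration.

```python
import re

# Alert text exactly as quoted in the thread (Snort "full" alert format).
ALERT = """\
[**] [1:498:2] ATTACK RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/31-14:27:26.388959 207.68.176.190:80-> 10.1.50.1:9491
TCP TTL:62 TOS:0x0 ID:12412 IpLen:20 DgmLen:1476
***AP*** Seq: 0xD0B54E63 Ack: 0xA86D0E3A Win: 0xFFFF TcpLen: 20
"""

HEADER = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
META = re.compile(r"\[Classification:\s*(.*?)\]\s*\[Priority:\s*(\d+)\]")
# Tolerates the missing space before "->" seen in the quoted alert.
FLOW = re.compile(r"(\d+(?:\.\d+){3}):(\d+)\s*->\s*(\d+(?:\.\d+){3}):(\d+)")

SERVICE_PORTS = {80, 443}  # assumption: ports treated as web services
EPHEMERAL_MIN = 1024       # assumption: ports at or above this are client-side


def parse_alert(text):
    """Extract rule identity and the flow 4-tuple from one alert."""
    h, m, f = HEADER.search(text), META.search(text), FLOW.search(text)
    if not (h and m and f):
        raise ValueError("not a recognisable Snort full alert")
    return {
        "gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
        "msg": h.group(4),
        "classification": m.group(1), "priority": int(m.group(2)),
        "src": f.group(1), "sport": int(f.group(2)),
        "dst": f.group(3), "dport": int(f.group(4)),
    }


def direction(alert):
    """Label the alerting packet by which end uses the service port."""
    s, d = alert["sport"], alert["dport"]
    if s in SERVICE_PORTS and d >= EPHEMERAL_MIN:
        return "server-response"  # reply on a connection the dst side opened
    if d in SERVICE_PORTS and s >= EPHEMERAL_MIN:
        return "client-request"
    return "unknown"


if __name__ == "__main__":
    a = parse_alert(ALERT)
    print(a["sid"], a["msg"], "|", a["src"], "->", a["dst"], "|", direction(a))
```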
