[Dshield] Proof of hacker. What do I do?

ALEPH0 aleph0 at pacbell.net
Tue Aug 27 07:17:57 GMT 2002

Looks normal to me.  Your browser hit (initialized from you) level3 on the
web, establishing connections for a page and others for graphics.
Netbios broadcasts from inside.  And some localhost stuff.  Would hope your
firewall wouldn't stop you from browsing the web.  Large files might be
sniffer output or logs generated by tcpview.  I don't use it.  But others
like tcpdump (*n*x) and snoop (Solaris) do this for you if you want.

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Sent: Monday, August 26, 2002 8:00 AM
To: list at dshield.org
Subject: [Dshield] Proof of hacker. What do I do?

TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
UDP d2f2t6:nbname *:*
UDP d2f2t6:nbdatagram *:*
UDP d2f2t6:1978 *:*
What I did was install TCPVIEW. Then I went into netstat. What I think is
being stopped at my firewall is not being stopped. They are into dos.
Here is my event log that corresponds with this.
2002/08/24 20:50:05 (unknown.Level3.net)
Port 1074 (TCP)
2002/08/24 20:35:48 (unknown.Level3.net)
Port 1075 (TCP)

I didn't get it all copied over because there are 8 entries on the firewall
in a row.

There are also large files showing up that I don't know what they are.
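
The reading given in the reply (high local ports connected to remote port 80 are the host's own browser traffic), as an added example that is not part of the original thread: a small triage script that parses netstat/TCPView-style lines and labels each socket. The sample lines are constructed from the listing quoted in the message; the NetBIOS port mapping and the "high local port to low remote port" heuristic are assumptions of this example.

```python
import re

# Constructed sample: a subset of the TCPView/netstat lines quoted in the message.
SAMPLE = """\
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
 TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
UDP d2f2t6:nbname *:*
UDP d2f2t6:1978 *:*
"""

# Assumption of this example: service names map to the standard NetBIOS ports.
NETBIOS = {"nbname": 137, "nbdatagram": 138, "nbsession": 139}
LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\S+)\s+\S+:(\S+)(?:\s+(\S+))?\s*$")

def to_port(token):
    """Numeric port, a known service name, or None for '*' and unknown names."""
    return int(token) if token.isdigit() else NETBIOS.get(token)

def parse(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, lport, rport, state = m.groups()
            rows.append((proto, to_port(lport), to_port(rport), state or ""))
    return rows

def classify(rows):
    # Heuristic (assumption): a high local port talking to a low remote port
    # is a connection this host opened, e.g. a browser fetching from port 80.
    client_ports = {lp for _, lp, rp, st in rows
                    if st == "ESTABLISHED" and lp and rp and lp >= 1024 and rp < 1024}
    result = []
    for proto, lp, rp, st in rows:
        if st == "ESTABLISHED":
            label = "outbound client connection" if lp in client_ports else "review: not client-shaped"
        elif st == "LISTENING" and lp in client_ports:
            label = "local end of outbound connection"
        elif lp in NETBIOS.values():
            label = "NetBIOS service"
        else:
            label = "review: open local port"
        result.append((proto, lp, label))
    return result

if __name__ == "__main__":
    for row in classify(parse(SAMPLE)):
        print(row)
```

Anything labelled "review" is only a prompt to identify the owning process, which TCPView shows per socket.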

