[Dshield] Unknown.level3.net:80 attempted to attack my husband's pc

L. R. linlu at yahoo.com
Thu Aug 29 03:01:13 GMT 2002

In response to ths post by Linda...
Subject: [Dshield] Proof of hacker. What do I do?
Reply-To: list at dshield.org

TCP d2f2t6:nbsession d2f2t6:0 LISTENING
 TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED

Tonight my hubbies machine was attacked, this was while using
Opera as the browser, not IE.  Without clicking on any unknown
links.  The only thing out of the ordinary was that he was going
to a war driving tools site.  I am on the same site, but I have
nothing, might just be a coincidence.

The odd thing was that it was attempting to establish a
connection via Opera's existing connection according to netstat
and tcpview (being port scanned in the 2500 range).  However,
cookie management is halfway on, so I guess it couldn't do what
it needed to do.  So in other words it got past ZoneAlarm PRO, I
wonder exactly what prevented it from getting connected.  Note,
we have a h/w firewall as well.

His defense after an initial confirmation of who it was using
nslookup was to shutdown.  He has rebooted and they're gone. 
All we have of proof of this is a few text files of netstat &
tcpview while they were attempting to connect.

Can anyone shed some light on this.  We're not neophytes, and we
take prudent measures to secure ourselves - what more can we do.
 We've got defense in depth, secure pws, don't share, firewalls,
etc.  Lucky for us we're naturally paranoid so anytime activity
lights go up, we look to see what is happening.  That was the
only way he knew something was up.

Oh and he theorizes the attack could have originated from an ad
site.  I block ad sites in my cookie manager, he was still in
the process of setting his up.

- linlu

Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes

More information about the list mailing list