[Dshield] Unknown.level3.net:80 attempted to attack my husband's pc

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Aug 29 09:53:45 GMT 2002


list-admin at dshield.org scribbled on
Thursday, August 29, 2002 6:01 AM:

> In response to this post by Linda...
> ---snip
> Subject: [Dshield] Proof of hacker. What do I do?
<snip>
> 
> Tonight my hubby's machine was attacked, ...
<snip>
> The odd thing was that it was attempting to establish a
> connection via Opera's existing connection according to netstat
> and tcpview (being port scanned in the 2500 range).
<snip>
> Can anyone shed some light on this?
<snip>
> Oh and he theorizes the attack could have originated from an ad
> site.  I block ad sites in my cookie manager, he was still in
> the process of setting his up.
> 
> - linlu
> 
<snip>

L. R. or linlu, et al.

Should this fall into the category of so-called urban legends or
seriously [preferably not dramatically] taken issue(s)?

Understanding that 'it' "in other words got past" the 'Snake Oil'
related thing -- as referred to by some so called [general] experts --
but how on earth did 'it' bypass a HW FW? Was the HW FW perhaps out of
duty? This is the most confusing part. On the other hand, if the HW FW
was not on vacation, could it be just thanks to the HW FW your husband
still has more than just remnants of a well functioning system.

- Pete

PS. What are the details for the "connection attempt"?

Your husband's theory may well be a good one.

1) Can you check the address for the connection attempt?
2) And verify whether it is ad-hosting services related?
3) If it is, please consider adding that DNS name or IP address to the
blocked zone of your SW FW.
4) Unless you specifically do that, it is a licit connection based on
link on the site visited by your husband.
5) Not even a SW FW is supposed to block [by default] Authenticated
response(s) to Authorised connection(s).

[Providing you still utilize a "Personal Firewall". Believing even
fragments of opinions on "futility" of "Personal Firewalls" expressed on
this forum and following respective "recommendations" kindly given --
apparently to be interpreted as "not to use 'Personal Firewalls'"].

In either case-

5) Consider reverting the ad-hosting services related IP address to refer
to the loopback adapter of your husband's PC. This prevents the possibly
irrelevant connection attempt as well. In addition to that, the
re-routing may not log into the SW FW's log file -- depending on SW FW
settings.

Best of luck,
Peter
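
Steps 1 to 3 and the loopback suggestion above, as an added example that is not part of the original post: it reads name-resolved `netstat` output, flags remote hosts under known ad-hosting domains, and emits hosts-file lines that point them at 127.0.0.1. The netstat sample, the `adhost.example` domain and all function names are constructed, and using the hosts file for the loopback redirect is an assumption; since a hosts file maps names only, bare IP addresses are reported separately for a firewall rule.

```python
import re

# Constructed sample of Windows-style `netstat` output (names resolved).
SAMPLE_NETSTAT = """\
  Proto  Local Address     Foreign Address          State
  TCP    hubby-pc:2501     www.example.org:80       ESTABLISHED
  TCP    hubby-pc:2502     ads.adhost.example:80    ESTABLISHED
  TCP    hubby-pc:2503     img.ADHOST.example:80    TIME_WAIT
  TCP    hubby-pc:2504     192.0.2.44:80            SYN_SENT
  TCP    hubby-pc:2505     notadhost.example:80     ESTABLISHED
  TCP    hubby-pc:139      0.0.0.0:0                LISTENING
"""

# Hypothetical blocklist of ad-hosting domains (placeholder, not a real list).
AD_DOMAINS = {"adhost.example"}

ROW = re.compile(
    r"^\s*TCP\s+\S+:\d+\s+(?P<host>\S+):(?P<port>\d+)\s+(?P<state>\S+)")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def remote_endpoints(text):
    """Yield (host, port, state) for every non-listening TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group("state") != "LISTENING":
            yield m.group("host").lower(), int(m.group("port")), m.group("state")

def is_ad_host(host, domains=AD_DOMAINS):
    """Match the domain itself or a true subdomain, never a bare suffix."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(text):
    """Return (ad-hosting names, unresolved IPs) seen as remote endpoints."""
    ad_hosts, bare_ips = set(), set()
    for host, _port, _state in remote_endpoints(text):
        if IPV4.match(host):
            bare_ips.add(host)   # needs a firewall rule, not a hosts entry
        elif is_ad_host(host):
            ad_hosts.add(host)
    return sorted(ad_hosts), sorted(bare_ips)

def hosts_entries(ad_hosts):
    """Hosts-file lines that resolve each name to the loopback adapter."""
    return [f"127.0.0.1\t{h}" for h in ad_hosts]

if __name__ == "__main__":
    names, ips = classify(SAMPLE_NETSTAT)
    print("\n".join(hosts_entries(names)))
    print("Unresolved IPs to check by hand:", ", ".join(ips))
```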



