[Dshield] Unknown.level3.net:80 attempted to attack my husband's pc
ed.truitt at etee2k.net
Thu Aug 29 11:55:46 GMT 2002
I am sorry, but I don't think this is "proof" of a hack attempt. I checked
unknown.level3.net, and it is running an AkamaiGHost web server. The
"proof" shows a connection to the HTTP (Web server) port (TCP 80). You were
surfing the net. I would expect such connections to take place.
I have never explicitly typed in an Akamai web server address, yet my Squid
logs show that I connect to their boxes all the time. I suspect it has to
do with graphic images or other inline content from their systems being
present on web pages I do visit. In this regard, your husband's suspicion
that it might be an "ad site" is a reasonable one.
If you really feel that you are being hacked by level3.net's servers, I
would contact their abuse desk (abuse @ level3.net). They appear to be a
telecom and network provider on an international scale, so if one of their
corporate servers is infected they will want to know about it. I have
reported problems to them before, and IIRC they are pretty responsive.
But, I'll say it again - this DOES NOT LOOK like a hack attempt to me, based
on the data presented.
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
----- Original Message -----
From: "L. R." <linlu at yahoo.com>
To: <list at dshield.org>
Sent: Wednesday, August 28, 2002 10:01 PM
Subject: [Dshield] Unknown.level3.net:80 attempted to attack my husband's pc
> In response to this post by Linda...
> Subject: [Dshield] Proof of hacker. What do I do?
> Reply-To: list at dshield.org
> TCP d2f2t6:nbsession d2f2t6:0 LISTENING
> TCP d2f2t6:2068 d2f2t6:0 LISTENING
> TCP d2f2t6:2070 d2f2t6:0 LISTENING
> TCP d2f2t6:2073 d2f2t6:0 LISTENING
> TCP d2f2t6:2074 d2f2t6:0 LISTENING
> TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
> Tonight my hubby's machine was attacked, this was while using
> Opera as the browser, not IE. Without clicking on any unknown
> links. The only thing out of the ordinary was that he was going
> to a war driving tools site. I am on the same site, but I have
> nothing, might just be a coincidence.
> The odd thing was that it was attempting to establish a
> connection via Opera's existing connection according to netstat
> and tcpview (being port scanned in the 2500 range). However,
> cookie management is halfway on, so I guess it couldn't do what
> it needed to do. So in other words it got past ZoneAlarm PRO, I
> wonder exactly what prevented it from getting connected. Note,
> we have a h/w firewall as well.
> His defense after an initial confirmation of who it was using
> nslookup was to shut down. He has rebooted and they're gone.
> All we have of proof of this is a few text files of netstat &
> tcpview while they were attempting to connect.
> Can anyone shed some light on this? We're not neophytes, and we
> take prudent measures to secure ourselves - what more can we do?
> We've got defense in depth, secure pws, don't share, firewalls,
> etc. Lucky for us we're naturally paranoid so anytime activity
> lights go up, we look to see what is happening. That was the
> only way he knew something was up.
> Oh and he theorizes the attack could have originated from an ad
> site. I block ad sites in my cookie manager, he was still in
> the process of setting his up.
> - linlu
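An added Python example, written for this archive page and not code from either poster, that applies Ed's reading of the netstat output quoted above: it parses the rows and infers who initiated each connection from which side holds the service port. The 1024 boundary and the small service-name table are assumptions made for this sample.

```python
# Constructed from the netstat lines quoted in the original post (Windows "netstat -a" style).
NETSTAT_SAMPLE = """\
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
"""

# Service names netstat prints instead of numbers; only those needed here (assumed table).
SERVICE_PORTS = {"nbsession": 139, "http": 80, "https": 443}
EPHEMERAL_MIN = 1024  # assumed boundary between well-known service ports and client ports

def port_number(text):
    """Turn '80' or 'nbsession' into a numeric port."""
    return int(text) if text.isdigit() else SERVICE_PORTS[text]

def parse_netstat(text):
    """Yield (proto, local_host, local_port, remote_host, remote_port, state) per row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip headers and blank lines
            continue
        proto, local, remote, state = parts
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        yield proto, lhost, port_number(lport), rhost, port_number(rport), state

def classify(local_port, remote_port, state):
    """Infer who initiated the connection from which side holds the service port."""
    if state == "LISTENING":
        # A listener on a well-known port is a service this host offers to the network.
        return "exposed-service" if local_port < EPHEMERAL_MIN else "local-listener"
    if state == "ESTABLISHED":
        if local_port >= EPHEMERAL_MIN and remote_port < EPHEMERAL_MIN:
            return "outbound-client"     # we connected to their service (browser -> port 80)
        if local_port < EPHEMERAL_MIN and remote_port >= EPHEMERAL_MIN:
            return "inbound-to-service"  # a remote client connected to a service we expose
    return "other"

def triage(text):
    """Map 'localport->remote:port' to its classification for every parsed row."""
    return {f"{lport}->{rhost}:{rport}": classify(lport, rport, state)
            for _, _, lport, rhost, rport, state in parse_netstat(text)}

if __name__ == "__main__":
    for key, verdict in triage(NETSTAT_SAMPLE).items():
        print(f"{key:35} {verdict}")
```

The ESTABLISHED row classifies as an outbound client connection, the browser fetching content from port 80, which matches Ed's explanation; the nbsession listener on port 139 is the row worth checking against the firewall rules.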