[Dshield] Unknown.level3.net:80 attempted to attack my husband's pc

Ed Truitt ed.truitt at etee2k.net
Thu Aug 29 11:55:46 GMT 2002

I am sorry, but I don't think this is "proof" of a hack attempt.  I checked
unknown.level3.net, and it is running an AkamaiGHost web server.  The
"proof" shows a connection to the HTTP (Web server) port (TCP 80).  You were
surfing the net.  I would expect such connections to take place.

I have never explicitly typed in an Akamai web server address, yet my Squid
logs show that I connect to their boxes all the time.  I suspect it has to
do with graphic images or other inline content from their systems being
present on web pages I do visit.  In this regard, your husband's suspicion
that it might be an "ad site" is a reasonable one.

If you really feel that you are being hacked by level3.net's servers, I
would contact their abuse desk (abuse @ level3.net).  They appear to be a
telecom and network provider on an international scale, so if one of their
corporate servers is infected they will want to know about it.  I have
reported problems to them before, and IIRC they are pretty responsive.

But, I'll say it again - this DOES NOT LOOK like a hack attempt to me, based
on the data presented.

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "L. R." <linlu at yahoo.com>
To: <list at dshield.org>
Sent: Wednesday, August 28, 2002 10:01 PM
Subject: [Dshield] Unknown.level3.net:80 attempted to attack my husband's pc

> In response to this post by Linda...
> ---snip
> Subject: [Dshield] Proof of hacker. What do I do?
> Reply-To: list at dshield.org
> TCP d2f2t6:nbsession d2f2t6:0 LISTENING
> TCP d2f2t6:2068 d2f2t6:0 LISTENING
> TCP d2f2t6:2070 d2f2t6:0 LISTENING
> TCP d2f2t6:2073 d2f2t6:0 LISTENING
> TCP d2f2t6:2074 d2f2t6:0 LISTENING
> TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
> --snip
> Tonight my hubby's machine was attacked; this was while using
> Opera as the browser, not IE.  Without clicking on any unknown
> links.  The only thing out of the ordinary was that he was going
> to a war driving tools site.  I am on the same site, but I have
> nothing, might just be a coincidence.
> The odd thing was that it was attempting to establish a
> connection via Opera's existing connection according to netstat
> and tcpview (being port scanned in the 2500 range).  However,
> cookie management is halfway on, so I guess it couldn't do what
> it needed to do.  So in other words it got past ZoneAlarm PRO, I
> wonder exactly what prevented it from getting connected.  Note,
> we have a h/w firewall as well.
> His defense after an initial confirmation of who it was using
> nslookup was to shutdown.  He has rebooted and they're gone.
> All we have of proof of this is a few text files of netstat &
> tcpview while they were attempting to connect.
> Can anyone shed some light on this?  We're not neophytes, and we
> take prudent measures to secure ourselves - what more can we do?
>  We've got defense in depth, secure pws, don't share, firewalls,
> etc.  Lucky for us we're naturally paranoid so anytime activity
> lights go up, we look to see what is happening.  That was the
> only way he knew something was up.
> Oh and he theorizes the attack could have originated from an ad
> site.  I block ad sites in my cookie manager, he was still in
> the process of setting his up.
> - linlu
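As an added example, not part of either message in this thread, here is a small Python triage helper that applies Ed's reasoning to the netstat lines quoted above: a LISTENING row is a local socket that nobody is connected to, and an ESTABLISHED row whose local port is in the ephemeral range and whose remote port is a well-known service port (80 here) was initiated by a local program such as the browser, not by the remote host. The sample input is the snippet from the thread with the quote marks stripped; the service-name table, the port threshold and the function names are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Names Windows netstat prints instead of numbers when run without -n.
# Assumed subset for this example; a real tool would read the system services file.
SERVICE_PORTS = {"http": 80, "https": 443, "nbsession": 139, "smtp": 25, "ftp": 21}

# Assumption: ports up to 1023 belong to servers; higher ports are client-side
# ephemeral ports the OS hands out for outgoing connections.
SERVICE_PORT_MAX = 1023

# Constructed sample input: the netstat rows quoted in the thread, "> " prefix removed.
SAMPLE_NETSTAT = """\
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
"""


def port_number(port: str) -> int:
    """Resolve '80' or a name like 'nbsession' to an integer port."""
    if port.isdigit():
        return int(port)
    try:
        return SERVICE_PORTS[port.lower()]
    except KeyError:
        raise ValueError(f"unknown service name {port!r}; rerun netstat with -n") from None


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'unknown.level3.net:80' -> ('unknown.level3.net', 80)."""
    host, _, port = endpoint.rpartition(":")
    return host, port_number(port)


def classify(line: str) -> Dict[str, object]:
    """Label one netstat row as listening, outbound, inbound or ambiguous."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"not a 4-column netstat row: {line!r}")
    proto, local, remote, state = fields
    local_host, local_port = split_endpoint(local)
    remote_host, remote_port = split_endpoint(remote)
    state = state.upper()
    if state == "LISTENING":
        direction = "listening"
        note = "local socket waiting for connections; nobody is connected to it"
    elif local_port > SERVICE_PORT_MAX and remote_port <= SERVICE_PORT_MAX:
        # Ephemeral local port talking to a remote service port: our side dialed out.
        direction = "outbound"
        note = (f"local program on ephemeral port {local_port} connected to "
                f"{remote_host} service port {remote_port}; our side initiated it")
    elif local_port <= SERVICE_PORT_MAX and remote_port > SERVICE_PORT_MAX:
        direction = "inbound"
        note = f"{remote_host} connected to our service port {local_port}"
    else:
        direction = "ambiguous"
        note = "both ports in the same range; direction cannot be inferred from ports alone"
    return {"proto": proto, "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            "state": state, "direction": direction, "note": note}


def summarize(netstat_text: str) -> Dict[str, object]:
    """Classify every non-empty row and count how many fall in each direction."""
    rows: List[Dict[str, object]] = []
    counts = {"listening": 0, "outbound": 0, "inbound": 0, "ambiguous": 0}
    for line in netstat_text.splitlines():
        if not line.strip():
            continue
        row = classify(line)
        rows.append(row)
        counts[row["direction"]] += 1
    return {"rows": rows, "counts": counts}


if __name__ == "__main__":
    result = summarize(SAMPLE_NETSTAT)
    for row in result["rows"]:
        print(f"{row['direction']:<10} {row['note']}")
    print("counts:", result["counts"])
```

Run against the quoted snippet, the helper reports five listening sockets and one outbound connection, which is the same conclusion Ed reaches by hand: the only established session goes from a local high-numbered port to the remote web port, the signature of a browser fetching content. The port heuristic is deliberately conservative and labels a row "ambiguous" rather than guessing when both ends sit in the same range.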