[Dshield] Unknown.level3.net:80 attempted to attack my husband's pc

Coxe, John B. JOHN.B.COXE at saic.com
Thu Aug 29 14:45:36 GMT 2002


I thought my response that posted (as ALEPH0) on the 27th was still correct.
You are misinterpreting the netstat output here.  "TCP d2f2t6:2068
unknown.level3.net:80 ESTABLISHED" simply means you have initiated a port 80
(=http=www) connection to the host unknown.level3.net.  The high level port
numbers (2068, ...) are local and are not a port scan.  Sequencing will have
that look only because when you hit a site you might make several
connections to pull down images and other embedded html items.  In this
case, you might get:

Images/dot_clear.gif
images/home_logo.gif
Images/intl_icon.gif
userimages/productsFP0.gif
userimages/ACF1B.gif
userimages/dot_clear.gif
userimages/bullet.gif
userimages/careersFPO.gif
userimages/level3newsFPO.gif
userimages/DotCom/en_US/images/kaugman_bro_8-02.jpg
.
.
.

Here's what your browser is doing (or close to it in case it's hitting a
virtual domain and/or subpage on that host).  Should have just done a HEAD
instead of GET, since I snipped it anyway.

# telnet unknown.level3.net 80
Trying 192.168.202.7...
Connected to unknown.level3.net.
Escape character is '^]'.
GET http://unknown.level3.net HTTP/1.0

HTTP/1.0 200 OK
Age: 45
Accept-Ranges: bytes
Date: Thu, 29 Aug 2002 14:17:23 GMT
Content-Length: 27612
Content-Type: text/html
Server: Microsoft-IIS/5.0
Content-Location: http://unknown.level3.net/544.html
Last-Modified: Thu, 29 Aug 2002 14:13:17 GMT
ETag: "fbcfa238664fc21:8b3"

(etc etc etc)

"TCP d2f2t6:nbsession d2f2t6:0 LISTENING" is Windows netbios.  The
origination and destination ports are your local interface.  How is that a
hack?

Unless people understand how to interpret the data and reports from
firewalls, network monitors, and other security applications, a lot of
unnecessary panic is going to happen.  But it is always better to run a red
flag up the pole because you see something that might be a problem than the
opposite.

If you really think you are being hacked and you have these "attempts" to
connect, provide the data justifying your inquiry.  What you have sent
doesn't look in any way out of the ordinary, suspicious or evil.



-----Original Message-----
From: L. R. [mailto:linlu at yahoo.com]
Sent: Wednesday, August 28, 2002 8:01 PM
To: list at dshield.org
Subject: [Dshield] Unknown.level3.net:80 attempted to attack my husband's pc


In response to this post by Linda...
---snip
Subject: [Dshield] Proof of hacker. What do I do?
Reply-To: list at dshield.org

TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
--snip

Tonight my hubby's machine was attacked, this was while using
Opera as the browser, not IE.  Without clicking on any unknown
links.  The only thing out of the ordinary was that he was going
to a war driving tools site.  I am on the same site, but I have
nothing, might just be a coincidence.

The odd thing was that it was attempting to establish a
connection via Opera's existing connection according to netstat
and tcpview (being port scanned in the 2500 range).  However,
cookie management is halfway on, so I guess it couldn't do what
it needed to do.  So in other words it got past ZoneAlarm PRO, I
wonder exactly what prevented it from getting connected.  Note,
we have a h/w firewall as well.

His defense after an initial confirmation of who it was using
nslookup was to shutdown.  He has rebooted and they're gone. 
All we have of proof of this is a few text files of netstat &
tcpview while they were attempting to connect.

Can anyone shed some light on this?  We're not neophytes, and we
take prudent measures to secure ourselves - what more can we do?
We've got defense in depth, secure pws, don't share, firewalls,
etc.  Lucky for us we're naturally paranoid so anytime activity
lights go up, we look to see what is happening.  That was the
only way he knew something was up.

Oh and he theorizes the attack could have originated from an ad
site.  I block ad sites in my cookie manager, he was still in
the process of setting his up.

- linlu
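An added example, not part of John Coxe's reply or of the original post: a short Python script that applies the reading of netstat output given above. It parses Windows-style netstat lines, resolves the service names Windows substitutes from its services file (nbsession is 139/tcp), and uses the port roles to decide who initiated each ESTABLISHED connection. A high, ephemeral local port talking to a low remote port such as 80 means the local host is the client, so a run of such connections to one host on port 80 is the footprint of a page load, not of a scan. The sample lines are constructed after the excerpt in the thread; the service table, the 1023 boundary and the helper names are assumptions of this example.

```python
"""Classify Windows-style `netstat -a` lines: listening sockets versus
outbound client connections versus inbound server connections.

Example code written for this page; not from the thread participants.
The SAMPLE dump is constructed after the excerpt in the original post."""
import re
from collections import Counter, defaultdict

# Service names Windows netstat substitutes for well-known ports
# (assumed subset of the Windows services file).
SERVICE_PORTS = {"http": 80, "https": 443, "nbsession": 139, "epmap": 135,
                 "microsoft-ds": 445, "smtp": 25, "domain": 53}

# Constructed sample: the five LISTENING lines and one ESTABLISHED line
# follow the post; the two extra ESTABLISHED lines to :80 model the other
# page elements a browser fetches, and the last line is a constructed
# inbound NetBIOS session for contrast.
SAMPLE = """
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
 TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:nbsession 10.0.0.9:1234 ESTABLISHED
"""

# proto  local:port  foreign:port  [state]; IPv6 literals (with colons)
# are not handled, which is fine for the 2002-era output discussed here.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

EPHEMERAL_MIN = 1024  # assumption: ports below this are service ports


def port_number(p):
    """Turn '80', 'nbsession' or '*' into an int (None for wildcard/unknown)."""
    if p == "*":
        return None
    if p.isdigit():
        return int(p)
    return SERVICE_PORTS.get(p.lower())


def parse(line):
    """Parse one netstat line into a dict, or None if it is not a socket line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, lhost, lport, rhost, rport, state = m.groups()
    return {"proto": proto, "lhost": lhost, "lport": port_number(lport),
            "rhost": rhost, "rport": port_number(rport), "state": state or ""}


def classify(entry):
    """Decide who initiated the connection from the port roles.

    Ephemeral local port -> low remote port: this host is the client.
    Low local port <- ephemeral remote port: this host is the server."""
    if entry["state"] == "LISTENING":
        return "listening"
    if entry["state"] != "ESTABLISHED":
        return "other"
    lp, rp = entry["lport"], entry["rport"]
    if lp is None or rp is None:
        return "ambiguous"
    if lp >= EPHEMERAL_MIN and rp < EPHEMERAL_MIN:
        return "outbound-client"
    if lp < EPHEMERAL_MIN and rp >= EPHEMERAL_MIN:
        return "inbound-server"
    return "ambiguous"


def summarize(text):
    """Count each class and group established connections by (peer, port, class)."""
    counts = Counter()
    by_peer = defaultdict(list)
    for line in text.splitlines():
        e = parse(line)
        if not e:
            continue
        kind = classify(e)
        counts[kind] += 1
        if kind in ("outbound-client", "inbound-server"):
            by_peer[(e["rhost"], e["rport"], kind)].append(e["lport"])
    return counts, dict(by_peer)


def looks_like_browser_session(by_peer, host, port=80, minimum=2):
    """Several distinct ephemeral local ports to the same host:80 is what
    one page load with embedded images looks like, not a scan of us."""
    ports = by_peer.get((host, port, "outbound-client"), [])
    return len(ports) >= minimum and len(set(ports)) == len(ports)


if __name__ == "__main__":
    counts, peers = summarize(SAMPLE)
    print(dict(counts))
    for (host, port, kind), lports in peers.items():
        print(f"{kind:16} {host}:{port}  local ports {sorted(lports)}")
    print("page load to unknown.level3.net:",
          looks_like_browser_session(peers, "unknown.level3.net"))
```

Run it as a script to see the breakdown of the sample; to use it on real data, pipe the output of `netstat -an` (or `netstat -a`, since service names are resolved) into `summarize`. The one thing the port heuristic cannot tell you is whether an outbound connection was wanted; for that you need the process owner, which tcpview shows and plain netstat of that era does not.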

