[Dshield] Unknown.level3.net:80 attempted to attack my husband's pc

David Garfield garfield at irving.iisd.sra.com
Fri Aug 30 15:33:38 GMT 2002


L. R. writes:
 > In response to this post by Linda...
 > ---snip
 > Subject: [Dshield] Proof of hacker. What do I do?
 > Reply-To: list at dshield.org
 > 
 > TCP d2f2t6:nbsession d2f2t6:0 LISTENING
 > TCP d2f2t6:2068 d2f2t6:0 LISTENING
 > TCP d2f2t6:2070 d2f2t6:0 LISTENING
 > TCP d2f2t6:2073 d2f2t6:0 LISTENING
 > TCP d2f2t6:2074 d2f2t6:0 LISTENING
 > TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
 > --snip

I am amazed at the number of people who look at this and say "it is
port 80, therefore it is an outgoing web request".

When I look up 4 lines, I see that there is apparently a server on
port 2068, which means the connection may in fact be INCOMING!

This could indicate a real hole!  This would typically be because of
sloppy configuration, allowing any connection with an external port of
80, instead of only allowing any outgoing connection with an external
port of 80.  In short, please examine in detail the rules for your
firewalls, paying particular attention to whether the rule applies to
new inbound connections, new outbound connections, any new
connections, established connections, or all connections.

--David Garfield
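
The check described in the post above, as an added example that is not part of the original message: it parses netstat-style output and flags any ESTABLISHED connection whose local port also appears as LISTENING, the case where a remote port of 80 alone does not settle the direction. The function names, the verdict labels and the port-2075 line are constructed for illustration.

```python
import re

# Constructed sample: the netstat lines quoted in the post, plus one
# extra connection (local port 2075, made up) with no matching listener.
SAMPLE = """\
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2075 www.example.com:80 ESTABLISHED
"""

# local host:port, remote host:port, state; tolerates "> " mail quoting.
ROW = re.compile(r"^[\s>]*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+([A-Z_]+)\s*$")

def parse_netstat(text):
    """Return (local_port, remote_host, remote_port, state) per TCP line."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _lhost, lport, rhost, rport, state = m.groups()
            rows.append((lport, rhost, rport, state))
    return rows

def review_established(text):
    """Label each ESTABLISHED connection by whether its local port also
    has a LISTENING socket, i.e. whether it could have been accepted."""
    rows = parse_netstat(text)
    listening = {lport for lport, _, _, state in rows if state == "LISTENING"}
    findings = []
    for lport, rhost, rport, state in rows:
        if state != "ESTABLISHED":
            continue
        verdict = ("possibly-inbound" if lport in listening
                   else "no-local-listener")
        findings.append((lport, f"{rhost}:{rport}", verdict))
    return findings

if __name__ == "__main__":
    for lport, remote, verdict in review_established(SAMPLE):
        print(f"local {lport:>6} <-> {remote:<24} {verdict}")
```

A "possibly-inbound" result is a prompt to check which process owns the listening port and which firewall rule admitted the connection, not a verdict on its own.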