portland independent media center  
images audio video
newswire article commentary global

corporate dominance | education | government

Unknown.level3.net is at it again. These two are not part of Yahoo!

Level3.net, the backbone of our internet service is a open door for those who want to disrupt internet service to anyone seeking truthful information about current breaking news from around the World or locally.
Proof is in the pudding folks. You have to go through them to get to any site on the web. This is the reality of being connected to any Internet Service Provider who uses Level3.net for connecting to the World Wide Web.

If you are using software developed here chances are there are backdoors to let prying eyes look into your private affairs, data stored on your hard drive, letters you may have written to loved one's. Correspondence to associates concerning buniness deals and the like, can be retrieved without your consent or knowledge when you connect to the web and going through "level3.net."

I spend my time collecting information from news sources and archiving them as a record of todays news from around the World. One very important bit of gathering news stories is that some are pulled from the web and you can not retrieve them in the future for reference in attempting to make a state about what really happened, since there is a strong movement to attempt to rewrite history and the only proof you have is no longer available to counter this activity.

Try finding any Pictures of war casualties or images showing the death and destruction coming out of Iraq?
try the following links 24.Nov.2003 11:53

I agree but

I agree but try following links: 24.Nov.2003 11:54

another no body

proxy servers and yahoo.com 24.Nov.2003 12:10


I think you are saying is that when you access yahoo.com you get a log entry of two http connections to unknown.level3.net? If so I think what you are seeing is a web cache similar to those used by www.akamai.com to store local copies of the images for common websites at various locations around the web for faster "content" delivery. I used to visit sites like cnn.com and see http requests to various akamai.com addresses in my logs. After some researchng I found out that akamai had a web cache server co-located with our local ISP. The idea behind this is that when you pull up the website cnn.com or yahoo.com you pull the images from the local webcache at your ISP for faster delivery of the web page and don't have to pull the images from the web (you still pull the html from yahoo.com) akamai actually sells this service to web sites. What you may have found is a similar web cache used by level3. But as a cisco certified network engineer I can tell you that seeing this behavioir in logs is not uncommon or an indication of anything sinister. If you could log the actually http requests with a sniffer on your end you should see the actual "get" requests going to the web cache. I think if you checked those you'd find that you are just being redirected for faster loading of yahoo.com images.

Everyone reading indymedia should know that email is not secure witt out something like PGP and all web surfing traffic can be logged at various points across the net.

also 24.Nov.2003 13:50


About the whole "stories getting pulled" thing; maybe some stories do get pulled, but the vast majority are simply not free to view after a certain point of time. This is because news websites cannot afford to become searchable archives because of restrictions on bandwidth and processing power. The New York Times, for example, would be swamped with HTML requests if they were to suddenly allow everyone in the world to search their archives without charge. It would be like a huge, unintentional DDoS attack.

No pictures only numbers 24.Nov.2003 19:04


It's true, just try to find the visuals to go with the numbers. Someone's keeping them away from our tender eyes.

Proxy servers and yahoo, jbk as you state? 27.Nov.2003 20:21

Unknown internet user

So! If I were to beleive these are web caches, I'd be a fool for even thinking these are indeed web caches. Far from it; I beleive that these ip addresses are john ashcroft's front door to anyone's computer to obtain what information you might have stored on your hard drive. If you want to connect to the web you have to go through level3.net. If you think I am not giving you the truth, try logging on and do a search using the following to find out if your ISP goes through level3.net from this site, tracing this IP address "" at:  http://www.samspade.org

Why you might think I make this statement about level3.net? Just take a long and hard look at the images. Notice that my firewall put up a stop on incoming traffic from level3.net for attempting to gain access to protected files on my hard drive: "level3.gif" or when I attempted to get my e-mail: "level3.net.gif"

These are not web caches folks, these are real people out there getting into your computer by way of level3.net.

There will always be chicken littles out there 15.Dec.2003 11:17


"THE SKY IS FALLING!" No, actually it's not. But there will always be paranoid chicken littles out there. Basically, these people are not stupid, just ignorant. They don't totally understand how something works, but they THINK they do. And this along with their paranoid personality allows them to make conclusions that are not based on fact at all. Level 3 is not hacking your computer, you just don't understand what you're seeing. The government is not deleting pictures of war causalities. The truth is that pictures of dismembered people are not something that 99.9% of people out there really want to see. Many hosts don't want pictures like that on their servers either. So, for the majority of cases, hosts removed pictures because it was considered vulgar. Try hosting pictures of dismembered people from car accidents on a free geocities host and see if gets deleted if it gets any kind of traffic to bring it to their attention. Actually, try to find pictures of dismembered people from car accidents on the web. It's probably about as hard as finding Iraq war pictures because "news flash" people really don't want to see that kind of stuff.

If you really want to see vulgar pictures of dismembered people, try looking at a site that does that kind of thing, like  http://www.rotten.com/ or other sources that love to post the stuff most people don't want to see.

You confuse your ability to search for things on the web with a conspiracy theory. I took about 2 minutes and found these dead bodies in Iraq for your viewing pleasure. I'm sure this won't change your mind because that's the thing about chicken little conspiracy theorists, they don't believe facts.

 link to www.rotten.com

If I spent an hour I could give you hundreds of pictures. But, it's not really my job to show you how poorly your searching skills are nor is it my job to be your mental therapist and help you with your paranoid delusions based upon ignorance.

Get a life and worry about yourself rather than others.


Outbound contact to the unknown 15.Jan.2004 16:23


Well as far fetched as somethings may be and folks 'not' understanding what is happening I believe links to unknown.Level3.net is something to be wary of. WHY??? Because during the day prior to blocking ANY and ALL inbound and outbound access to unknown.Level3.net when NO ONE was logged on to any of our computers they would OUTBOUND connect to unknown.Level3.net at 2:52PM EST via various ports not just http (80). Now why in the heck would my computers be connecting to others if they are 'ad' or 'caching' servers when no one was on the computers? I would call this questionable... And I did. All my boxes have now got defined rules to block in/out, any/all, from/to unknown.Level3.net. Problem solved here. Is yours? Cause if you are seeing unknown.Level3.net do this check. Close everything and do a netstat in the cli. You may be surprized to find your machine is connected to an unknown.Level3.net machine more than once. Even when you are not running anything that should be.

UknownLevel3.net is at it again. 22.Jan.2004 09:06


I'm not too sure about not being able to find pictures of death and disaster coming out of Iraq...but we have plenty of that in our own homeland on a daily basis...but on to my next statement about unknown.Level3.net. I noticed that everytime I logged on to internet there would be a message...detecting proxy connection..which I don't have.
Using Netstat device, I noticed several things: Before logging on, it showed 0 connectons, 1 open port(58581) and 1 Interface(My Computer Name). After I simply clicked on IE6, it detected 2 interfaces, the 2nd one being my ISP provider, but the IP address was not mine. It than showed 46 open ports and 20 established connections, all of which 10 were unknown.Level3.net, and it showed many other ports open waiting for connection.
I am not well versed in computers, but know that there shouldn't be that many connections when 1st logging on.
Does anyone have any suggestions or info about unknownLevel3.net?

I think I know who unknownlevel3 is! Care to help me prove it? 16.Apr.2005 08:54


I can tie unknowlevel3.net back to a company. Post your comment and I'll check this site again, I had no idea they were the cause of so much trouble. I need to know who do I send my information to other than legal?

unknown.Level3.net 09.Oct.2005 13:55

mr. Joe

all i know folks is that when this address pops up in my firewall my connection speed shots down to a mere 19600bps. why?? I don't know but it could mean a hack of some kind or maybe an upload. who knows?? but somthing is happening because when i disconnect and dial-up again it goes away.

unknown.Level3.net - svchost.exe 23.Aug.2006 09:08

Dan Pope dan (at) cytrus.net

Regardless of level3's presence as a webcache proxy, etc - I noticed network traffic earlier today, when I knew there should be none (this machine is my test server - I use it for all my development work). Wondering what the traffic was, I checked in TCPView (same as 'Netstat -a' from commandline) and got this:

svchost.exe:1988 TCP server4:3918 unknown.level3.net:http ESTABLISHED

There was traffic streaming so I immediately closed the connection and then added level3.net to my hosts file, pointing at localhost, then 'repaired' the connection (from network dialog box) so that the DNS would get flushed.

This is what anyone should do if they see this behaviour on their machine. It will prevent you from ever getting any outbound traffic to them again.

Note - the traffic was coming from svchost.exe, NOT iexplore.exe. There is no legitimate reason (on this machine anyway) that any services running would have accessed a webcache. Moreover, my ISP (in the UK) does not use level3.net. Thus I can only assume there was a malevolent program sending data to level3.net without my authorisation.

Unfortunately, you can't just 'kill' svchost. It is a short name meaning 'service host' - and it does exactly that - it is a part of windows that provides an environment for services to run on the machine. Usually there will be 5 or 6 instances of svchost running at once, each of which is hosting a different service. If you kill them, you will be shutting down essential services that windows needs to function. If you are really unlucky, you will kill the one hosting the RPCSS service, which will cause XP to force a shutdown, and you'll lose your work, etc. So don't do it!

However, if I had been quick-thinking enough, I would have captured the network traffic to see exactly what it actually contained, before closing the connection.

I am somewhat concerned that I may have an evil hidden network service on this machine. There is absolutely nothing in XP to stop viruses/spyware/adware installing itself as a network service, and thus not appearing as a running process in Task Manager. Services can also prevent themselves appearing in the list of services when you issue 'Net start' from the command line. Windows really is a hateful operating system - no two ways about it. Much as I prefer Linux, as is the case for so many people, the nature of my work means I have to use Windows. I can't stand it.

unknown.Level3.net - svchost.exe 18.Jan.2007 14:23



it might be some type of anti-virus, or anti-spyware program. Trendmicro uses akamai.com which is also a cacheing service. this doesn't mean that they aren't watching what you are doing. I've noticed that when a trendmicro update occurs there are more packets sent than received, sometimes as much as 10:1 ! I think they are just wanting to know where you go - they know who you are. This information can and will probably be used against you.

There is no privacy online - only the professional spammers, hackers, and the internet cabal (internet backbone admins), can freely cruise around anonymously. You can get something like anonymizer.com, but I can tell you they're not anonymous and are monitored, if you are being monitored.

If you think I'm paranoid -
if I told you a few years ago that the fbi could listen to you through certain cell phones, even when the cell phone is turned off - would you call me paranoid? Look it up:  http://blogs.abcnews.com/theblotter/2006/12/can_you_hear_me.html

watching the tundra

I watched 'the inconvenient truth' and was happy to see that there are things we can do to stop global warming - the only real problem is convincing stupid people who still want to use oil, not to mention those that will loose their power when if we lose our desire for oil.

got it on my TCPView while updating Windows 17.Feb.2007 07:10

Alex Faber rzvvts@gmail.com

Just in case it might help you people figure this one out (i for one would like to get a better grasp on the matter). I was turning the Windows automatic updates on the other day and felt curious who was at the other end of the svchost connections so i ran the ip on  http://aruljohn.com/track.pl and there it was : unknown.Level3.net. Endastory .