portland independent media center  

corporate dominance | education | technology

What ya goin' to do when you find level3.net snooping around in your computer!

There have been a few times when this and the other resolver server attempted to add and/or delete files from my computer. These creeps at level3.net may be peering into your personal computer since you have to go through them to anywhere on the net here in the Northwest.
You may be thinking, maybe I don't know what I am talking about here? Guess again Folks! If you are on the internet you have to go through level3.net if you live here in the Northwest. The two servers are: "209.244.0.3 and 209.244.0.4"

209.244.0.3

Whois has started ...


OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

NetRange: 209.244.0.0 - 209.247.255.255
CIDR: 209.244.0.0/14
NetName: LEVEL3-CIDR
NetHandle: NET-209-244-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LEVEL3.NET
NameServer: NS2.LEVEL3.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-05-22
Updated: 2001-05-30

TechHandle: LC-ORG-ARIN
TechName: level Communications
TechPhone: +1-877-453-8353
TechEmail:  ipaddressing@level3.com

OrgAbuseHandle: APL8-ARIN
OrgAbuseName: Abuse POC LVLT
OrgAbusePhone: +1-877-453-8353
OrgAbuseEmail:  abuse@level3.com

OrgTechHandle: TPL1-ARIN
OrgTechName: Tech POC LVLT
OrgTechPhone: +1-877-453-8353
OrgTechEmail:  ipaddressing@level3.com

OrgTechHandle: ARINC4-ARIN
OrgTechName: ARIN Contact
OrgTechPhone: +1-800-436-8489
OrgTechEmail:  arin-contact@genuity.com

# ARIN WHOIS database, last updated 2004-12-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

hmm 11.Dec.2004 17:17

a user

What is your proof that it tried to "add or delete" files from your computer? Level 3 is one of the larger backbone providers.

Kindly support your conclusion with relevant data 11.Dec.2004 17:20

Skeptic

What is the basis for concluding that this server was attempting to add or delete files on your computer? All you've presented is a firewall log indicating that you received packets from that IP.

The former does not necessarily follow from the latter. In fact, since your post doesn't show the incoming port numbers, it's impossible even to guess at what these connections were about, much less to support a contention that anyone was trying to "mess around" with your computer.

These links:

 http://www.samspade.org/d/persfire.html
 http://www.samspade.org/d/firewalls.html

may prove informative. I'd also recommend a good look round at  http://www.grc.com . Read the Shields Up pages.

BTW, the vast, vast majority of unsolicited packets are coming either from misconfigured routers and servers, cracker-wannabees running port scanners, spammers looking for compromised boxes to use as relays for spam or from computers suffering from a network-aware worm infection. It's just as well to block all that shit, but there's no point in going "eek! eek! The evil PTB are trying to tap my computer!" without any evidence that directly supports that conclusion.

no one in particular 11.Dec.2004 17:29

noone@example.com

Uh, you don't know what you're talking about. Their nameserver tried to connect to a DNS server on your computer on port 53 (the "domain" port). Why? It's not clear. Perhaps someone has incorrectly listed your IP address as a nameserver for some domain.

But connecting to port 53 would not be a very effective way to "add and/or delete files from my computer", since the domain port doesn't have anything to do with adding and/or deleting files.

It's good to use strong firewall software like this, but if you don't know what you're talking about, it's pretty dangerous to start ascribing malicious intent to people just because of some misguided connection attempts.

Here's the proof 12.Dec.2004 22:41

Internet user from the northwest

You asked for proof about this and here it is. Both servers tried to gain access to protected areas on my hard drive!

Like I stated, if you are on the net anywhere from the northwest you have to go through them to get there! That is the only way you can go online, you can not get around these servers.

Granted, the dates show them snooping around and attempting to get into areas on my hard drive and were placed in the stop list by my firewall application not myself.

Take care and try to protect yourself as much as possible.

interesting 13.Dec.2004 11:13

well...

It says "outgoing" data there. Usually on a firewall that means something already on your pc (Spyware/virus) is attempting outbound communication, right?

Ignorant 13.Dec.2004 13:40

Expert

WTF is this?

Maybe you could indicate what this was a screenshot *of*. Like what program is popping that dialog up. That might help.

If it's like Zonealarm, you're freaking out over DNS queries from the resolver library called by some app on your machine to the suspiciously named host: resolver1.level3.net

Go look at /etc/resolv.conf, I bet they "hacked" your machine and put those IPs in there too.

It looks like you're running OSX. It's based on BSD, and doesn't have all the bloaty RPC and Filesharing crap turned on by default like MS Windows, and it certainly doesn't run a DNS server out of the box.

In the meantime, more paranoid tinfoil-hat ranting from IMC. Whoop-de-doo.

OH GNO SUM1 EEZ HAXORING MEEE BY FORCING ME TO LOOK UP IP ADDRUZZEZZ USING THAR DNS SERV0RZ!@$(@!$(831$)(*&#@

EYE MUST REB00T TO SAV TEH INTERNETS@#*&$!

Subverted support 13.Dec.2004 16:22

Skeptic

The IPs 209.244.0.3 and 209.244.0.4 resolve to resolver1.level3.net and resolver2.level3.net respectively. That's an important clue- a resolver is software that queries a DNS server to resolve a domain name to an IP. A client, like your computer, needs only resolver capabilities; a nameserver usually needs to function both as server and as resolver, for obtaining NS information that it doesn't have locally from another nameserver.

Both of these servers appear to be part of Level 3's name service system- at least they both respond to nslookup and dig queries. The corresponding nameservers appear to be ns1.level3.net and ns2.level3.net at 209.244.0.1 and 209.244.0.2 respectively; these also respond to a dig query, but with more information.

As was pointed out above, the firewall log entries you posted appear to reflect an incoming DNS query.

So, what we have here is completely consistent with DNS requests being sent from Level 3's name service system. While it's a bit of a mystery why your IP would be associated with a nameserver, (although this sort of thing isn't terribly rare) this doesn't provide any direct support for the contention that Level 3 was trying to muck about with your computer.

The "tried to retrieve protected data" is probably a canned message that your firewall throws up in response to any incoming query message, such as a NETBIOS NAME Request or a DNS query. As samspade.org points out, it's in the interest of the firewall vendor to throw up lots of alerts and to couch them in the most alarming terms possible. That's part of the game of salesmanship.

Sorry, but not only does your evidence not support your conclusion, but it actually supports a very different one.

Unfortunately, that's still not enough information to draw a conclusion 13.Dec.2004 23:30

Skeptic

As was pointed out above, the firewall log screenshots seem to indicate that these incoming connections were directed to a port which is normally used for DNS requests. Unfortunately, your screenshots don't indicate what the source and destination ports were, which would make clear whether the message was a DNS reply, a DNS query or some other sort of message altogether.

The firewall alert suggests that it was a query, since any request for information, like a DNS or NETBIOS NAME query, would be seen as trying to retrieve data. The fact that the RDNS of those two IPs has "resolver" in the hostname also suggests a query, since a resolver is software that requests a translation of a URL to an IP address from a nameserver. Most nameservers have resolver capabilities, since they have to query other nameservers to obtain information that they don't happen to have locally.

The firewall alert is probably a generic message that is thrown up in response to any incoming query of any type.

An apparent DNS query coming from boxes that are clearly part of Level 3's name service system (they both respond to nslookup and dig requests) might be a bit mysterious, but it doesn't on its face constitute proof of anything nefarious going on. There have apparently been worms that use port 53 to try to propagate themselves, but one wouldn't expect to see that coming from a major backbone provider's nameservers unless those boxes happened to be infected.

The contention that Level 3 is trying to fuck with your computer simply doesn't find any direct support in what's been posted here. That doesn't necessarily mean that you're wrong- it's possible to arrive at a correct conclusion for the wrong reasons- but it does mean that you're jumping to a conclusion without sufficient support.
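The two Skeptic posts above boil down to one check the screenshots could not support: with the source and destination ports and the packet payload in hand, you can tell a DNS query (QR bit clear, arriving at port 53) from a DNS reply (QR bit set, leaving from port 53). The following is an added example, not code from anyone in this thread; the packets it parses are constructed inline, and the Level 3 addresses come from the posts above.

```python
import struct

# Reverse-DNS facts stated in the thread, kept as an offline table so no lookup is needed.
KNOWN_RESOLVERS = {"209.244.0.3": "resolver1.level3.net", "209.244.0.4": "resolver2.level3.net"}

def _labels(qname):
    # Encode "example.com" as \x07example\x03com\x00 (DNS wire format).
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split(".")) + b"\x00"

def build_query(qname, txid=0x1234):
    # Constructed sample: what a recursive resolver sends, flags 0x0100 = RD set, QR clear.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _labels(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def build_reply(qname, txid=0x1234):
    # Constructed sample reply: flags 0x8180 = QR set, RD+RA; one A record (TEST-NET address).
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + _labels(qname) + struct.pack("!HH", 1, 1) + answer

def parse_qname(payload, offset=12):
    # Walk the question-section labels; returns (name, offset just past the terminator).
    parts = []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(parts), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        parts.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def classify_dns_packet(src_ip, src_port, dst_port, payload):
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    kind = "response" if flags & 0x8000 else "query"   # QR bit
    opcode = (flags >> 11) & 0xF                        # 0 = standard query
    qname, off = parse_qname(payload) if qdcount else ("", 12)
    qtype = struct.unpack("!H", payload[off:off + 2])[0] if qdcount else None
    # The port-level check missing from the screenshots: a query is addressed *to* 53,
    # a reply comes *from* 53. A header that disagrees with the ports is worth a second look.
    ports_say = "query" if dst_port == 53 else "response" if src_port == 53 else "unknown"
    return {"kind": kind, "opcode": opcode, "qname": qname, "qtype": qtype,
            "answers": ancount, "ports_consistent": ports_say == kind,
            "source": KNOWN_RESOLVERS.get(src_ip, "unknown host")}
```

Run against a real capture, a query for a name you are not authoritative for, coming from a known resolver to your port 53, is the "someone listed your IP as a nameserver" case discussed above rather than an attempt to touch files.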

Name server is attacking you? 17.Dec.2004 17:06

Just another Geek quartz001@hotmail.com

I would like to ask what YOU were doing when you got this alert? Were you surfing or emailing? You don't say whom you go through for an ISP. Or if your ISP uses Level 3 name servers, this alert could have come from you emailing someone, who happens to have reverse DNS on all incoming mail to make sure you're not a spammer (it doesn't state that you have a grudge against this provider because you have been warned about unacceptable use policies being broken?)

A good question for you and all, is what do you have on your PC that a large company would need? Unless you're paranoid against big brother (doesn't mean he isn't out to get you), or you're a Freaking Genius with all sorts of plans for Cool gadgets stashed away on your hard-drive I don't think they really care what you're doing... Unless it's illegal activity, now you might have something to worry about. Have you been sending threatening hate emails to people? You into the weird stuff sexually? (Come on give us the dirt) don't just say that a Company is after you, show proof. DNS servers aren't your enemy, you need them, and outgoing data says you're making the request, not THEM. I don't know about you but I don't know all the IPs of all my favorite sites. Keep up the conspiracy theory, maybe you will get someone else besides you to believe it... but if I were you I'd come up with some supporting facts first (But don't forget to wear the tinfoil on your head while thinking of this or they might read your mind and know what you're up to!) In reality I would worry more about software providers than internet providers, because you're installing anything they write onto your system, and giving them full control of your PC. I don't see you ranting about how intel turned on chip serial # tracking or all sites have cookies (talk about someone tracking you or snooping around your PC). There is more to life than worrying about a large company, worry about Mr. Wizard hacking your box and collecting enough info about you to consider Identity theft. I worry more about who I don't see than who I do, take it from the Navy Seals if you're seen --- mission over.

In closing "get a life outside your head" it might even be real!

I do know what I am writing about here. 18.Dec.2004 21:51

internet user from the northwest

If collecting the news from around the world is a crime? I guess I'm guilty. I don't e-mail, I don't surf through pron sites or anything else. I just gather the news of the day and archive it. What I do know about DNS requests is this: they are running in the background and do not show up in firewall logs. I have logs that show this type of activity, which is different than the one I used here!

You can't sneak in and not be found out, because either you use a keyboard or spoken word, which translates into 1's and 0's for any computer to respond to commands and can be found.

"I worry more about who I don't see than who I do, take it from the Navy Seals if you're seen --- mission over." I see different entries from my firewall log than meets the eye. I won't go into what type of computer nor will I give out the name of the software in question but rest assured folks, this did happen once, but not again.

As far as the screenshots I posted, the protected area was my browser cache. They were after the images I use once in a while to make a statement when writing to congressional members of congress, or local law enforcement. I don't waste my time surfing through pron sites, nor do I send out hate e-mails either. I don't do anything but gather news of the day and archive it to disk.