Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: norton firewall claims I have outgoing attacks

  1. #1
    Junior Member
    Join Date
    Mar 2005

    Post norton firewall claims I have outgoing attacks

    So, I was watching films on atomfilms, and my norton firewall kept coming up with "http_activePerl_overflow. Well, as this continued, I began to think maybe something was up so I jumped into norton and began fishing around with its logs and settings...(I am very new to net security).....

    Anyway, the attacks were originating with my computer, the localhost process, on several different ports (3189, 3177, 3157, etc) against a series of ip addresses all labeled a.as-us.falkag.net, which, as far as I can tell from trying to check and see who it is (which I don't know how to do) appears to be some kind of ad agency (AdSolution), which appears to run some kind of ad software...

    So, basically, I guess I'm asking if as script in an ad on a web page could make norton firewall react like that, and if so, should I be worried about it, or just chalk it up to them being, well, dicks?


    (btw, any info about how to get started learning to do forensics/info gathering on attackers, or ways to make people stop attacking you would also be appreciated)

  2. #2
    Senior Member
    Join Date
    May 2003
    scan your computer for viruses and for adware. alotof the time its stupid little pieces of malware that cause these things to pop up.
    Everyone is going to die, I am just as good of a reason as any.


  3. #3
    Junior Member
    Join Date
    Mar 2005
    Sorry, forgot to mention that. I actually came up totally clean, whicih is miraculous. Ad-aware, spybot, and norton.

  4. #4
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest
    scan your computer for viruses and for adware
    In safe mode. Some of the vermin hide very well!

    Connection refused, try again later.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    I don't think that your machine is "attacking" anyone as such, as this is typical behaviour of adware/spyware phoning home.

    I also do not believe that your AV or antispyware tools will detect anything as Falk AG is a legitimate German company...............

    So, basically, I guess I'm asking if as script in an ad on a web page could make norton firewall react like that, and if so, should I be worried about it, or just chalk it up to them being, well, dicks?
    Yes, yes and yes Falk serve up banner ads ajust like mxjads, or whatever they call themselves that do it for AO. Falk have someone who has got it in for them and have been compromised on more than one occasion.

    I read a publication called "The Register"...............they suspended Falk not so long ago because they were serving infected banner ads................someone had hacked their site and poisoned them.

    Start your spybot in "advanced" mode and use the tools to check out cookies, hosts file, browser helper objects.

    You might also try WinPatrol from BillP Studios, and use its tools to confirm what is on your machine.

    Good luck

  6. #6
    Join Date
    Aug 2004

    Here is the information on the attack you specified by Norton (symantec)

    I am just adding to what nihil said apart from advertisement and banner add's even if you visit a WAREZ site (a web-site which lets you download cracks and serials for your software) have such attacks scripts on their web pages.

    A specific example I can give you is a warez site where you get free serials to unlock your software. One of my clients called me up almost every two days saying his machine was infected and he had not installed any new software or even downloaded from any web-site. But he never told me that he visited this warez, site everyday after i would clean his computer of malware. And download serial for a software. He used IE and this site had a way to start Java and install a porn toolbar and eventually trojan's which then infected his machine. He did not have an antivirus on his system (he said he didnt need one and would not like to pay for one).

    So the moral of the story is,
    1. Have an updated anti-virus and scan your system everday if possible or atleast every alternate day
    2. Have a properly configured Firewall. Check the log's for suspecious activity and add attacking IP's to restricted zone. In norton firewall you can add the IP to restricted zone by adding it to Non trusted zone
    4. scan you sytem online at site's like Housecall (http://housecall.trendmicro.com) once a week
    5. scan your system with spyware removal software's like Ad-Aware or spy.bot
    7. use a power-user account or limited accoount for surfind the internet.

    and in the end if you want SWITCH TO FIREFOX.

    hope this help's

    Also a good software to collect information about your attacker is Sam Spade. get it from http://www.samspade.org/ssw/download.html
    Parth Maniar,

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  7. #7
    Junior Member
    Join Date
    Apr 2005

    As I had some experience with a lot of a products based on security I can recommend this, here it is what I used.

    First of all install a fresh copy of the Microsoft Windows - this is what I use and I recommend especially for windows users. After installing your Windows OS, go and and update immediatelly from www.microsoft.com and check the Windows Update section. Update your system.

    After doing this, by having your windows machine updated install those 2 programs :
    I use kaspersky antivirus and kaspersky anti-hacker ( anti-hacker is a firewall ), I keep my antivirus updated on 3 hours. Also after installing it is wise to do a full scan virus check on your computer, also the anti-hacker firewall which is very simple to use will notice you for every attack encountered and every attempt of every application to use the internet. Also it is very good to use another security tool like I use Ad-aware Personal which is freeware for personal purpose and you can update it daily.

    With these 3 security tools and your Windows system updated you can have a decent protection, but if you want to be sure 99.9 % you can add to my security formula the following thing. Create a VPN account and connect through him when you want to browse the internet, look here for more info www.findnot.com

    Connecting through a 128 Bit Encrypted Connection and with those 3 security tools can get you a lot of privacy and security.

    Also there are more TIPS and TRICKS in the settings of the Microsoft Windows XP OS like I use...but I think I will write an more detailed security tutorial. Please contact me if you need additional information regarding this security issue.

  8. #8
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Starting with a clean freshly installed system is often a good thing BUT...

    You have to get a firewall on the machine BEFORE you go on line. If you do a fresh install and then go online to get your updates you will be nailed before you can download anything.

    Before you reformat get a copy of a firewall (something free like Zonealarm will do fine) put it on a CD. Reinstall your OS and get that on first before you install anything else. THEN go online and get your updates.

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    Is there a way to verify the exact rule that triggers this alert? It could just be a false positive.
    If you cannot check the rule, the only other option is to run a sniffer and monitor this traffic.

    Buffer overflow in PerlIS.dll in Activestate ActivePerl and earlier allows remote attackers to exute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.
    Source: http://www.cve.mitre.org/cgi-bin/cve...name=2001-0815
    So if you don't see any outgoing/incoming requests that look like this we can safely conclude it's a false positive.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Dec 2004
    These may be two unrelated things. The firewall log sounds like you have adware / spyware on your computer and it is tryng to update it's ads so you can have the most relevant anoyances.

    Buffer overflow in PerlIS.dll in Activestate ActivePerl and earlier allows remote attackers to exute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.
    Source: http://www.cve.mitre.org/cgi-bin/cv...?name=2001-0815
    Are you running a server ? Do you have Active perl ?
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts