
Thread: norton firewall claims I have outgoing attacks

  1. #1
    Junior Member
    Join Date
    Mar 2005
    Posts
    2

    Post norton firewall claims I have outgoing attacks

    So, I was watching films on atomfilms, and my Norton firewall kept coming up with "http_activePerl_overflow". Well, as this continued, I began to think maybe something was up, so I jumped into Norton and began fishing around with its logs and settings... (I am very new to net security)...

    Anyway, the attacks were originating with my computer, the localhost process, on several different ports (3189, 3177, 3157, etc.) against a series of IP addresses all labeled a.as-us.falkag.net, which, as far as I can tell from trying to check and see who it is (which I don't know how to do), appears to be some kind of ad agency (AdSolution), which appears to run some kind of ad software...

    So, basically, I guess I'm asking if a script in an ad on a web page could make Norton firewall react like that, and if so, should I be worried about it, or just chalk it up to them being, well, dicks?

    Cheers!

    (btw, any info about how to get started learning to do forensics/info gathering on attackers, or ways to make people stop attacking you would also be appreciated)

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Scan your computer for viruses and for adware. A lot of the time it's stupid little pieces of malware that cause these things to pop up.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Junior Member
    Join Date
    Mar 2005
    Posts
    2
    Sorry, forgot to mention that. I actually came up totally clean, which is miraculous. Ad-Aware, Spybot, and Norton.

  4. #4
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    scan your computer for viruses and for adware
    In safe mode. Some of the vermin hide very well!

    cheers
    Connection refused, try again later.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well,

    I don't think that your machine is "attacking" anyone as such, as this is typical behaviour of adware/spyware phoning home.

    I also do not believe that your AV or antispyware tools will detect anything, as Falk AG is a legitimate German company...

    So, basically, I guess I'm asking if a script in an ad on a web page could make Norton firewall react like that, and if so, should I be worried about it, or just chalk it up to them being, well, dicks?
    Yes, yes and yes. Falk serve up banner ads just like mxjads, or whatever they call themselves, that do it for AO. Falk have someone who has got it in for them and have been compromised on more than one occasion.

    I read a publication called "The Register"... they suspended Falk not so long ago because they were serving infected banner ads... someone had hacked their site and poisoned them.

    Start your spybot in "advanced" mode and use the tools to check out cookies, hosts file, browser helper objects.

    You might also try WinPatrol from BillP Studios, and use its tools to confirm what is on your machine.

    Good luck

  6. #6
    Greetings,

    Here is the information on the attack you specified, from Norton (Symantec):
    http://securityresponse.symantec.com..._overflow.html

    I am just adding to what nihil said: apart from advertisements and banner ads, even if you visit a WAREZ site (a web-site which lets you download cracks and serials for your software), they have such attack scripts on their web pages.

    A specific example I can give you is a warez site where you get free serials to unlock your software. One of my clients called me up almost every two days saying his machine was infected and he had not installed any new software or even downloaded from any web-site. But he never told me that he visited this warez site every day after I would clean his computer of malware, and downloaded serials for software. He used IE, and this site had a way to start Java and install a porn toolbar and eventually trojans, which then infected his machine. He did not have an antivirus on his system (he said he didn't need one and would not like to pay for one).

    So the moral of the story is:
    1. Have an updated anti-virus and scan your system every day if possible, or at least every alternate day.
    2. Have a properly configured firewall. Check the logs for suspicious activity and add attacking IPs to the restricted zone. In Norton firewall you can add the IP to the restricted zone by adding it to the Non-trusted zone.
    3. KEEP YOUR SYSTEM UPDATED, AND ALL THE SOFTWARE INSTALLED ON IT.
    4. Scan your system online at sites like Housecall (http://housecall.trendmicro.com) once a week.
    5. Scan your system with spyware removal software like Ad-Aware or Spybot.
    6. DON'T VISIT WAREZ SITES.
    7. Use a power-user account or limited account for surfing the internet.

    And in the end, if you want, SWITCH TO FIREFOX.

    Hope this helps.


    Also, a good software to collect information about your attacker is Sam Spade. Get it from http://www.samspade.org/ssw/download.html
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  7. #7
    Junior Member
    Join Date
    Apr 2005
    Posts
    8
    Hi,

    As I have had some experience with a lot of security products, I can recommend this; here is what I used.

    First of all, install a fresh copy of Microsoft Windows - this is what I use and I recommend it especially for Windows users. After installing your Windows OS, go and update immediately from www.microsoft.com and check the Windows Update section. Update your system.

    After doing this, having your Windows machine updated, install those 2 programs:
    I use Kaspersky Antivirus and Kaspersky Anti-Hacker (Anti-Hacker is a firewall). I keep my antivirus updated every 3 hours. Also, after installing it, it is wise to do a full virus scan on your computer; also, the Anti-Hacker firewall, which is very simple to use, will notify you of every attack encountered and every attempt of every application to use the internet. Also it is very good to use another security tool; I use Ad-Aware Personal, which is freeware for personal purposes and you can update it daily.

    With these 3 security tools and your Windows system updated you can have decent protection, but if you want to be 99.9 % sure you can add the following thing to my security formula: create a VPN account and connect through it when you want to browse the internet. Look here for more info: www.findnot.com

    Connecting through a 128-bit encrypted connection, and with those 3 security tools, can get you a lot of privacy and security.

    Also there are more TIPS and TRICKS in the settings of the Microsoft Windows XP OS like I use... but I think I will write a more detailed security tutorial. Please contact me if you need additional information regarding this security issue.

  8. #8
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Starting with a clean freshly installed system is often a good thing BUT...

    You have to get a firewall on the machine BEFORE you go online. If you do a fresh install and then go online to get your updates, you will be nailed before you can download anything.

    Before you reformat, get a copy of a firewall (something free like ZoneAlarm will do fine) and put it on a CD. Reinstall your OS and get that on first, before you install anything else. THEN go online and get your updates.

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Is there a way to verify the exact rule that triggers this alert? It could just be a false positive.
    If you cannot check the rule, the only other option is to run a sniffer and monitor this traffic.

    Buffer overflow in PerlIS.dll in ActiveState ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.
    Source: http://www.cve.mitre.org/cgi-bin/cve...name=2001-0815
    So if you don't see any outgoing/incoming requests that look like this we can safely conclude it's a false positive.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    These may be two unrelated things. The firewall log sounds like you have adware / spyware on your computer and it is trying to update its ads so you can have the most relevant annoyances.

    Buffer overflow in PerlIS.dll in ActiveState ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.
    Source: http://www.cve.mitre.org/cgi-bin/cv...?name=2001-0815
    Are you running a server? Do you have ActivePerl?
    The fool doth think he is wise, but the wise man knows himself to be a fool - Good Ole Bill Shakespeare
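Posts #9 and #10 both point at the same triage question: does the traffic actually match the CVE-2001-0815 pattern quoted above (an HTTP request for a long filename ending in .pl), or is the alert a false positive on ordinary ad traffic? The Python below is an added example written for this page; it is not code from the thread, from Symantec/Norton or from CVE/MITRE. It checks captured HTTP request lines against that pattern (the length threshold is an assumption, since the exact Norton rule is not on the page) and summarises constructed firewall log lines in a made-up CSV layout, so that a reader can see whether the "attacks" are really client connections from ephemeral source ports to port 80, which is what a browser or adware fetching banners looks like.

```python
"""Triage helper for a 'HTTP_ActivePerl_Overflow' style firewall alert.

Added example, not from the thread.  Two questions are answered:
  1. Does a captured HTTP request line match the CVE-2001-0815 pattern
     quoted in the thread (long filename ending in .pl)?
  2. Do the firewall log entries look like outbound client web traffic
     (ephemeral source port -> remote port 80/443) rather than an attack?
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# ASSUMPTION: the thread does not say how long "long" is in Norton's rule;
# 256 bytes is a placeholder threshold for this demo.
ASSUMED_LONG_FILENAME = 256

# Request-line grammar: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")

# Constructed log layout (not Norton's real format):
#   timestamp,src_host:src_port,dst_host:dst_port,proto,direction
LOG_LINE = re.compile(
    r"^(?P<ts>[^,]+),(?P<src>[^:,]+):(?P<sport>\d+),"
    r"(?P<dst>[^:,]+):(?P<dport>\d+),(?P<proto>[^,]+),(?P<dir>[^,]+)$"
)


def matches_activeperl_signature(request_line, threshold=ASSUMED_LONG_FILENAME):
    """True when the request asks for a filename >= threshold bytes ending in .pl."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return False
    # Strip any query string; the CVE text talks about the filename only.
    path = urlsplit(m.group("target")).path
    filename = path.rsplit("/", 1)[-1]
    return filename.lower().endswith(".pl") and len(filename) >= threshold


def summarize_outbound(log_lines):
    """Group outbound connections by destination host and judge their shape."""
    per_host = defaultdict(lambda: {"sports": set(), "dports": set(), "count": 0})
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group("dir") != "outbound":
            continue  # ignore malformed lines and inbound entries
        e = per_host[m.group("dst")]
        e["sports"].add(int(m.group("sport")))
        e["dports"].add(int(m.group("dport")))
        e["count"] += 1

    result = {}
    for host, e in per_host.items():
        ephemeral = all(p > 1023 for p in e["sports"])  # client-side ports
        web_only = e["dports"] <= {80, 443}
        result[host] = {
            "connections": e["count"],
            "source_ports_ephemeral": ephemeral,
            "dest_ports": sorted(e["dports"]),
            # A browser or adware fetching ads: random high source port -> 80/443.
            "looks_like_client_web_traffic": ephemeral and web_only,
        }
    return result


# Constructed sample log, using the source ports quoted in post #1.
SAMPLE_LOG = [
    "2005-03-12 21:14:03,localhost:3189,a.as-us.falkag.net:80,TCP,outbound",
    "2005-03-12 21:14:05,localhost:3177,a.as-us.falkag.net:80,TCP,outbound",
    "2005-03-12 21:14:09,localhost:3157,a.as-us.falkag.net:80,TCP,outbound",
    "2005-03-12 21:14:10,203.0.113.5:4444,localhost:135,TCP,inbound",
]

# Constructed request lines: an ordinary ad fetch, and one shaped like the CVE text.
SAMPLE_REQUESTS = [
    "GET /ad/banner.pl?id=42 HTTP/1.1",
    "GET /cgi-bin/" + "A" * 300 + ".pl HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req[:40]:40s} -> matches CVE pattern: "
              f"{matches_activeperl_signature(req)}")
    for host, info in summarize_outbound(SAMPLE_LOG).items():
        print(host, info)
```

If none of the sniffed request lines trip `matches_activeperl_signature`, and the log summary shows only ephemeral source ports going to port 80 on the ad host, the alert is consistent with post #9's false-positive reading and with nihil's "phoning home" reading rather than with the machine exploiting anyone.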
