norton firewall claims I have outgoing attacks

Printable View

March 31st, 2005, 01:41 AM
qkslvrwolf

norton firewall claims I have outgoing attacks

So, I was watching films on atomfilms, and my norton firewall kept coming up with "http_activePerl_overflow. Well, as this continued, I began to think maybe something was up so I jumped into norton and began fishing around with its logs and settings...(I am very new to net security).....

Anyway, the attacks were originating with my computer, the localhost process, on several different ports (3189, 3177, 3157, etc) against a series of ip addresses all labeled a.as-us.falkag.net, which, as far as I can tell from trying to check and see who it is (which I don't know how to do) appears to be some kind of ad agency (AdSolution), which appears to run some kind of ad software...

So, basically, I guess I'm asking if as script in an ad on a web page could make norton firewall react like that, and if so, should I be worried about it, or just chalk it up to them being, well, dicks?

Cheers!

(btw, any info about how to get started learning to do forensics/info gathering on attackers, or ways to make people stop attacking you would also be appreciated)
March 31st, 2005, 01:46 AM
XTC46

scan your computer for viruses and for adware. alotof the time its stupid little pieces of malware that cause these things to pop up.
March 31st, 2005, 03:35 AM
qkslvrwolf

Sorry, forgot to mention that. I actually came up totally clean, whicih is miraculous. Ad-aware, spybot, and norton.
March 31st, 2005, 03:46 AM
Relyt

Quote:

scan your computer for viruses and for adware

In safe mode. Some of the vermin hide very well!

cheers
March 31st, 2005, 09:36 AM
nihil

Well,

I don't think that your machine is "attacking" anyone as such, as this is typical behaviour of adware/spyware phoning home.

I also do not believe that your AV or antispyware tools will detect anything as Falk AG is a legitimate German company...............

Quote:

So, basically, I guess I'm asking if as script in an ad on a web page could make norton firewall react like that, and if so, should I be worried about it, or just chalk it up to them being, well, dicks?

Yes, yes and yes :D Falk serve up banner ads ajust like mxjads, or whatever they call themselves that do it for AO. Falk have someone who has got it in for them and have been compromised on more than one occasion.

I read a publication called "The Register"...............they suspended Falk not so long ago because they were serving infected banner ads................someone had hacked their site and poisoned them.

Start your spybot in "advanced" mode and use the tools to check out cookies, hosts file, browser helper objects.

You might also try WinPatrol from BillP Studios, and use its tools to confirm what is on your machine.

Good luck :)
March 31st, 2005, 01:23 PM
ByTeWrangler

greeting's

Here is the information on the attack you specified by Norton (symantec)
http://securityresponse.symantec.com..._overflow.html

I am just adding to what nihil said apart from advertisement and banner add's even if you visit a WAREZ site (a web-site which lets you download cracks and serials for your software) have such attacks scripts on their web pages.

A specific example I can give you is a warez site where you get free serials to unlock your software. One of my clients called me up almost every two days saying his machine was infected and he had not installed any new software or even downloaded from any web-site. But he never told me that he visited this warez, site everyday after i would clean his computer of malware. And download serial for a software. He used IE and this site had a way to start Java and install a porn toolbar and eventually trojan's which then infected his machine. He did not have an antivirus on his system (he said he didnt need one and would not like to pay for one).

So the moral of the story is,
1. Have an updated anti-virus and scan your system everday if possible or atleast every alternate day
2. Have a properly configured Firewall. Check the log's for suspecious activity and add attacking IP's to restricted zone. In norton firewall you can add the IP to restricted zone by adding it to Non trusted zone
3. KEEP YOUR SYSTEM UPDATED AND ALL THE SOFTWARE'S INSTALLED ON IT.
4. scan you sytem online at site's like Housecall (http://housecall.trendmicro.com) once a week
5. scan your system with spyware removal software's like Ad-Aware or spy.bot
6. DON"T VISIT WAREZ SITE
7. use a power-user account or limited accoount for surfind the internet.

and in the end if you want SWITCH TO FIREFOX.

hope this help's

Also a good software to collect information about your attacker is Sam Spade. get it from http://www.samspade.org/ssw/download.html
April 12th, 2005, 02:22 AM
danyelson

Hi,

As I had some experience with a lot of a products based on security I can recommend this, here it is what I used.

First of all install a fresh copy of the Microsoft Windows - this is what I use and I recommend especially for windows users. After installing your Windows OS, go and and update immediatelly from www.microsoft.com and check the Windows Update section. Update your system.

After doing this, by having your windows machine updated install those 2 programs :
I use kaspersky antivirus and kaspersky anti-hacker ( anti-hacker is a firewall ), I keep my antivirus updated on 3 hours. Also after installing it is wise to do a full scan virus check on your computer, also the anti-hacker firewall which is very simple to use will notice you for every attack encountered and every attempt of every application to use the internet. Also it is very good to use another security tool like I use Ad-aware Personal which is freeware for personal purpose and you can update it daily.

With these 3 security tools and your Windows system updated you can have a decent protection, but if you want to be sure 99.9 % you can add to my security formula the following thing. Create a VPN account and connect through him when you want to browse the internet, look here for more info www.findnot.com

Connecting through a 128 Bit Encrypted Connection and with those 3 security tools can get you a lot of privacy and security.

Also there are more TIPS and TRICKS in the settings of the Microsoft Windows XP OS like I use...but I think I will write an more detailed security tutorial. Please contact me if you need additional information regarding this security issue.
April 12th, 2005, 09:11 AM
Aspman

Starting with a clean freshly installed system is often a good thing BUT...

You have to get a firewall on the machine BEFORE you go on line. If you do a fresh install and then go online to get your updates you will be nailed before you can download anything.

Before you reformat get a copy of a firewall (something free like Zonealarm will do fine) put it on a CD. Reinstall your OS and get that on first before you install anything else. THEN go online and get your updates.
April 12th, 2005, 03:16 PM
SirDice

Is there a way to verify the exact rule that triggers this alert? It could just be a false positive.
If you cannot check the rule, the only other option is to run a sniffer and monitor this traffic.

Quote:

Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to exute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.
Source: http://www.cve.mitre.org/cgi-bin/cve...name=2001-0815

So if you don't see any outgoing/incoming requests that look like this we can safely conclude it's a false positive.
April 13th, 2005, 01:32 AM
dmorgan

These may be two unrelated things. The firewall log sounds like you have adware / spyware on your computer and it is tryng to update it's ads so you can have the most relevant anoyances. :)

Quote:

Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to exute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.
Source: http://www.cve.mitre.org/cgi-bin/cv...?name=2001-0815

Are you running a server ? Do you have Active perl ?
April 13th, 2005, 08:30 AM
Goitz

:rolleyes:

I don't know how relevant my post is but...

I use the Norton Security with NAV. So far, I'm quite happy with its performance. Liveupdate happens everytime I go on-line (via dial-up) but it looks like my ISP is masking my true IP address, hence I could not ask Symantec to conduct a true security test on my system.

What I have observed is the sudden rise of Back Orifice 2000 attacks. Maybe it is from the websites I've visited (I do a lot of roaming as I need credible references for my writings every now and then) or the related links they display.

Also, my kids download demo games from Shockwave, Yahoo and from the offerings of Download Accelerator Plus and once installed, some of these games are reported by NS to be "attempting to listen to other connections" which they automatically block as recommended by NS. Then the game fails to execute and instead switches into a "Browser" screen. No harm done, just wasted time and ISP card in downloading.

One thing I do is check into the Windows/Prefetch list and delete those that are no longer needed or used (demo games plant them plenty) and somehow, boot-up time is significantly accelerated.

The news regarding the weaknesses of Windows IE got me worried, though. I've noticed that IE reports frequent errors encountered once I close it. I just hope Norton Security is up to the task of continually blocking intrusions when I'm online.
:p

-G-
April 13th, 2005, 09:46 AM
wiskic10_4

Goitz...
Welcome to AO...

well,

a firewall can only do so much... and be *positive* it's updated... be sure your box is updated (as with the rest of your software), too - running through the Windows updater once doesn't mean you're covered... I'd do it until it can find no more... and I'd hate to say it, because you sound at *least* somewhat savvy - but - a firewall will only block what you *tell* it to block - a simple Windows-based firewall (such as Sygate) will ask you "'such and such' is trying to connect on port "#####" - do you want to accept this connection?" Now, if you're kids have the "clickity click" mentality (as I like to call it, and as most ill-informed users do), you may be allowing (malicious) programs to run that you have no idea about...

Also - watch your kids games - *especially* if they're downloading them from the internet - a *ton* of free software d/l from the Internet is *loaded* w/ malware...

I've never encountered an ISP that "masked" its clients IPs in my personal experience (though I know it *could* happen - you're sure you're not grabbing a new IP everytime you sign on???)... have you tried TrendMicro Housecall or PandaScan? (online virus-scanners)...

I'd recommend that you run a few malware removal programs in SafeMode (such as Spyware S & D and Adaware) and see what you find... it's also a good idea to keep your Temporary Internet Files to a minimum (I usually select 0 MB under Internet Options, and delete *all* the other files), and uninstall any programs you're not familiar with...

If you're system is *still* giving you problems, download HijackThis! and post your log here or on a similar forum (but please - make it an attachment rather than just posting it straight into the message space...)

Anyway - that should get you off to a good start...

-Wiski

EDIT: As far as I know, Download Accelerator Plus is just one of the many malware-pretending-to-be-useful-pain-in-the-ass-to-remove programs... I'd scrap it... 56k is 56k... If someone else can vouch for it, I'll be happy to withdraw this edit... but a quick Google search shows:
http://www.google.com/search?hl=en&q...=Google+Search
April 13th, 2005, 10:00 AM
GONEin62nd

Hi!

Quote:

Also, my kids download demo games from Shockwave, Yahoo and from the offerings of Download Accelerator Plus and once installed, some of these games are reported by NS to be "attempting to listen to other connections" which they automatically block as recommended by NS.

- AFAIK, most of these FREE stuffs includes ads and/or tracking schemes used for surveys and advertisement. And such software like DAP are bundled with ads also. Don't worry about your Firewall, it is doing its job on blocking such connection.

-GONEin62nd
April 13th, 2005, 03:44 PM
Goitz

Thanks for the tips and heads-up. Will look into these aspects, too. That's also part of the reason why I hesitate to avail of the downloads as they may conflict with the NS and I wouldn't know how to go about resolving whatever friction that arises.

... Heck, my four-year tot is the quickest to the click and that also causes a problem.

... And yes, it looks like it is my ISP that assigns new IP addresses whenever I go on-line. I once audited my dial-up status and found different IP assignment everytime I logged on.

Thanks, again.