Increased Attacks Caught By Norton

M-SO Message Board » Technology & The Internet » Archive through March 10, 2006

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4024
Registered: 1-2004


Posted on Thursday, February 16, 2006 - 2:10 pm:

Has anyone noticed a sudden rise in the number of attacks Norton Firewall has been catching? All of a sudden in the past few days, I've gone from only getting a few every couple of months or so to a very noticeable amount each day. I'd say between 25 and 50.

The only changes I've made with software was to download Spybot, Adaware, and Registry Mechanic. I also downloaded AOL's Virus Stuff. I didn't have problems the last time I had these things on the computer.

Should I try a System Restore? I have a screen shot of one of the attacks if that helps. But was reluctant putting that on the board as I'm pretty sure my ISP access number is on it.

Any suggestions would be appreciated.

Joan
Supporter
Username: Joancrystal

Post Number: 7007
Registered: 5-2001
Posted on Thursday, February 16, 2006 - 5:12 pm:

If the firewall is reporting the attacks and blocking them, you don't have a problem. It's the virus attacks which don't get reported that cause the problem.

It could simply be that the virus attack notification setting on your newly installed anti-virus software is higher than the setting you were using for your old anti-virus software. I would check that out before becoming overly concerned about this.

Case
Citizen
Username: Case

Post Number: 1147
Registered: 2-2005
Posted on Thursday, February 16, 2006 - 5:38 pm:

No no no, no system restore. You're probably fine; it could be that some little script kiddie just got his very first cable modem and he's in your neighborhood!

Don't worry about it just yet, but keep an eye on it.

monster
Supporter
Username: Monster

Post Number: 2134
Registered: 7-2002


Posted on Thursday, February 16, 2006 - 6:14 pm:

Take that screen shot, and also make a copy of Norton's log file for when the attacks occur, and send them to your ISP's abuse email address, which I've found generally to be abuse@ISPname.com.net.whatever. Let them know that you are most unhappy; there may also be a link or form on the ISP's web page.

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4032
Registered: 1-2004


Posted on Thursday, February 16, 2006 - 9:55 pm:

Thanks all! I will continue to take screen shots. (I only took two so far.) Strange, though: I uninstalled Spyhunter and made sure the Windows firewall was off. Since I did that a couple of hours ago, I haven't had an attack.

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4033
Registered: 1-2004


Posted on Thursday, February 16, 2006 - 10:18 pm:

I spoke too soon. I just downloaded a song for one of my nephews from iTunes. Not three minutes later, I got an alert! AAAAH!

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4035
Registered: 1-2004


Posted on Thursday, February 16, 2006 - 11:06 pm:

This was what the latest attack says:

ISP Intruder 68.239.77.10 (1742)
MS PnP QueryResConflist BO

Anyone know what this means?

Case
Citizen
Username: Case

Post Number: 1151
Registered: 2-2005
Posted on Thursday, February 16, 2006 - 11:33 pm:

Sigh. OK, these aren't false positives - that's a real attack (though it may be being perpetrated by a moron script kiddie, so don't panic TOO much just yet).

The only thing that makes me feel a little better about this one is the following passage from the description posted below:

Windows XP SP2 and Windows Server 2003 require an attacker to have local access to an affected computer for successful exploitation.

As someone already said, the firewall is catching this attack and preventing it (good news).

I'll post this, but give me a sec and I'll see who else you can send your security log to. I'm assuming that the IP address given in the report is the attacker's IP address.

MS PnP QueryResConflist BO
Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a buffer overflow vulnerability in the Windows Plug and Play service.

Additional Information

Microsoft Windows Plug and Play (PnP) service is used by the operating system to detect new hardware.

The PnP service is prone to a buffer overflow vulnerability. This vulnerability presents itself because the application does not perform boundary checks prior to copying user-supplied data into sensitive process buffers.

Specifically, this issue takes place when the PnP service handles malformed messages containing excessive data. These messages are passed to a finite sized buffer, triggering an overflow condition and facilitating memory corruption. A successful attack may result in arbitrary code execution, which can allow an attacker to gain SYSTEM privileges.

This vulnerability facilitates local privilege escalation and unauthorized remote access depending on the underlying operating system. A remote unauthenticated attacker can exploit this issue on Windows 2000. It is conjectured that on Windows 2000, an attacker would likely exploit this issue using NULL session enumeration to gain access. On Windows XP SP1 a remote attacker must authenticate over RPC to exploit this issue. Windows XP SP2 and Windows Server 2003 require an attacker to have local access to an affected computer for successful exploitation.

Microsoft has reported that other protocols such as Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) may be vulnerable to this issue as well. This has not been confirmed.

Reports indicate that this issue may lend itself to the development of self-propagating malicious code due to the lack of user interaction and authentication required for exploitation against Windows 2000.

** A worm exploiting this vulnerability has been reported in the wild. Users are advised to deploy patches or implement appropriate mitigation - such as blocking TCP port 445 at the network boundary - against the exploitation of this vulnerability.

The various families of malware exploiting this vulnerability include: Zotob, Esbot, Spybot, Tilebot, Bobox, Reattle, Randex and Codbot.



Case
Citizen
Username: Case

Post Number: 1152
Registered: 2-2005
Posted on Thursday, February 16, 2006 - 11:36 pm:

Regardless of who your ISP is, also send a copy to: abuse@verizon.net

OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US

NetRange: 68.236.0.0 - 68.239.255.255
CIDR: 68.236.0.0/14
NetName: VIS-68-236
NetHandle: NET-68-236-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Comment: Please send all abuse reports to abuse@verizon.net.
Comment: DO NOT send e-mail to DIA.ADMIN@verizon.com as it will not be answered.
RegDate: 2003-07-18
Updated: 2005-04-21

RNOCHandle: ZV20-ARIN
RNOCName: Verizon Internet Services
RNOCPhone: +1-703-295-4583
RNOCEmail: IPNMC@gnilink.net

OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail: abuse@verizon.net

OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: +1-703-295-4583
OrgTechEmail: IPNMC@gnilink.net

# ARIN WHOIS database, last updated 2006-02-16 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database
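The alert line Just The Aunt pasted earlier ("ISP Intruder 68.239.77.10 (1742)" followed by the signature name) and the ARIN record above are enough to triage these reports mechanically before emailing an abuse desk. The following is an added example, not code from this thread, from Norton or from Symantec: it parses a constructed log in that two-line layout, counts alerts per source address, checks each source against the 68.236.0.0/14 netblock and abuse mailbox from the ARIN record, and attaches the mitigation the signature description gave (patch, and block TCP port 445 at the boundary). The regular expression, the field names, the sample log, and the treatment of the number in parentheses (the thread does not say what it is, so it is kept as an opaque integer) are all assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from the thread): three alerts from the source
# address quoted in the thread and one from an unrelated documentation address
# (192.0.2.0/24), in the two-line layout Just The Aunt pasted.
SAMPLE_LOG = """\
ISP Intruder 68.239.77.10 (1742)
MS PnP QueryResConflist BO
ISP Intruder 68.239.77.10 (2117)
MS PnP QueryResConflist BO
ISP Intruder 192.0.2.44 (3300)
MS PnP QueryResConflist BO
ISP Intruder 68.239.77.10 (1901)
MS PnP QueryResConflist BO
"""

# Netblock, organisation and abuse mailbox copied from the ARIN record above.
NETBLOCKS = {
    ipaddress.ip_network("68.236.0.0/14"):
        ("Verizon Internet Services Inc.", "abuse@verizon.net"),
}

# Mitigation text taken from the signature description quoted earlier in the
# thread; any other signature would need its own entry.
MITIGATIONS = {
    "MS PnP QueryResConflist BO":
        "apply the Plug and Play patch; block TCP port 445 at the network boundary",
}

# Assumed layout: "ISP Intruder <ip> (<n>)" on one line, signature name on the
# next. The thread does not explain <n>, so it is kept as an opaque integer.
ALERT_RE = re.compile(r"^ISP Intruder (\S+) \((\d+)\)$")


def parse_alerts(text):
    """Return a list of (ip, n, signature) tuples from the two-line alert layout."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    alerts = []
    i = 0
    while i < len(lines):
        m = ALERT_RE.match(lines[i])
        if m and i + 1 < len(lines):
            alerts.append((ipaddress.ip_address(m.group(1)), int(m.group(2)), lines[i + 1]))
            i += 2
        else:
            i += 1  # skip anything that is not the start of an alert
    return alerts


def lookup_netblock(ip):
    """Return (org, abuse_email) for the first known netblock containing ip, else None."""
    ip = ipaddress.ip_address(str(ip))
    for net, contact in NETBLOCKS.items():
        if ip in net:
            return contact
    return None


def triage(text):
    """Group alerts by source (busiest first) with the abuse contact and the
    mitigation for each signature seen, ready to paste into an abuse report."""
    counts = Counter()
    sigs = {}
    for ip, _, sig in parse_alerts(text):
        counts[ip] += 1
        sigs.setdefault(ip, set()).add(sig)
    report = []
    for ip, n in counts.most_common():
        contact = lookup_netblock(ip)
        seen = sorted(sigs[ip])
        report.append({
            "source": str(ip),
            "alerts": n,
            "signatures": seen,
            "org": contact[0] if contact else None,
            "abuse": contact[1] if contact else None,
            "mitigations": [MITIGATIONS.get(s, "unknown signature") for s in seen],
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run against the sample log, the busiest source resolves to the Verizon netblock and its abuse mailbox, while the 192.0.2.44 entry comes back with no contact, which is the cue to look up that address separately rather than send everything to one ISP.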

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4040
Registered: 1-2004


Posted on Friday, February 17, 2006 - 6:43 am:

Case
I am uninstalling Spybot as soon as I get home! Thanks!

Case
Citizen
Username: Case

Post Number: 1155
Registered: 2-2005
Posted on Friday, February 17, 2006 - 9:14 am:

Actually, Spybot Search and Destroy is not your problem here - please do NOT uninstall it!

Feel free to send me a private message (or use my 'throwaway' email account, divemaster@optonline.net) to contact me and we can discuss this.

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4042
Registered: 1-2004


Posted on Friday, February 17, 2006 - 11:08 am:

Can someone please tell me what 'Visual Tracking' is and how I access it? Also, I just realized that for some reason the other day I changed all my settings to 'default.' Could that be my problem? I'm pretty sure my problems started after this.

Tom Reingold
Supporter
Username: Noglider

Post Number: 12583
Registered: 1-2003


Posted on Friday, February 17, 2006 - 11:11 am:

Yes, probably. You probably set it to the way it is out of the box, telling it to forget everything you have taught it since you installed it. So you have to teach it again over the next few weeks.

Case, a new kid "next door" doesn't have to be close, since Cablevision addresses are public (I think). The evil kid could be anywhere on the planet.

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4043
Registered: 1-2004


Posted on Friday, February 17, 2006 - 11:23 am:

Too late. I uninstalled Spybot because it was mentioned in the information, then took off Adaware and Register Medic (or whatever it was called). I have to go with one of my sisters to meet another sister at the cemetery. I'm going to send you a PM when I get back. Thanks.

Case
Citizen
Username: Case

Post Number: 1157
Registered: 2-2005
Posted on Friday, February 17, 2006 - 1:01 pm:

Ah, but on a cable segment it's a lot easier to find victims (unlike a DSL connection, which is somewhat more isolated than a coax system).


Dave
Supporter
Username: Dave

Post Number: 8697
Registered: 4-1997


Posted on Friday, February 17, 2006 - 1:25 pm:

Interesting. Why is that?

Case
Citizen
Username: Case

Post Number: 1158
Registered: 2-2005
Posted on Friday, February 17, 2006 - 2:08 pm:

Cable is a shared environment, a lot like the old original Ethernet (that was originally deployed on one long piece of coax with vampire taps).

Tom Reingold
Supporter
Username: Noglider

Post Number: 12586
Registered: 1-2003


Posted on Saturday, February 18, 2006 - 12:39 am:

I could be wrong, but I don't think the Verizon firewall allows inbound connections. The Cablevision and Comcast ones do.


Case
Citizen
Username: Case

Post Number: 1160
Registered: 2-2005
Posted on Saturday, February 18, 2006 - 1:34 am:

No idea - I run my own Cisco systems here at the house...

Ligeti
Citizen
Username: Ligeti

Post Number: 587
Registered: 7-2002


Posted on Saturday, February 18, 2006 - 8:16 am:

When you design your life around computers, wireless networks and online "communication," this is what happens. You might as well just buy prime time TV spots promoting your credit card and social security numbers, and get it over with.

Best to put the emphasis on low-tech activities such as reading books, newspapers, encyclopedias, The NY Times Almanac, using the library and sending letters (which you actually have to put some thought into). These are all far more useful and accurate resources than the Internet. The Internet is the DREAM weapon of criminals, Big Brother and i.d. thieves.

Reject obsession with computers, cellphones, BlackBerries, and Wikipedia (silly, useless).

Joan
Supporter
Username: Joancrystal

Post Number: 7015
Registered: 5-2001
Posted on Saturday, February 18, 2006 - 8:21 am:

Ligeti:

How does your suggestion help resolve JTA's present problem with firewall attacks?

JTA:

Can you reinstall the three programs you removed from your computer? It is a good idea to have them, especially since they seemed to be providing you with some benefit in controlling viruses and spyware.

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4046
Registered: 1-2004


Posted on Saturday, February 18, 2006 - 8:47 am:

I have a Verizon connection. It's strange: since I removed all of that I haven't had a problem. I think I remember problems last year when I tried the AOL Security Pack. It wasn't compatible with Norton and the other things. If I could figure out how to uninstall the AOL Security Pack I would. I don't want to have to uninstall AOL completely as I don't want to lose my mail etc.

I'm not sure having the programs I just took off really helped me. After doing scans with them, I had no way to remove or block what was caught without buying the full product.

I have an upgraded Norton that I'm going to install this afternoon. I did notice something I didn't notice before: in Norton there is an option where I can view what seem like reports of attempted attacks. I'm trying to figure out if there is a way to print it. Screen shots are a pain because I can get only half of each one.

Joan
Supporter
Username: Joancrystal

Post Number: 7017
Registered: 5-2001
Posted on Saturday, February 18, 2006 - 9:48 am:

JTA:

You don't really know you have a security problem online unless your security software tells you that you do. The "attacks" you have been seeing reported by your firewall recently may mean that you installed more sensitive or up-to-date software rather than that there has been any change in the attacks. It may also be that your firewall attack report sensitivity settings are higher than they used to be, thus you are getting more alert messages. This is especially likely to be the case if you have seen a sudden decrease in attack notifications now that you have reverted to your former anti-virus software.

When I first updated Norton, I started getting a lot of firewall messages that this thing or that was trying to access my machine. The "culprits" included incoming e-mail, scheduled updates, and other computer functions which I wanted the computer to be able to perform online. Norton almost always began by recommending that these serious threats be blocked every time they occurred. Gradually, Norton "learned" that some operations were okay and set definitions for them. You should do the same with your Norton so you can better tell the "not to worry" alerts from the real threats to your system.

You do not have to pay anything to run the Adaware and Spybot programs, and both will allow for free updates. You don't even have to be online to run them. Check the online help for each program on how to use the program. Paid versions include automatic updates and other features which you don't really need as long as you remember to search for updates on a regular basis.

Case
Citizen
Username: Case

Post Number: 1161
Registered: 2-2005
Posted on Saturday, February 18, 2006 - 11:17 am:

Gee, speaking of 'silly' and 'useless'....

.. nah. Too easy.

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4079
Registered: 1-2004


Posted on Wednesday, February 22, 2006 - 12:16 am:

Update: Since I removed all those programs mentioned above the other day I haven't had any more attack notices. I plan to reinstall them one each day, beginning tomorrow. Maybe this will help determine where the problem is occurring...

Case
Citizen
Username: Case

Post Number: 1174
Registered: 2-2005
Posted on Wednesday, February 22, 2006 - 9:10 am:

Just to clarify - you haven't removed Norton, right?

Just The Aunt
Supporter
Username: Auntof13

Post Number: 4095
Registered: 1-2004


Posted on Wednesday, February 22, 2006 - 5:59 pm:

Case-
No. Still have Norton. I'm dumb, but not that dumb.

So far I've reinstalled Spybot and Adaware. So far, none of those 'alerts.' I just thought of something. It could have been the Weatherbug. I took that off too. I might try to put that back tomorrow.

upondaroof
Citizen
Username: Upondaroof

Post Number: 565
Registered: 4-2003
Posted on Wednesday, February 22, 2006 - 6:48 pm:

I'd steer clear of "Weatherbug". It's loaded with adware. Point your browser to http://www.weather.com/index.html and download "Desktop Weather".(IMHO)
