Visitor
ikrananka
Posts: 4
Registered: ‎11-26-2010

HTTP Fragus Toolkit Request 1

Today I received a High severity intrusion attempt message "HTTP Fragus Toolkit Request 1" from NIS2010 (fully updated) stating that the attempt was by my own computer name (see attached picture - I have blanked out my computer name). This occurred when I was running Internet Explorer 8 and browsing my usual home page (www.bbc.co.uk). Details are:


Risk Name: HTTP Fragus Toolkit Request 1

Attacking Computer: My Computer Name (192.168.1.##, 49485)

Attacker URL: inesne.com/gaha/show.php?key=be1d0d4932919ad9e7fba8bb64b02797&u=full2

Destination Address: 91.213.217.38, 80

Source Address: 192.168.1.## (192.168.1.##)

Traffic Description: TCP, Port 49485


I have completely scanned my system and NIS reports absolutely no security threats. Why is the message indicating that the attempt came from my computer and yet the attacking URL is external? Is this likely a false positive? Although NIS blocked the attempt, is there any action that I should take? Note that I received two of these messages; they are identical except that the port changes from 49478 to 49485. Should I block these ports on my router?

Interestingly, shortly after the intrusion attempt I received a call from an Indian lady claiming to be from Richland Support. She claimed that they had received error messages that had been traced back to my computer's unique ID!!!!! She then proceeded to ask me to turn on my computer so that they could connect and show me the error messages. After I kept asking her some probing questions she stopped responding and so I hung up. Her caller ID was blocked. Coincidence or not? I have sent Richland Support a message notifying them of this.

Anyway, much appreciate any help/advice with regard to the above intrusion attempt.

Contributor
TheBluesBrother
Posts: 31
Registered: ‎05-02-2010

Re: HTTP Fragus Toolkit Request 1


When I read this post there was something very seriously wrong with it.

Where did she get your telephone number from?

Do you keep your phone number on your system?

Visitor
ikrananka
Posts: 4
Registered: ‎11-26-2010

Re: HTTP Fragus Toolkit Request 1

I am in the phone book so my number is not private. The telephone call may have been completely unrelated and I believe that they had absolutely nothing from my computer (it is a new build from a few months ago and has had NIS installed from day one with regular full system scans). I reckon it was some kind of telephone phishing attack that convinces some poor souls to install some remote access software and then they **bleep** and pillage the PC at will.

Newbie
kphoto
Posts: 4
Registered: ‎11-26-2010

Re: HTTP Fragus Toolkit Request 1

I experienced an identical attack yesterday, same information as you report except, of course, from my own computer name and IP, and port.

Attack reported to "resulted from \DEVICE\....\FIREFOX.EXE"

So far scan is negative. No apparent change in machine function or response. No phone call - but then no landline and guarded cell.

I look forward to feedback -

Many thanks! K.

Bot Obliterator
Quads
Posts: 13,938
Registered: ‎07-21-2008

Re: HTTP Fragus Toolkit Request 1

A bit old now, there would be slight changes, but http://www.symantec.com/connect/blogs/fragus-exploit-kit-changes-business-model

Exploiting Websites / Webpages

Quads

Newbie
kphoto
Posts: 4
Registered: ‎11-26-2010

Re: HTTP Fragus Toolkit Request 1

Thanks, Quad for this link - I already reviewed this and other info on Norton and other sites.

My question: Since NAV caught the attack, is there any known reason for further concern?

Regular Contributor
Tywin7
Posts: 1,465
Registered: ‎09-02-2010

Re: HTTP Fragus Toolkit Request 1

Quads, are you suggesting BBC website has been hacked or BBC have bought the toolkit?

_____

@kphoto

Try running the free version of Malwarebytes just to be on the safe side to make sure nothing got through. Download Malwarebytes' from this alternative source.

http://www.filehippo.com/download_malwarebytes_anti_malware/


Some malware creators have made removing malware harder by blocking the sites of popular virus removal programs like Symantec and Malwarebytes. Therefore, using an alternative source can prevent the program from being blocked. Please make sure to download the correct program. There are MANY ads on the site so make sure you are downloading MALWAREBYTES' ANTIMALWARE and not some other program.

(Thanks to Floplot for providing the alternative site). After you have downloaded the program, right click the exe file and select run as admin. Follow all prompts to install the software. After installation, run an update of the program and perform a FULL scan of your computer. When scanning is finished, a message box will appear. Click on ok to continue on with the malware removal. Make sure that all detected threats are checked and click on Remove Selected. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Copy and paste all contents of the notepad into your next post. After that close the notepad.

Note: Many of the above steps are copied and adapted from Floplot's instructions regarding using Malwarebytes'.

Norton Internet Security 2011, Windows 7 Home Premium 64 bit (Check if you are eligible for a FREE Norton upgrade)
"Success is 10 percent inspiration and 90 percent perspiration." -- Thomas Alva Edison
I'm not a Symantec employee and my posts do not represent the views of Symantec.
Bot Obliterator
Quads
Posts: 13,938
Registered: ‎07-21-2008

Re: HTTP Fragus Toolkit Request 1

Tywin7 wrote:

Quads, are you suggesting BBC website has been hacked or BBC have bought the toolkit?

LOL, means you don't understand it all. Stick to only what you know, it's safer for all.


Quads

Bot Obliterator
Quads
Posts: 13,938
Registered: ‎07-21-2008

Re: HTTP Fragus Toolkit Request 1

kphoto wrote:

Thanks, Quad for this link - I already reviewed this and other info on Norton and other sites.

My question: Since NAV caught the attack, is there any known reason for further concern?

It looks as though Norton has done its job in blocking the URL for your PC, using Auto-Protect / Intrusion Prevention, which is good. I am going to dig into one of the attacking URLs, I just need an update first.

The reason Norton shows firefox.exe etc. in the info is that scripts on a website / webpage are used to load another webpage in the browser you are running, but Norton has blocked it.

This sort of thing has happened in the past with sites like New York Times, Fox / ESPN, and will continue to happen from time to time.

Quads
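To make the direction point concrete, here is an added example (not from the thread or from Norton) that parses the alert fields ikrananka quoted and classifies the connection. It assumes the alert is the plain "Field: value" text shown in the first post, and treats the masked octet "##" as 0 only for the private-address check.

```python
import ipaddress
import re

# Constructed sample of the NIS intrusion details quoted in the thread;
# the poster masked the last octet of the LAN address with "##".
ALERT = """Risk Name: HTTP Fragus Toolkit Request 1
Attacking Computer: My Computer Name (192.168.1.##, 49485)
Attacker URL: inesne.com/gaha/show.php?key=be1d0d4932919ad9e7fba8bb64b02797&u=full2
Destination Address: 91.213.217.38, 80
Source Address: 192.168.1.## (192.168.1.##)
Traffic Description: TCP, Port 49485
"""

# "ip, port" pair; allows a masked octet so the quoted text parses as-is.
ENDPOINT = re.compile(r"(\d{1,3}(?:\.(?:\d{1,3}|##)){3})\s*,\s*(\d+)")


def parse_alert(text):
    """Split 'Field: value' lines and pull out the two endpoints."""
    fields = dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)
    src_ip, src_port = ENDPOINT.search(fields["Attacking Computer"]).groups()
    dst_ip, dst_port = ENDPOINT.search(fields["Destination Address"]).groups()
    return {"risk": fields["Risk Name"], "url": fields["Attacker URL"],
            "src": (src_ip, int(src_port)), "dst": (dst_ip, int(dst_port))}


def is_private(ip):
    # Assumption: a masked octet is replaced by 0 purely for classification;
    # every 192.168.1.x address is in the same RFC 1918 block anyway.
    return ipaddress.ip_address(ip.replace("##", "0")).is_private


def classify(alert):
    src_ip, src_port = alert["src"]
    dst_ip, dst_port = alert["dst"]
    # Private LAN source, ephemeral client port, public web server port:
    # the local browser fetched the exploit-kit URL, so NIS names the PC
    # as "attacking computer" even though the threat is the remote page.
    outbound = is_private(src_ip) and not is_private(dst_ip) and dst_port in (80, 443)
    return {
        "direction": "outbound browser request" if outbound else "other",
        "client_port_ephemeral": src_port >= 49152,  # IANA dynamic range
        # The OS picks a fresh ephemeral port per connection (49478, 49485, ...),
        # so a router rule on those ports would not stop a repeat.
        "block_client_port_useful": False,
        "remote_host": dst_ip,
    }


if __name__ == "__main__":
    a = parse_alert(ALERT)
    print(a["risk"], classify(a))
```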

Visitor
ikrananka
Posts: 4
Registered: ‎11-26-2010

Re: HTTP Fragus Toolkit Request 1

Quads wrote:

It looks as though Norton has done its job in blocking the URL for your PC, using Auto-Protect / Intrusion Prevention, which is good. I am going to dig into one of the attacking URLs, I just need an update first.

The reason Norton shows firefox.exe etc. in the info is that scripts on a website / webpage are used to load another webpage in the browser you are running, but Norton has blocked it.

This sort of thing has happened in the past with sites like New York Times, Fox / ESPN, and will continue to happen from time to time.

Thanks - good to know why it appeared to come from my PC.

I have already completed a full MBAM scan with nothing detected. Have also just upgraded to NIS 2011 and fully updated - ran another full scan and nothing detected. So as far as I can tell my PC is clean. I'll keep a very close eye on any future attacks.


Very interested to hear back once you've had a chance to check out the suspicious URLs.