Not what you were looking for? Ask our experts!
Reply
Visitor
kiran.bajaj
Posts: 3
Registered: ‎05-02-2009

Repeated Intrusion Attacks. How do i stop this? Who can i report to?

[ Edited ]

Hi,

 

Since morning today, my pc has been beseiged with Norton security pop ups - stating "A recent attempt to attack your computer was blocked - view details"

 

This intrusion attack is repeated and i am looking out for options on what can be done to stop the attacks

The intrusion attacks are being blocked successfully by Norton AV because of up to date - application s/w and virus definitions

 

The intrusion attack details are as under

 

Attacker URL reported by my updated and licensed version of Norton Anti Virus is(removed website).Risk Name as classified by Norton is "HTTP Suspicious Executable Image Download"
Severity : High
Activity : An intrusion attempt by (removed)was blocked. Application Path \DEVICE\HARDDISKVOLUME3\WINDOWS\EXPLORER.EXE

 

Attacking Computer

(removed)(IP Addr - 64.136.20.37; Port 80)

 

I checked the details on www.dnstools.com and the details of the search are mentioned in the below mail. Subsequently - i have also e-mailed the below mentioned id's of the web master and the id relating to abuse - informing them of action - if this does not stop.

 

Can some expert advise me on

A). What needs to be done to stop these attacks from occuring

B). Is there a central body on the internet that takes note of such issues reported by harassed users and takes action against the offenders.

C). How do i ensure - that despite these repeated attacks, the computer continues to remain protected (this is apart from the regular live update and quick/scheduled full scans

 

 

Would appreciate a prompt reply to help me resolve this issue

 

Thx & Rgds

Kiran Bajaj.

 

Results from whois.net and dnstools.com
======================================
Connecting to whois.arin.net...
OrgName:    Juno Online Services, Inc.
OrgID:      JUNO
Address:    21301 Burbank Boulevard
City:       Woodland Hills
StateProv:  CA
PostalCode: 91367
Country:    US
NetRange:   64.136.0.0 - 64.136.63.255
CIDR:       64.136.0.0/18
NetName:    JUNO-BLK
NetHandle:  NET-64-136-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: AUTHNS.DCA.UNTD.COM
NameServer: AUTHNS.VGS.UNTD.COM
NameServer: AUTHNS.IAD.UNTD.COM
Comment:   
RegDate:    2000-07-26
Updated:    2007-09-19
RAbuseHandle: UOAD-ARIN
RAbuseName:   United Online Abuse Department
RAbusePhone:                  +1-818-287-3000        
RAbuseEmail:  abuse@untd.com
RTechHandle: IU14-ARIN
RTechName:   United Online, Inc.
RTechPhone:                  +1-805-418-2000        
RTechEmail:  hostmaster@noc.untd.com

 

[edit: Removed hazardous website from subject..]

Message Edited by shannons on 05-02-2009 03:07 PM
Message Edited by shannons on 05-02-2009 06:23 PM
Message Edited by shannons on 05-03-2009 05:04 AM
delphinium
Posts: 9,862
Kudos: 2,965
Solutions: 293
Registered: ‎11-21-2008

Re: Repeated Intrusion Attacks. How do i stop this? Who can i report to?

[ Edited ]

This is a very interesting site dealing with the reports of internet abuse and what to do about it.

 

http://www.abuse.net/users.phtml

 

[edit: Subject.]

Message Edited by shannons on 05-02-2009 03:08 PM
Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Rootkit Eradicator
Posts: 5,357
Registered: ‎05-30-2008

Re: Repeated Intrusion Attacks. How do i stop this? Who can i report to?

[ Edited ]

That Web Site is Un-Safe and you should not Visit it; it has Backdoor.Trojan on it.  Please do not Post Un-Safe Web Sites in the Forum.  I would suggest doing a Full System Scan, Dis-Connected from the Internet; run Norton LiveUpdate beforehand.

 

What Version of Norton AntiVirus do you have?

 

 

[Edit: Grammer]

Message Edited by Floating_Red on 05-02-2009 09:07 PM
Message Edited by Floating_Red on 05-02-2009 09:13 PM
[edit: Subject.]
Message Edited by shannons on 05-02-2009 03:09 PM
Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
delphinium
Posts: 9,862
Kudos: 2,965
Solutions: 293
Registered: ‎11-21-2008

Re: Repeated Intrusion Attacks. How do i stop this? Who can i report to?

[ Edited ]

Floating Red:

 

Could you clarify to which one of us your post is referring? 

 

[edit: Subject.]

Message Edited by shannons on 05-02-2009 03:10 PM
Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Rootkit Eradicator
Posts: 5,357
Registered: ‎05-30-2008

Re: Repeated Intrusion Attacks from [Removed]. How do i stop this? Who can i report to?


delphinium wrote:

Floating Red:

 

Could you clarify to which one of us your post is referring? 


 

O.P..
Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Visitor
kiran.bajaj
Posts: 3
Registered: ‎05-02-2009

Re: Repeated Intrusion Attacks. TechSupp[Incident: 090505-003068]-No Solution !!

Hi,

 

Noted your responses.

 

 

I am on Norton AV 2009 

Version : 16.5.0.134 

I have run live update (which i do regularly)

I have disconnected from the net

Run a quick as well as a full scan

And then got online 

But all of this has yielded nothing

 

Norton AV Auto Protect is always on!

I am also upto date on all MS Windows XP - patches from the Microsoft Update site

 

I used to get the attacks from 64.136.20.37 port 80.
I have tracked it down to United Online services and ensured that the offending website has been removed from their IP range. 

 

But I continue to get the messages from Norton AV 2009 that an intrusion attempt was blocked this time from another IP.

 

I have followed up with the owner (below) of that IP range (Conversis Gmbh) and have also sent mails to their info and abuse id - asking him to ensure that the malicious content is removed from his IP range and the offender brought to book.

But there is no reply which is real arrogance from conversis.

Which also leads me to believe that they are helping the originators of the malicious content.

 

Details of the attack

======================= 

Attacking Computer - zxvsneverdies.is-the-boss.com
IP address 213.131.252.251 port 80
Attacker URL: zxvsneverdies.is-the-boss/refix.jpg

This ip address points to:
conversis GmbH
Customer PA Space
Germany
Person responsible for this IP
Patrick Kirchhoff
Conversis GmbH
Erftstra.e 11
47051 Duisburg
Germany
               +49 203 7187475

 

Norton Tech Support Experience

===========================

I have been in touch with Norton Tech Support since the start of these attacks, and the whole support experience has been a huge let down. I have been informing Symantec continuously of the developments on this via Technical Support [Incident: 090505-003068].

 

I had requested them to arrange to stop the recurring attack(s) on my computer through this IP range - 213.131.252.0 - 213.131.252.255, and that, If this was on account of a trojan on my PC, then i asked them to provide me an update to clean it from my PC.

 

I also stated that

============== 

This has been a persistent problem for the past 2-3 weeks - where i, at intervals of time, continue to get these pop ups where Norton AV states that it has blocked intrusion attempts.

I can choose to ignore and take for granted that norton av will continue to block.

But am apprehensive that some attempt of this attack might be successful and i will be in big trouble. Hence the call for support. 

 

The response i got from the analyst

"As I understand that the issue is related to virus or Trojan infection in your computer.We can help you remove any threats present in your computer. I do understand your concern.Norton most probably is working well on your computer. But it’s also important to note that no security software can afford you 100% protection. This is because a lot of environmental variables, the vulnerabilities of Windows and the software’s/applications on your computer play a pivotal role in keeping your computer secure. If there is any level of insecurity or any security holes, the possibility of a security breach is always present."

 

And then the killer

"This is a paid consultation service.The Consultation fee is AUD $139.99.We guarantee to identify any threats that may be on your system.  Once we have found them, we will remove them.  In addition we guarantee our work for a period of 7 days from today should you experience any reoccurrence."

 

Now, that's an awful lot of money - i can buy 5 years of norton av subscription on this!!. Why is it that i cannot clean the virus or trojan infection. Live Update is up to date, so i see no reason why i should not be able to clean it myself.

 

I think this is absolutely unfair and i chose not to avail of this service. 

And I'm being frank - but procuring Norton AV 2009 yearly subscription for Rs. 1200/- (INR) and then paying almost Rs. 6000/- (INR) [5 times the cost] for a virus/trojan problem the procured software cannot solve is insane!

 

I also asked them to report this observation as a customer complaint from a dissatisfied customer.

 

The whole attitude has been lax and this leads me to believe that norton being a market leader is taking customers for granted. I wish this could change.

 

I have been a norton user since 2004 and wish that i continue to be. But for that to happen - i need a solution from tech support. And since that is not forthcoming. I am opting to write into a community forum - where some expert will be able to help.

 

And by the way - out of sheer frustration i went to the Kaspersky online scanner and it has detected an infected file. But the same is not visible on my PC. I do not know whether to believe the result and resort to removing Norton and installing Kaspersky

 

Results from Kaspersky Online Scan

============================

File name / Threat name / Threats count
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\r00t.exe Infected: Trojan-Dropper.Win32.VB.iuj 1 

 

 

I rest my case and hope that some solution is suggested by the community experts and i am rid of these continuing attacks.

 

 

Thx & Rgds,

 

Kiran Bajaj

Volunteer
yogesh_mohan
Posts: 5,302
Registered: ‎07-29-2008

Re: Repeated Intrusion Attacks. How do i stop this? Who can i report to?

[ Edited ]

Hi Kiran,

 

Which Firewall program do you use?

If you use only Windows Firewall, it will be better to get any of the stand alone firewall program as an additional protection over your computer. Hope you know that NAV 2009 don't have any firewall with it. The Trojan-Dropper.Win32. is generally detected as Backdoor.Trojan by Symantec products. Did the Norton program detect any such threats during scanning?

 

Yogesh

Message Edited by yogesh_mohan on 05-13-2009 02:22 AM
Rootkit Eradicator
Posts: 5,357
Registered: ‎05-30-2008

Re: Repeated Intrusion Attacks. How do i stop this? Who can i report to?


yogesh_mohan wrote:

Hi Kiran,

 

Which Firewall program do you use?

If you use only Windows Firewall, it will be better to get any of the stand alone firewall program as an additional protection over your computer. Hope you know that NAV 2009 don't have any firewall with it. The Trojan-Dropper.Win32. is generally detected as Backdoor.Trojan by Symantec products. Did the Norton program detect any such threats during scanning?

 

Yogesh

Message Edited by yogesh_mohan on 05-13-2009 02:22 AM

 

Norton AntiVirus 2009: No Firewall: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=18195.

 

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Visitor
kiran.bajaj
Posts: 3
Registered: ‎05-02-2009

Re: Repeated Intrusion Attacks. How do i stop this? Who can i report to?

Hi,

No external firewall programme is used by me. I just rely on windows firewall.

Did the Norton program detect any such threats during scanning? NO. It has reported green (and i mentioned that kaspersky managed to detect the trojan dropper).

What is the cost of upgrading from an existing licensed version of Norton Anti-Virus 2009 to Norton 360. Will installing Norton 360 solve the existing problem. I mean, will the trojan be removed from my system. What do i do to remove this trojan once and forever.

B'cos if the cost of upgradation is less than the cost of consulting from the Norton Tech Support team - then i might as well opt for a upgrade rather than looking for expensive experts!

Thx & Rgds,
Kiran Bajaj.
Super Spam Squasher
mo
Posts: 1,707
Registered: ‎08-18-2008

Re: Repeated Intrusion Attacks. How do i stop this? Who can i report to?

[ Edited ]

Hi

I would remove the trojan first,then look at either NIS2009 or N360 or keep NAV and just add a Firewall.

Try Malwarebytes,update it then disconnect from the net and do a scan in safe mode,Post back here with the log or your results.

 

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=d...

 

There are a few free online firewalls which I'm sure other members can point you towards which ones work well with NAV2009

Message Edited by mo on 05-13-2009 05:57 AM
Cheers Mo
XP home,SP3
NIS2012