Attackers pretending to be Symantec in order to trick the NIS firewall?

I wanted some advice on some firewall entries. While Norton Internet Security for Mac has done a great job of blocking these attacks with its firewall's heuristic detection, I feel that Symantec needs to know more about this because this could be something more serious. Basically some attackers are pretending to be Symantec in order to try and trick my firewall into giving them access. Luckily the firewall flagged the connections as suspicious and blocked them. At first glance they look like they are from Symantec. But upon tracing the IP addresses, I found where the attempted connections were really coming from, and that Symantec had nothing to do with the connections. Below are two of these attacks from two different attackers. Then below that is the raw traceroute data that shows who the attackers really are. My fear is that hackers will refine these attacks or that people may think that they are really from Symantec and will allow the connections. I don't know how to contact Symantec engineers about this, or if it is even necessary, so I am posting it here to get some feedback.

1. FAKE IP: 63.140.61.13 symantec.com
   REAL IP: omniture.com (66.235.132.5)

2. FAKE IP: 143.127.102.43 mac-shasta-wrs.symantec.com
   REAL IP: above.net (64.125.31.193)

Raw Data for 1:

Traceroute has started…
traceroute to 63.140.61.13 (63.140.61.13), 64 hops max, 72 byte packets
 1  131.118.77.254 (131.118.77.254)  1.166 ms  0.438 ms  0.369 ms
 2  131.118.79.241 (131.118.79.241)  0.445 ms  0.737 ms  0.476 ms
 3  131.118.95.246 (131.118.95.246)  0.859 ms  1.272 ms  0.821 ms
 4  fe-0-0-0.fsu-gw.net.ums.edu (131.118.255.118)  0.678 ms  0.826 ms  5.748 ms
 5  vlan5.umcp-core.net.ums.edu (136.160.255.25)  15.669 ms  24.404 ms  26.117 ms
 6  206.196.177.84 (206.196.177.84)  16.530 ms  16.717 ms  17.184 ms
 7  et-10-0-0.321.asbn0.tr-cps.internet2.edu (198.71.47.37)  17.517 ms  17.006 ms  17.453 ms
 8  ae-2.0.ny0.tr-cps.internet2.edu (64.57.20.197)  23.622 ms  28.657 ms  23.647 ms
 9  64.57.20.74 (64.57.20.74)  26.660 ms  34.566 ms  27.927 ms
10  te1-1-10g.asr1.sjc2.gblx.net (67.16.139.42)  96.027 ms  94.712 ms  95.482 ms
11  adobe-systems.tengigabitethernet1-2.asr1.sjc2.gblx.net (159.63.54.134)  95.085 ms  100.282 ms  100.618 ms
12  sr-b-1-vlan-9.sj1.omniture.com (66.235.132.5)  97.971 ms  97.084 ms  124.950 ms
13  symantec.com.102.112.2o7.net (63.140.61.13)  116.104 ms  94.667 ms  98.019 ms

Raw Data for 2:

Traceroute has started…
traceroute to 143.127.102.43 (143.127.102.43), 64 hops max, 72 byte packets
 1  131.118.77.254 (131.118.77.254)  1.246 ms  0.624 ms  0.619 ms
 2  131.118.79.241 (131.118.79.241)  0.464 ms  0.643 ms  0.835 ms
 3  131.118.95.246 (131.118.95.246)  9.876 ms  5.545 ms  21.012 ms
 4  fe-0-0-0.fsu-gw.net.ums.edu (131.118.255.118)  5.208 ms  4.555 ms  5.417 ms
 5  vlan5.umcp-core.net.ums.edu (136.160.255.25)  21.668 ms  19.450 ms  23.289 ms
 6  206.196.177.84 (206.196.177.84)  16.466 ms  16.691 ms  17.429 ms
 7  et-10-0-0.321.asbn0.tr-cps.internet2.edu (198.71.47.37)  31.602 ms  20.793 ms  19.355 ms
 8  64.57.20.106 (64.57.20.106)  17.094 ms  16.926 ms  19.516 ms
 9  ae2.cr2.dca2.us.above.net (64.125.31.209)  19.426 ms  27.673 ms  17.900 ms
10  ae6.cr2.iah1.us.above.net (64.125.28.50)  58.910 ms  57.981 ms  84.535 ms
11  ae2.cr2.lax112.us.above.net (64.125.25.53)  81.200 ms  83.865 ms  93.838 ms
12  ae9.mpr1.lax12.us.above.net (64.125.31.193)  82.200 ms  80.071 ms  80.557 ms

It may be nothing, but it is still very odd and suspicious. I use NIS for Mac on Mavericks.
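Added example, not from either poster: a small Python parser for traceroute listings like the ones above. It extracts each hop's reverse-DNS name and its registrable domain (here taken as the rightmost two labels, a rough heuristic that is adequate for the .com/.net names in this thread but not for suffixes like co.uk), marks which hop is the traced destination, and flags names in which a brand string such as symantec.com appears only as a prefix label rather than as the registrable domain. The sample hops are copied from the first traceroute in the post.

```python
import re

# Sample input, copied from the first traceroute in the post above (hops 11-13).
TRACEROUTE_1 = """\
traceroute to 63.140.61.13 (63.140.61.13), 64 hops max, 72 byte packets
11  adobe-systems.tengigabitethernet1-2.asr1.sjc2.gblx.net (159.63.54.134)  95.085 ms  100.282 ms  100.618 ms
12  sr-b-1-vlan-9.sj1.omniture.com (66.235.132.5)  97.971 ms  97.084 ms  124.950 ms
13  symantec.com.102.112.2o7.net (63.140.61.13)  116.104 ms  94.667 ms  98.019 ms
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER_RE = re.compile(r"^traceroute to \S+ \(" + IPV4 + r"\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(" + IPV4 + r"\)")


def registrable_domain(hostname):
    """Rightmost two labels of a reverse-DNS name, i.e. the part the DNS owner
    actually controls. Returns None when the 'name' is just a bare IPv4 address."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return None
    return ".".join(labels[-2:])


def brand_only_in_prefix(hostname, brand):
    """True when `brand` (e.g. 'symantec.com') occurs in the name but is not its
    registrable domain: the left-hand labels of a PTR record can say anything."""
    apex = registrable_domain(hostname)
    return apex is not None and apex != brand and brand in hostname


def parse_traceroute(text):
    """Return (destination_ip, [(hop, name, ip), ...]) from traceroute output."""
    target, hops = None, []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            target = header.group(1)
            continue
        hop = HOP_RE.match(line)
        if hop:
            hops.append((int(hop.group(1)), hop.group(2), hop.group(3)))
    return target, hops


def analyse(text):
    """Per hop: (hop number, ip, registrable domain, 'destination' or 'transit')."""
    target, hops = parse_traceroute(text)
    return [(n, ip, registrable_domain(name), "destination" if ip == target else "transit")
            for n, name, ip in hops]
```

Running `analyse(TRACEROUTE_1)` labels hops 11 and 12 (gblx.net, omniture.com) as transit and hop 13 as the destination, whose registrable domain is 2o7.net.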

Replies

Re: Attackers pretending to be Symantec in order to trick the NIS firewall?

Hi Arcanine666,
welcome to Norton Community.

Where did you get these IPv4 addresses from?
Is it from the NIS logs? (Please post the relevant firewall log if possible.)

When I checked the first IP, 63.140.61.13, with tcpiputils (I usually use their resources to get details about IPs in question), I found nothing suspicious.
See the result:
http://www.tcpiputils.com/browse/ip-address/63.140.61.13

Update us regarding this...
regards, CV | There is no ONE TOUCH KEY to security. Be alert and vigilant. | Always have a Backup Plan!
