Computer Attacks


For both of your issues, I need to know the exact attack that is being detected. Remote and local port information could be useful as well.

Also too, if your Norton shows it is blocking it, that's a good thing.

I had this problem too. It appeared when I got connected in the internet of my house and the internet of my university (only once there).

I solved it by restoring my computer (re-installing Windows and everything; I didn't restore it for that alert but anyhow it stopped appearing).

 

Now the alerts I get are like "Your firewall is disabled", "Your antivirus is disabled" etc. And I always have in my windows bar close to the clock, a symbol like a red X saying "The service Security Center is disabled". Even though my firewall and antivirus seem to be OK and working good.

 

Does anyone else have this problem?

Every ten minutes I get a message saying "an intrusion by DINA was blocked" and it gives the same IP address for the computer. It's annoying. Is there any way to stop this or report the offender? Excuse my ignorance.

Hi, as you say this is why I joined the forums. Recently we have started to be hit daily by intrusion attempts from multiple sources. Something seems to know when the PCs are online and then the fun begins. Also reading through some of the other posts a lot of people are having similar problems. I think we got infected by a misleading application site on a newly reformatted laptop that was not yet updated for security and since then there has been nothing but trouble. The gremlin spreads from one PC to another undetected and seems to call down other nasties at will, also all three of our main virus protection programs are missing it. Norton is the only one picking up traces of low risk activity but then the Norton history logs change and we are left hunting through the bits. I think the intrusion attempts are initiated by our PC and are attempts to send collected information but thankfully Norton AV blocks these. The other programs don't seem to notice any intrusions except attacks by worms mainly hellkern or some such. Even scans in safe mode do not detect any threats. I would just erase the drives again but I am interested in finding the hidden bug. One low risk file was allowed through but then the history log showed it change its name and execute changes to protected start up files, then just disappear. Hopefully I am just imagining things but when stuff like Automatic updates gets turned off and other buttons grey out I have to ask myself the question. What is doing this? I think I have bits of a file in quarantine that I might try to submit.

Until the Norton Staffer who has already Posted here gets back to you, I would suggest doing the following:

 

- Go to the N.AV/N.I.S. Options > Firewall > Trust Control > Enter the I.P.(s) [computer(s)] that has been detected by Norton, which you will find in your Logs.

- Next, Block the Port(s) that it is using if your computer does not use these for any Applications.  To do this, under Firewall: Advanced > Configure > Add > Block > Next > To and from other computers > Next > Any computer > Next > Select the Protocol; you may have to do this a few times depending on if it is the same Protocol; then Select "only communications that match all types and ports listed below" > Add > Individually specified ports; enter the Port numbers; if it is an Attack in-bound, select Local; if it is an Attack out-bound, select Remote, although it will most likely be Local > When done, Click "Ok" > When done, click "Next" > If you want to receive a prompt each time Norton Blocks the Port(s), Check the box > Next > Name the Rule, e.g. Firewall Rule T.C.P. 2200 > When done, Click "Next" > That is you done!  Please follow these instructions exactly, otherwise, you may weaken your Firewall.


3000DEG wrote:
Hi, as you say this is why I joined the forums. Recently we have started to be hit daily by intrusion attempts from multiple sources. Something seems to know when the PCs are online and then the fun begins. Also reading through some of the other posts a lot of people are having similar problems. I think we got infected by a misleading application site on a newly reformatted laptop that was not yet updated for security and since then there has been nothing but trouble. The gremlin spreads from one PC to another undetected and seems to call down other nasties at will, also all three of our main virus protection programs are missing it. Norton is the only one picking up traces of low risk activity but then the Norton history logs change and we are left hunting through the bits. I think the intrusion attempts are initiated by our PC and are attempts to send collected information but thankfully Norton AV blocks these. The other programs don't seem to notice any intrusions except attacks by worms mainly hellkern or some such. Even scans in safe mode do not detect any threats. I would just erase the drives again but I am interested in finding the hidden bug. One low risk file was allowed through but then the history log showed it change its name and execute changes to protected start up files, then just disappear. Hopefully I am just imagining things but when stuff like Automatic updates gets turned off and other buttons grey out I have to ask myself the question. What is doing this? I think I have bits of a file in quarantine that I might try to submit.

 

If you have other Security Products apart from Norton installed on your computer, Remove them a.s.a.p. as your computer will become more prone to Attack and infections as there will be clashes.

If you think the program is a useful one, you can get rid of these alerts by performing the following steps.

 

 For NIS 2008.

 

Open Norton product > Click on Norton Internet Security tab > Settings > Norton Internet Security options > on the left pane, Intrusion prevention > Signature exclusions.

 

In the Signature exclusions window you can see the attack name, uncheck it, click on Apply, OK.

 

If it is NAV 2008, go to Norton Antivirus options > on the left pane, Internet worm protection > Configure > then uncheck the attack name.

I've been trying to respond to this thread for a couple of weeks but I get the warning and I lose my connection. I finally thought to type the response and paste it here. This is the message that I've been receiving. As you can see there are different IP's and Ports with each warning. I will only list a few of the IPs and Ports.

Norton Internet Worm Protection
has detected and blocked an
intrusion attempt

Intrusion: Portscan
Intruder IP: (my ip address)(domain(53))
Risk Level: Medium
Protocol: UDP
Attacked IP: User-(user IDfor my computer) [REMOVED]
Attacked Port: 50380;52334;50853;50448;51909;64830;53041;52334;55896;60151;1042;53041;60302

 

[edit: removed IP addresses from post. Please use caution when posting your personal information.]

 

Message Edited by Tony_Weiss on 09-02-2008 09:04 PM

Hi,

 

If you can find out the name of the attacks from the History, then it will be easier to get rid of those pop ups. Still we can try by creating a firewall rule with these port numbers and IP addresses.

 

Please check the link Firewall rule and then try to create a rule adding the IP addresses and port numbers. You can do this individually for the IP address and for the port numbers.

Thank you for your feedback.  I will read the link provided.  My confusion is why I get these messages.  Of note, my recent post was edited removing the IP addresses under "Attacked IP".  I didn't think that was my IP.  The IP of my dsl modem shows under "intruder IP" which I did edit.  When I first started getting these warnings it was just one IP listed as "attacked IP" and I added that to the exclusions list.  I still got those warnings but with different IPs.

 

I'm confused why the IP of my dsl modem shows up as an "intruder IP" and I get all these different IPs and ports showing up as being the attacked IPs and ports.

ReneeM, I suspect that this occurs on certain web pages that reference multiple sites. It is a false positive detection. The rules for treating trusted computers have changed over the years but putting your modem into the trusted zone  may help to remove this, or, you can just ignore these DNS port scans from your modem.

I have this same problem too. Reese had explained to me about the multiple site false positive thing and has put my mind at ease. I still get these once in awhile when I open several browser windows. But I have been able to not worry about it. In fact it puts my mind at ease knowing that my NAV2008 is on the job.


ReneeM wrote:

...Of note, my recent post was edited removing the IP addresses under "Attacked IP".  I didn't think that was my IP.  The IP of my dsl modem shows under "intruder IP" which I did edit.....


Hi ReneeM:

 

To clarify, we remove or break all IP addresses found in posts.  The exception (IP addresses that are left alone) are those within a local network address range such as 192.168.x.x or 10.10.x.x that do not provide any type of identification.

 

 

The problem I have with creating a rule with the IP addresses and port number is with each warning it lists a different IP address and port.  I have over 20 different IP addresses and ports listed.  When I first started getting these warnings I created a rule with an IP range (xxx.0.0.0 to xxx.255.255.255).  My next warnings listed different IP addresses.  The ports are always different.

 

This just started within the last month.  I don't know what happened to make this start.  My concern is that I have something malicious in my system that is attempting to launch.

 

The only way I'm able to access the internet is if I disable the worm protection and I know this isn't safe.

For the example you provided, the attacker was your dsl modem. The rules should be set up to allow a remote address of your modem and not specify any local address. If you are seeing different remote addresses then something else is going on.

This is exactly what's happening.  My DSL's IP is listed as the attacking IP.  I looked in my rules and that IP address is listed as "permitted" although it shows up as a range(00.00 to 255.255) along with 2 other IP's also listed with ranges.  I just went to whatismyipaddress.com and the address given is very close to the address given in the "attacked ip" section of the warning.  It's possible that all these different IP addresses are in fact mine.  I thought my IP address was the same as my DSL's modem address.  I also thought I would have a static IP address if I was using DSL.

 

This is a sample of one hour from my computer. This is a cycle.  As soon as the time has elapsed and my computer is unlocked I get another alert within a few minutes.  I copied this from the log file in NAV:

 

9/4/2008 10:38:26 AM,Intrusion: Portscan.,"Intrusion: Portscan.  Intruder: *DSL IP*(domain(53)).   Risk Level: Medium.  Protocol: UDP.  Attacked IP: XX.XXX.XX.XX.  Attacked Port: 49XXX."
9/4/2008 10:38:26 AM,Intrusion detected and blocked. All communication with *DSL IP* will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with *DSL IP* will be blocked for 30 minutes.

 

9/4/2008 10:06:25 AM,Intrusion: Portscan.,"Intrusion: Portscan.  Intruder: *DSL IP*(domain(53)).   Risk Level: Medium.  Protocol: UDP.  Attacked IP: XX.XXX.XX.XX.  Attacked Port: 53XXX."
9/4/2008 10:06:25 AM,Intrusion detected and blocked. All communication with *DSL IP* will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with *DSL IP* will be blocked for 30 minutes.

 

9/4/2008 9:29:19 AM,Intrusion detected and blocked. All communication with *DSL IP* will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with *DSL IP* will be blocked for 30 minutes.
9/4/2008 9:29:19 AM,Intrusion: Portscan.,"Intrusion: Portscan.  Intruder: *DSL IP*(domain(53)).   Risk Level: Medium.  Protocol: UDP.  Attacked IP: XX.XXX.XX.XX.  Attacked Port: 57XXX."
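
A triage sketch for log lines like the ones in the post above, added here as an example and not taken from the thread or from Norton: it parses the CSV rows, checks whether each Portscan alert has the shape of ordinary DNS replies (UDP from port 53 of a resolver you configured, to unprivileged client ports), and measures the gap between alerts against the 30-minute block. The sample rows, addresses, ports and function names are constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample in the same CSV layout as the NAV log lines quoted above.
# Addresses are documentation-range placeholders and the ports are made up.
SAMPLE_LOG = '''\
9/4/2008 10:38:26 AM,Intrusion: Portscan.,"Intrusion: Portscan.  Intruder: 192.0.2.1(domain(53)).   Risk Level: Medium.  Protocol: UDP.  Attacked IP: 198.51.100.7.  Attacked Port: 49731."
9/4/2008 10:38:26 AM,Intrusion detected and blocked. All communication with 192.0.2.1 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 192.0.2.1 will be blocked for 30 minutes.
9/4/2008 10:06:25 AM,Intrusion: Portscan.,"Intrusion: Portscan.  Intruder: 192.0.2.1(domain(53)).   Risk Level: Medium.  Protocol: UDP.  Attacked IP: 198.51.100.7.  Attacked Port: 53118."
9/4/2008 9:29:19 AM,Intrusion: Portscan.,"Intrusion: Portscan.  Intruder: 192.0.2.1(domain(53)).   Risk Level: Medium.  Protocol: UDP.  Attacked IP: 198.51.100.7.  Attacked Port: 57012;57440."
'''

DETAIL = re.compile(
    r"Intruder: (?P<src>[\d.]+)\((?P<svc>\w+)\((?P<sport>\d+)\)\)\.\s+"
    r"Risk Level: (?P<risk>\w+)\.\s+Protocol: (?P<proto>\w+)\.\s+"
    r"Attacked IP: (?P<dst>[\d.]+)\.\s+Attacked Port: (?P<dports>[\d;]+)\."
)

def parse_alerts(text):
    """Return one dict per Portscan row, oldest first; block notices are skipped."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        m = DETAIL.search(row[2]) if len(row) >= 3 else None
        if m:
            a = m.groupdict()
            a["time"] = datetime.strptime(row[0], "%m/%d/%Y %I:%M:%S %p")
            a["sport"] = int(a["sport"])
            a["dports"] = [int(p) for p in a["dports"].split(";")]
            alerts.append(a)
    return sorted(alerts, key=lambda a: a["time"])

def looks_like_dns_reply(alert, resolvers):
    """UDP from port 53 of a resolver you configured, to unprivileged client ports.
    Source ports are chosen by the sender, so the resolver check carries the weight."""
    return (alert["proto"] == "UDP" and alert["sport"] == 53
            and alert["src"] in resolvers
            and all(p >= 1024 for p in alert["dports"]))

def gaps_seconds(alerts):
    """Seconds between consecutive alerts, to compare with the 30-minute block."""
    times = [a["time"] for a in alerts]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for a in alerts:
        print(a["time"], a["src"], a["dports"], looks_like_dns_reply(a, {"192.0.2.1"}))
    print(gaps_seconds(alerts))
```

Alerts that fail the check (a source address that is not your modem or configured DNS server, a protocol other than UDP, or a destination port below 1024) are the ones worth a closer look.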

Have you tried to put your DSL's IP in the trusted zone? Having a rule to allow doesn't prevent detecting intrusions but putting it in the trusted zone may.

 

P.S. If adding your DSL's IP to the trusted zone doesn't solve the problem, you probably will have to disable the portscan signature.

Message Edited by reese_anschultz on 09-04-2008 04:51 PM

ReneeM, can you also tell me what operating system you’re using?