My computer attacking a web address?


I use NAV 2008 on Vista Home Premium OS

On Friday 7/11/08 at 4:55pm Dallas, Texas time, I received the following notification from my NAV2008:

INTRUSION ATTEMPT

Risk Level Medium Default action: Blocked Action taken: Blocked

HTTP IIS HTR ISAPI BO

(My Computer) 52888 attempted intrusion on

Destination address: xxx.xxx.xx.xxx (8)

Traffic Description: TCP 52888

 

So my questions are:

1. Why would my Norton AV 2008 notice and block an intrusion attempt by my computer via this HTTP IIS HTR ISAPI BO, but then not have blocked this from getting on my computer to begin with?

2. When I run a full system NAV 2008 scan on my computer, it does not detect any virus, spyware, etc.

[EDIT: IP removed from post, but still available by contacting the Administrator]

Message Edited by Tony_Weiss on 07-18-2008 07:43 PM

When I google HTTP IIS HTR ISAPI BO, I get this (http://www.symantec.com/avcenter/attack_sigs/s20426.html):

I'm not running a server, just a little old home PC. What's odd is it happened only once.

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects buffer overflow attempts that exploit the IIS ISAPI HTR extension vulnerability.

Additional Information

A buffer overflow in the HTR ISAPI extension has been reported for the Microsoft Internet Information Services (IIS).

Active Server Pages (ASP) has superseded HTR, which is a scripting technology for IIS. A condition exists in the HTR ISAPI extension that may enable a remote attacker to send a number of malformed requests, which can overwrite locations in memory with attacker-supplied data.
This condition affects IIS 4.0 and IIS 5.0. Disabling the extension may effectively mitigate this condition.
Exploiting this vulnerability may result in a Denial of Service or allow for a remote attacker to execute arbitrary instructions on the victim host.
Note: The BugTraq ID is an individual vulnerability entry to follow up on the aggregated Multiple Remote IIS Vulnerabilities alert released by SecurityFocus.
This vulnerability has affected some Cisco products, although this issue is not present in the Cisco products themselves.

Are you able to download and install the patch?

would I have to install a patch in this regard since I am not running a server?

I noticed this response in another post similar to mine

2) The fact that your computer is listed as the attacking computer is an issue that we had previously updated in the field. We incorrectly have switched data in the display fields for Attacking and Destination. Can you run LiveUpdate and see if this still occurs?

Thanks,

John

"Doctor Drive-By"

Symantec Security Response

Any possibility that John from Symantec can look at my info to see if the same holds true?

Thanks for posting a separate thread on this.

Do you know if you were doing anything/web browsing when the alert occurred?

I will take a closer look. That could be related to the issue we were seeing with the direction switched. Generally this type of alert is seen from an attacker/infected system attacking you. Norton is protecting you from this type of attack. We still see lots of probes or attempted attacks for issues which systems are not vulnerable to.

I will follow-up shortly.

Thanks,
John

"Doctor Drive-By"

Symantec Security Response
Message Edited by John_Harrison on 07-17-2008 04:09 PM

Thanks John. My wife was on the internet at the time and she does not recall. In fact she thinks that I'm too worried about such things, which is probably true. So you are saying that this reading should really be reversed, that it wasn't my PC that was attacking this site, but this site that attempted to attack my PC? And then NAV2008 blocked it? (Hurrah!!!)

I have gone back to the notification and it still shows that MY PC was attacking. But I guess that it wouldn't change that entry then, but subsequent ones.

I think the site that attacked was a Yahoo site. I guess it could have been compromised (the Yahoo site I mean)?

John, I'll await your response

John, I think this was the address that my computer was attacking, or if it was reversed, was attacking my computer:

xxx.xxx.xxx.xxx (8)

But it sounds like, given the fact that my scans come up clean, that it most likely was a reversed notification and that this site attempted intrusion on my PC but was blocked?

[EDIT: IP removed from post, but still available by contacting the Administrator]

Message Edited by Tony_Weiss on 07-18-2008 07:42 PM

John (or any Norton/Symantec person)  can I get some more feedback?

Also, sorry to post the address. New to all this.

Oh and I think the port was 80 and not 8 as I had noted in error

Thanks for the update on the port number.

I am still waiting for an update from my team and will post today.

Thanks,
John

I have an update from our team that this protection we included isn't applicable to Windows Vista or Windows XP SP2/3, and we are removing the signature from the Norton 2008 product. The direction was also incorrect.

Thanks for identifying that and bringing it to our attention.
Let us know if you have any additional questions or issues.

Thanks,

Doctor Drive-By

Symantec Security Response

Message Edited by John_Harrison on 07-21-2008 06:40 PM

John, not sure I understand. What does this mean? Does it mean that I was attacked by a drive-by download but Norton defended?

It means that you probably were not attacked by a drive-by download.   The vulnerability protection that the signature provided isn't relevant or useful either so we have removed it.

Thanks,

John

so it was just some type of false positive?

Thanks John. I hate to beat a dead horse

But

So does this mean that because the item was not pertinent to Vista SP1 operating systems, it falsely indicated that this happened because there was some piece or part of an item that triggered this report? Don't get me wrong, I can live with errors that stem from over-reporting rather than under-reporting.

In addition, does it mean with a good possibility that there is not an instance of

HTTP IIS HTR ISAPI BO

sitting on my computer and attempting to access others? I run full system scans and update NAV defs every 4 hours.

Sorry to sound so dense with all this, but I have limited to nil computer knowledge

Too many different threads to keep up with.

It could mean that we falsely triggered. Without more information it is hard to tell. The alert "HTTP IIS HTR ISAPI BO" is related to an old IIS 4 and 5 vulnerability in Windows 2000 systems. If you really want to know, you can check out the SecurityFocus BID information here. It is a pretty old vulnerability. Vista is not vulnerable to that, so you can ignore any alerts related to that. We went ahead and pulled the signature out of the 2008 products since no vulnerable OSes can run these versions of Norton.

I also have confirmation that any of the switched direction issues should have been resolved at this time. If not, please open a new thread.
Final note - there should be nothing to worry about on your computer related to this!


Feel free to PM or post with any other questions.

Thanks!
Doctor Drive-By
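As an added illustration (not code from the thread, from Norton or from Symantec), here is a small triage helper that parses the notification format quoted above and applies the two points John makes: the signature covers an IIS 4.0/5.0 flaw on Windows 2000 hosts, and the Attacking/Destination labels were swapped, so the script judges which side opened the TCP connection from the port numbers instead of trusting the labels. The scope table, the ephemeral-port threshold and the sample alert text are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the NAV 2008 notification quoted in the thread
# (IP masked as in the post; remote port set to 80 per the follow-up message).
SAMPLE_ALERT = """INTRUSION ATTEMPT
Risk Level Medium Default action: Blocked Action taken: Blocked
HTTP IIS HTR ISAPI BO
(My Computer) 52888 attempted intrusion on
Destination address: xxx.xxx.xx.xxx (80)
Traffic Description: TCP 52888"""

# Assumed scope table built from what Symantec states in the thread:
# the signature covers an IIS 4.0/5.0 flaw on Windows 2000 hosts.
SIGNATURE_SCOPE = {
    "HTTP IIS HTR ISAPI BO": {"os": {"Windows 2000"}, "service": {"IIS 4.0", "IIS 5.0"}},
}

@dataclass
class Alert:
    signature: str
    action: str
    local_port: int
    remote_port: int

def parse_alert(text: str) -> Alert:
    """Pull the fields a triage decision needs out of the notification text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    action = re.search(r"Action taken: (\w+)", lines[1]).group(1)
    local_port = int(re.match(r"\(My Computer\) (\d+) ", lines[3]).group(1))
    remote_port = int(re.search(r"\((\d+)\)$", lines[4]).group(1))
    return Alert(lines[2], action, local_port, remote_port)

def connection_initiator(alert: Alert) -> str:
    """Which side opened the TCP connection, judged from the ports alone (assumed
    ephemeral range 49152+). The initiator is not necessarily the attacker: a hostile
    server response travels over a connection the client opened."""
    if alert.local_port >= 49152 and alert.remote_port < 1024:
        return "local host (client)"
    return "undetermined"

def triage(alert: Alert, host_os: str, host_services: set) -> str:
    """Classify the alert against what the local host actually runs."""
    scope = SIGNATURE_SCOPE.get(alert.signature)
    if scope is None:
        return "unknown signature: investigate"
    if host_os not in scope["os"] and not (host_services & scope["service"]):
        return "not applicable: host is outside the signature's vulnerable set; informational only"
    return "applicable: host may be vulnerable; confirm patch level"
```

For the poster's Vista home PC with no IIS installed, `triage(parse_alert(SAMPLE_ALERT), "Windows Vista", set())` returns the "not applicable" verdict, which is the same conclusion Symantec reached.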

It said attempted. Maybe it is some sort of update?