Hi all,
Since yesterday, Norton's been blocking the following attack every single time I log on - same attacking IP, different URLs. I don't know if that means Blackhole has injected itself into one of the Iframe ads on Yahoo, but that's my homepage, and I've been getting them within minutes of signing on every single time for the past couple of days. (There are some reports that Adsense ads are being targeted on Google's website, so that indeed might be the case.)
I guess there might be an underlying infection/rootkit that's instructing the computer to dial out to this IP, and I want to double-check to make sure that's not the case.
Here's the IPS statistical submission info for it:
Category: Norton Community Watch
Date & Time,Risk,Activity,Status,Recommended Action,Date Updated,Submitted By,Description
Submission Details
5/25/2011 2:19 PM,Info,IPS Detection Statistical Submission,Submitted,No Action Required,"Wednesday, May 25, 2011 2:19 PM",Norton Internet Security,IPS Detection Statistical Submission

Signature ID: 24092
Local or Remote Attacker: 2
Remote Port: 80
Local Port: 49438
Protocol: 6
Signature Set Version: 20110518.001
Application Name: \DEVICE\HARDDISKVOLUME2\USERS\MELISSA\APPDATA\LOCAL\GOOGLE\CHROME\APPLICATION\CHROME.EXE
Offending URL: (Redacted for the safety of others, but they're from the same Czechoslovakian .com)
Date Detected: Wed, 25 May 2011 18:19:09 GMT
Application File Checksum: CBE930A1D7EFF7F1A6794D195E9B3E19
Application File Information: 0.0.0.0
Network Data
Sub-signature ID: 66060
Remote Address: 193.105.154.238
OS-Country:1
OS-Language:English
Processor:AMD64 Family 16 Model 6 Stepping 3
System:Windows 7 build 7601 Service Pack 1
Platform-GUID:7787E638-91EC-11DF-9544-C80AA996553E
DateSubmitted:Wed, 25 May 2011 18:19:12 GMT
Product:Norton Internet Security 18.6.0.29