Receiving the following error repeatedly - HTTP Malicious Toolkit Download Activity


You may have seen my post regarding a similar issue. However, my “attack” happened just once and was noted as a medium risk. Mine happened about 4:33pm central US time. What time did yours start?

I did see your post and you were one of the guys I was referring to in my post. Mine happened at 4:14 PM Central US time, so almost the same time as yours. The times and dates are way too coincidental... It is for this reason that I think it has to do with an update from Norton or Windows. We really need the powers that be to investigate...


You said that your error only happened once. Was it while browsing a particular website, and if so, can you remember which site? My suspicions are as follows:


My error is caused by a script built into my websites which sends data to Google Analytics for the purpose of tracking usage stats. This is all harmless, above-board stuff and not a malicious script in any way. In fact, it is used in the exact form as provided by Google for developers. If you were browsing a website that also has a similar script embedded, maybe not to send data to Google, but maybe gathering any other data about you as the user and sending it to their own site or a third-party site, it could be producing the same error as mine.


I hope Tony or someone from Norton will be able to help us on this as soon as possible, as I am taking huge strain here at the moment.

Actually I was not on the computer when it happened. My wife was. I'm not sure what she was browsing. I can't ask, because she thinks I'm too paranoid about this stuff :), which I probably am. However, I know she likes to go to bigfishgames.com a lot. I also noticed that later that evening, at about 8:40pm, I received a new Internet worm protection file:

Signature file 20080711.001

Internet worm protection engine 4.0.1.80.206


I'm thinking that either there was a major attack that compromised Norton products, or that it's some type of major false positive.

I just use a little home PC and am not running a server or anything. I'm also not computer savvy, so I'm sorry for not presenting information properly.


I am getting the creeps though that maybe something is sitting on my computer and using it without my knowledge. I have nothing to substantiate that though.

Also, the site that it said I was trying to "intrude" on was 68.142.213.132 (port 80)

Which is us.bc.yahoo.com

I don't think you have anything to worry about. I think it is more likely to be a false positive rather than something sitting on our computers. The problem though is that it is compromising my websites which are being used by hundreds of subscribers, and they will be getting very nervous when they see anything about attacking computers etc popping up.


Let's wait until the administrator or moderator responds and see what they have to say. Thanks for your input though.

Sure. They seem to be very quick to respond, which is nice. So you think it might be some type of false positive?

africanChild,


Thanks for your post. The alert, HTTP Malicious Toolkit Download Activity, you are seeing is associated with drive-by downloads and the protection we have included in the Norton 2008 products. Today, drive-by downloads (malware being installed on a user's system without you having to do anything) from mainstream sites are increasing on a daily basis. Many of the sites that have been affected by SQL injection attacks, hosting malicious toolkits such as NeoSploit, or injected iframes that lead to malicious sites, may trigger this alert. If you see this alert, Norton has protected you from the drive-by download.


Can you confirm the last time you did a LiveUpdate?


Is your website located in Asia or Australia? The 202.xx.xx.xxx Internet registry space is assigned to the Pacific Rim and APNIC, the Asia Pacific Network Information Centre.


I am seeing two separate issues here.


1) There are many malicious domains that are similar to the one you listed in your post, but a few characters have been switched (typos on purpose). Can you send me a PM (don't post the URL here in the forum) to confirm the exact URL/address being reported? A screenshot would be ideal. One note: never visit the domains/URLs that are listed in the alert!


2) The fact that your computer is listed as the attacking computer is an issue that we had previously updated in the field. We incorrectly have switched data in the display fields for Attacking and Destination. Can you run LiveUpdate and see if this still occurs?


Thanks,

John

"Doctor Drive-By"

Symantec Security Response


Hi John,


First of all, thank you for taking the time to respond to my post.


Re: Your explanation of drive-by downloads - So would you say that hackers these days have a way of "injecting" or adding malicious scripts into an existing site that does not belong to them by hacking into the SQL databases? Is it therefore possible that my own sites that I have built myself now have malicious code in them which has not been added by myself? Or do you mean that there are malicious websites out there that embed malicious scripts onto users' computers, which then try to connect back to the "mothership" when online? Please excuse my ignorance, but I need to understand the nature of the beast.


  1. The last time I did a LiveUpdate was just before posting yesterday, and then a few times before that. I have also just done one as requested by you, but it said that my definitions are up to date and skipped downloading and installing new updates.
  2. I am still getting the same error when browsing my weblogs. The attacking and destination fields are still switched on my system, even after running LiveUpdate, i.e. my computer is listed as the attacking computer and Google Analytics is the destination address. How can I force my Norton to download the new updates?
  3. My websites are hosted in the USA on Linux servers. The 202 XXXXX you are referring to is part of the google-analytics.com IP address given in the error report. This is the destination address according to the Norton report.
  4. The destination address in the error report is the same as the google-analytics address in my script I have embedded into my websites. The full URL in my script is the reported URL plus urchin.js, which is the program that processes the tracking data for Google Analytics. Are you sure you guys aren't picking up a harmless Google tracker as malicious by mistake? It never used to be a problem. I will send you a screenshot.

Please try to answer all my questions so I can get a better understanding of how this works, and how we can fix it.


Thanking you kindly.


Regards

africanChild

John, how does your response to African Child pertain to my issue? Or should I post my issue separately?

To John-


Here is my post (title of my post) of my issue, if perhaps you or someone from Symantec/Norton can take a look at it.


My computer attacking a web address?

For more information on how the hackers are injecting their code into other websites, take a look at the Symantec Internet Security Threat Report. Here is a quick quote: "Site-specific vulnerabilities affect custom or proprietary web-site code. These vulnerabilities are a concern because they allow attackers to compromise specific web-sites, which can then be used to launch subsequent attacks."


1. Thanks for providing the update on your LiveUpdate.

2. We will re-investigate the issue with the attack direction being switched. Thanks for that information. Don't worry about new updates at this time.

3/4. We haven't seen this signature trigger with any Google urchin traffic before. Can you send me the screenshot and URL of your site via PM and I will take a look.


Thanks,
John


ps - NY1986, thanks for opening a separate thread on your issue


Looks like from the second PM you were able to solve it and were protected by Norton from the drive-by download! Unfortunately it looks like your site fell to the SQL injection attacks, but I am glad you were able to find it. Those domains that sound or look like common brand names are quite a problem.


There are a couple of sites I use to keep an eye on the latest domains hosting potentially malicious code. PM me if you want some of these sites.


Microsoft has a few papers that have some good tips and info for webmasters on protecting your sites. You can check that out here: Microsoft Developers article on SQL injection


Here is another article in The Register that talks about tips for webmasters: SQL injection tools


Let me know if you have any other problems.

John

"Doctor Drive-By"

Symantec Security Response

Message Edited by John_Harrison on 07-17-2008 06:34 PM

John, thanks for answering all my questions and for the advice you have offered and the reference links regarding SQL injection.


I can confirm that my websites were victims of SQL injection. An encrypted script was appended to all my JavaScript files in my websites, which resolved to a URL of a spoof website that seems to mislead one into believing they are on the Google homepage. We still don't know what this page does, but I can confirm that Norton Internet Security protected me from the site. I am just worried about my users that don't have protection software, although I haven't had any complaints yet.


I can also confirm that there is no problem with Norton triggering on the Google Urchin, so no need for me to send you a screenshot. As I mentioned, this was a spoof site misleading one to think it was connecting to Google Analytics. To all developers out there, don't make the same mistake as I did; look at the destination site URL closely, as they are misleading.


I informed my hosting company of what I had found in my website files, and they confirmed that one of their hosting accounts which shares the same server as my sites had been compromised. The end effect is that a shell script was probably executed on the server, injecting malicious script into all .js files it could find. They have removed all traces of the script and taken measures to prevent this from happening again.


NY1986 - I would guess that your wife visited a website which had fallen prey to a similar case of SQL injection and Norton was doing its job of blocking it from executing. Hopefully those webmasters have found the problem and fixed it. You should be fine as long as your Norton is kept up to date.


Again, thank you for your time John.

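Two things said in this thread can be turned into a simple webmaster-side check: John's note that the malicious domains usually differ from the real one by a few switched characters, and africanChild's finding that an obfuscated script pointing at a spoofed Google Analytics host had been appended to every .js file on the server. The script below is an added example, not code from the thread, from Symantec or from Google; the allow-listed hosts, the brand list, the similarity threshold, the long-line limit and the two sample files are all assumptions or constructed data. It flags hostnames that imitate a known brand (swapped characters in the registrable label, or the brand name reused as a label of an unrelated domain), the eval/unescape style constructs that appended payloads rely on, and unusually long lines.

```python
import os
import re
from difflib import SequenceMatcher

# Hosts this site is expected to load scripts from (assumption: adjust for your site).
TRUSTED_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}

# Brand domains whose names attackers imitate, either by switching a few
# characters or by embedding the name as a label of a domain they control.
BRAND_DOMAINS = ["google-analytics.com", "google.com"]

# Hostname of any absolute or protocol-relative URL found in the file.
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.IGNORECASE)

# Constructs that appended obfuscated loaders typically rely on.
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape)\s*\(|String\.fromCharCode")

LONG_LINE = 400  # hand-written site code rarely has lines this long (assumed limit)


def classify_host(host):
    """Return 'trusted', 'brand-unlisted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return "trusted"
    labels = host.split(".")
    for brand in BRAND_DOMAINS:
        brand_label = brand.split(".")[0]
        if host == brand or host.endswith("." + brand):
            return "brand-unlisted"  # genuinely the brand's domain, just not allow-listed
        if brand_label in labels:
            return "lookalike"  # brand name reused as a label of an unrelated domain
        if len(labels) >= 2 and SequenceMatcher(None, labels[-2], brand_label).ratio() >= 0.8:
            return "lookalike"  # a few characters switched in the registrable label
    return "unknown"


def scan_js(text):
    """Scan one file's contents; returns host classifications and a list of findings."""
    hosts = {h.lower(): classify_host(h) for h in URL_RE.findall(text)}
    flags = [f"lookalike host: {h}" for h, c in hosts.items() if c == "lookalike"]
    flags += [f"obfuscation construct: {m.group(0)}" for m in OBFUSCATION_RE.finditer(text)]
    if any(len(line) > LONG_LINE for line in text.splitlines()):
        flags.append("unusually long line (possible appended payload)")
    return {"hosts": hosts, "flags": flags}


def scan_tree(root, suffixes=(".js", ".html", ".htm")):
    """Walk a web root and return {path: findings} for every file with a finding."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_js(fh.read())
                if found["flags"]:
                    results[path] = found
    return results


# Constructed samples (not files from the thread): a clean tracker snippet, and the
# same file with a look-alike host and an obfuscated loader appended to it.
CLEAN_JS = """// constructed sample: site code plus the legitimate urchin tracker
function showMenu(id) { document.getElementById(id).style.display = 'block'; }
var urchinSrc = "http://www.google-analytics.com/urchin.js";
"""

INJECTED_JS = CLEAN_JS + """
document.write('<script src="http://www.google-analytlcs.example/urchin.js"></script>');
eval(unescape(_0x));
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_JS), ("injected", INJECTED_JS)):
        print(label, scan_js(sample)["flags"])
```

Run `scan_tree("/path/to/webroot")` against a copy of the site files to get a per-file list of findings; the clean sample produces no flags, while the injected sample is flagged for the look-alike host and for the eval/unescape loader. The host check is deliberately allow-list based: anything that is not on the trusted list is reported by category, so a new third-party script host shows up as "unknown" rather than being silently accepted.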