
ATTACKED IP from Google on TP

harvey
Join Date: Sep 2000
Posts: 1550 Moravia, NY

2005-03-17          108159


Dennis or others, My intrusion software just started getting hit, the past 2 days, from:

pagead2.googlesyndication.com(64.233.167.99) (http80).

Is anyone else seeing this?

I also show it's an attack by a computer on my network. I'm not networked, yet. With the conflicting info I am reluctant to disable the warning. I get warned every time I click on a topic or move to and from previous in the topic section. I am not too concerned about a malicious attack from TP but with the stuff happening I try to be very careful.

Is google just trying to see what I read or have you (Dennis) installed a new monitoring system?

TIA Harvey





DennisCTB
Join Date: Nov 1998
Posts: 2707 NorthWest NJ

2005-03-17          108162


Harvey I noticed a huge spike in site hits that I was investigating yesterday, hopefully just seasonal increase in volume. Can you send me a PM on this and info on the SW you are using, I need to track this down.

Update 3/20/2005:

I checked my log files and I do not see any irregularities.

Dennis ....


harvey
Join Date: Sep 2000
Posts: 1550 Moravia, NY

2005-03-18          108204


Dennis, I'm using Norton Internet Security. It updates daily.

The Security alert shows:

Intrusion: HTTP_ActivePerl_Overflow
Intruder: 0.0.0.0(3316)
Risk Level: Medium
Protocol: TCP.
Attacked IP: pagead2.googlesyndication.com(64.233.16...
Attacked Port:http(80)

I have looked at the scenarios and this could be a networked PC, but I do not have one, so it may be a computer trying to spoof the address.

Hell I don't know. I do wear glasses but I do not have a pocket protector yet! ;-0

The biggest RED FLAG is the address with part of an IP address.

I can call you or try to do this e-mail. You have my E-mail address.

Thanks Dennis
....


harvey
Join Date: Sep 2000
Posts: 1550 Moravia, NY

2005-03-18          108205



Dennis more of the info...













© 1995-2005 Symantec Corporation. All rights reserved.


HTTP_ActivePerl_Overflow
Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Attack Category: Suspicious Activity

Anomalous network conditions or traffic patterns. A suspicious activity signature, for example, might detect two systems with identical IP addresses, a condition that indicates an attempted IP spoofing attack.

Description

Older versions of ActivePerl on Windows have a buffer overflow vulnerability. An attacker can exploit this vulnerability to execute arbitrary code at the privilege level of the Web server process. This signature detects attempts to exploit the ActivePerl vulnerability through HTTP.

Links

CAN-2001-0815

BID 3526

Vulnerable Components

Activestate ActivePerl Version 5.6.1.629 and earlier on Windows

False Positive

This signature may not indicate malicious intent if ActivePerl versions other than those listed above are used or ActivePerl is not used at all. In this case, you can exclude this signature from monitoring.




....


denwood
Join Date: Jul 2004
Posts: 542 Quarryville PA

2005-03-19          108343


I got the same warnings today at work where our computer is better protected than at home. It was very annoying because it happened at least 5 times in 10 minutes. My home computer doesn't have the same protection so I don't know if it is happening here. ....


ksmmoto
Join Date: Jan 2004
Posts: 41 Central Lower Michigan

2005-03-19          108345


I got the same warnings above ActivePerl from my Norton Internet Security. Always between 10:30 pm and 12:30 am every night since Tuesday. Nothing yet tonight however. This is the time I have been on Tractor Point.

The Internet was very slow on 3/17/05, maybe going around. My Norton gave a warning that it updated for Immediate Threats.

ksmmoto ....


ksmmoto
Join Date: Jan 2004
Posts: 41 Central Lower Michigan

2005-03-19          108347


I just got hit! At 11:03 pm and 11:53 pm. I always get hit twice and then no more. I was on this site and others during that time.

ksmmoto ....


ksmmoto
Join Date: Jan 2004
Posts: 41 Central Lower Michigan

2005-03-19          108348


Change my last post! Just got a third hit. I am done for a while tonight on Tractor Point, but will be online. I will come back later and report if I get hit when I am not on TP.

ksmmoto ....


harvey
Join Date: Sep 2000
Posts: 1550 Moravia, NY

2005-03-20          108352


The best that I can come up with is: Google at IP 64.233.167.99 is trying to follow any and all posts we view and or their ad links.

It is frustrating that they are this persistent; however, I am going to keep them blocked.

3/16/200 was their first attempt at coming in the backdoor and they have been at it since on this site.

My software is set fairly secure so there are quite a few web sites that will not allow my visit.

Only very trusted sites will I allow cookies and or their backdooring into my PC. Currently I have 242 addresses that are allowed in the backdoor; most of those are multiple pages from the same web. Maybe I need to spend some time today reviewing them...

I trust TP (Dennis) but I do not trust Google (backdooring me) even if they do have the best search engine. ....


DennisCTB
Join Date: Nov 1998
Posts: 2707 NorthWest NJ

2005-03-20          108357


I have a request in to Google on this, and I am waiting for a reply.

Here is my theory on this, which is just conjecture at this point. The Google ads I have are what are called context sensitive ads. I think that these are not attacks on your desktops at all, rather what Google does in their script is try to review the TP page content before serving the context sensitive ads. Unfortunately all of the pages on Tractorpoint are dynamic content, there are almost no static content pages on the site. Therefore Google has to scan the pages each time. Now if you have some extremely sensitive SW on your PC you may be picking this up.

On my machine I have Norton with the latest virus files. And I do not see anything when I browse the site.

I will get back to you when I hear from Google, also to be able to analyze this more I will need some more info about any free SW you are using so that I can attempt to replicate the problem myself.

Dennis ....


harvey
Join Date: Sep 2000
Posts: 1550 Moravia, NY

2005-03-20          108358


Dennis, I'm running Norton Internet Security 2004 updated to 2005.

Security is: on
personal FW: on
Intrusion Detection: on
(notify me when ID blocks connection box checked)
(auto block is: on)
Block Traffic is: on
Privacy control is: on (medium)
Ad blocking is: on (default)

Sorry to be a pain but these just started 3/16. Either my setting got changed at that update or Google has changed their operation at that point.

....


DennisCTB
Join Date: Nov 1998
Posts: 2707 NorthWest NJ

2005-03-20          108370


Tractorpoint Operator Note:

Please DO NOT go out and install Symantec Internet Security 2005. Based on this report I made the fatal mistake of installing it on one of my backup machines that was working GREAT before the install. I am very &*%^*^(*^&&*^&* off at this point for doing what I intrinsically believed to be a mistake.

I was just trying to replicate Harvey's issue; now I have problems. I noticed during the install of the &^*&^*&^ SW that it was going in too many areas for my liking.

Now I am paying the price losing a lot of valuable data and time for *&*(&(*&*( darn it! Looks like I will be forced to rebuild the machine. BEWARE!!!!!!!

Dennis
....


bvance
Join Date: Jul 2004
Posts: 280 The Great Pacific NorthWet, Olympia, WA

2005-03-20          108379


Dennis,

I have been running Symantec Internet Security 2005 (and all of its predecessors) for the last 3 months or so and it has been working great.

I have been gone for a week and signed on to the internet and did my normal stuff for an hour or so and as soon as I signed on to Tractor Point, I also got the message of an attack. I have been on the internet for several hours since and as soon as I go back to TP, I get an attack....solution coming? ....


DennisCTB
Join Date: Nov 1998
Posts: 2707 NorthWest NJ

2005-03-20          108380


The fix as far as I can see is to disable the Symantec product. I can tell you now that I had to reinstall my operating system because of it (Norton Internet Security 2005). I will not be looking into this any further from that regard (i.e. installing that product anywhere).

....


DennisCTB
Join Date: Nov 1998
Posts: 2707 NorthWest NJ

2005-03-20          108381


From my perspective this is a false alert. If someone disagrees, exactly what, if anything, is happening to your PC from the supposed attack? ....


kwschumm
Join Date: Feb 2003
Posts: 5764 NW Oregon

2005-03-20          108382


I wouldn't install Symantec/Norton anything on my machines. They pollute the registry and waste too many clock cycles doing a mediocre job. Products have been written specifically to clean up after the mess they leave behind. Even uninstalling them can do bad things. Yech. ....


Chief
Join Date: Jul 2003
Posts: 4297 Southwest MiddleTennessee

2005-03-20          108384


Norton TOTALLY sucks! It will screw up the Windows INI files, not to mention it is nearly impossible to totally remove once installed. DO NOT use it! I did and paid the price too. ....


Casco1
Join Date: Aug 2004
Posts: 9 Eastern Mass.

2005-03-20          108385


Hey Guys, at the risk of sounding like a jerk, I had to chime in. Being a Macintosh user I'm curious, what's a virus? Sorry but I couldn't help that. Hope you get things straightened out. ....


kwschumm
Join Date: Feb 2003
Posts: 5764 NW Oregon

2005-03-20          108393


Yeah, Windows is pretty crappy. Nobody has written a virus on QNX either, which is what I develop on, but the application base is pretty small on that OS. Sort of like a Mac. ....


harvey
Join Date: Sep 2000
Posts: 1550 Moravia, NY

2005-03-20          108395


Sorry Dennis about your misfortune. I've used Norton for several years. It has never let me down. I do agree it does get into many places I may not need it. However that's, in my opinion, a cost of having too many people with too much time on their hands to write malicious code.

The 2005 version has been on my PC for over 6 months now so it's not 2005. It could be a daily update but I doubt it. It has something to do with Google looking in.

Google is a fine company I am sure, I think it is the best engine out there. But why all of a sudden do they need to see what we are looking at here?

What is a good quality security software?

....


kwschumm
Join Date: Feb 2003
Posts: 5764 NW Oregon

2005-03-20          108396


I don't know what all Norton Security is supposed to do, but I use AVG for virus (far better than Norton) and both Spybot S&D and Spyware blaster for spyware control. I also use ZoneAlarm for a firewall, but since I have a hardware firewall ZoneAlarm hasn't got much to do. I've also heard good things about Avast for viruses but have no personal experience with it. BTW, when I dumped NAV and installed AVG it found a half dozen viruses that got by NAV. ....


bvance
Join Date: Jul 2004
Posts: 280 The Great Pacific NorthWet, Olympia, WA

2005-03-20          108397


To blame this problem totally on Norton is a cop-out. Norton may have some issues (as any developed software does) but it does the job it was designed for.

To blast Norton in my opinion is no different than a Kubota guy slamming Deere. There's good and bad in both and it usually just boils down to personal opinion, likes and dislikes. There are a lot of large companies using Norton and doing just fine with it. Again, as with most software issues, it's how you configure it to do what it's supposed to do. ....


DennisCTB
Join Date: Nov 1998
Posts: 2707 NorthWest NJ

2005-03-20          108409


Ok guys here is the response from my contact at Google:

"Thank you for your patience while we investigated this issue. Please rest assured that Google is not attempting to attack any of your customers' computers in any way. In fact, Google has strong principles that advocate against any type of software that behaves like this; for more information, please visit: http://www.google.com/corporate/software_principles.html

While researching your question, I noticed that the Google server mentioned in the alert is pagead2.googlesyndication.com. This server is used by our AdSense program to display relevant advertisements on partner websites. Please note, however, that in this instance "pagead2.googlesyndication.com" is being shown under the "Attacked IP" and not as the attacker.

You may also wish to refer to Symantec's help site at:

http://securityresponse.symantec.com/avcenter/nis_ids/sigs/http_activeperl_overflow.html

in order to determine if this alert is a false positive.

Please also understand that specifically, Norton Personal Firewall 2004 and Norton Internet Security 2004 both contain an 'ad blocker' feature. This feature is enabled by default, and will need to be disabled in order to properly view Google ads. If your users have this feature enabled within their security products, they may be having difficulty viewing the Google ads on your pages. Please contact Norton directly for further information or assistance regarding this feature.

Please feel free to reply to this email if you have additional questions or concerns."


I hate to say it, but as my own computer was completely wiped trying to be the nice guy analyzing this, I think I can say this is one of those RTFMA cases no disrespect intended. As so often happens when overdoing anything, it can lead to less than optimum results.

In regards to Norton, I use their antivirus and I have no problems with it. This internet security package crashed my machine causing me to have to reinstall the operating system and all my SW so I am not so happy with it, your experience may be different. At least I was smart enough to recognize that this could be dangerous, and used my older machine to install. Wow was I lucky!!!!!!!!

Best Regards to all,

Dennis
TractorPoint.com Operator

....
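The point in Google's reply, that the ad server appears under "Attacked IP" rather than as the intruder, can be read mechanically from the alert Harvey posted. The Python sketch below is an added example, not part of any post and not Symantec's code; the field layout is taken from the posted alert, while the function names and the second, constructed alert are assumptions made for illustration.

```python
import ipaddress
import re

# Alert exactly as posted in the thread; the address is cut off in the post.
THREAD_ALERT = """\
Intrusion: HTTP_ActivePerl_Overflow
Intruder: 0.0.0.0(3316)
Risk Level: Medium
Protocol: TCP.
Attacked IP: pagead2.googlesyndication.com(64.233.16...
Attacked Port:http(80)
"""

# Constructed contrast case (not from the thread): remote source, local target.
CONSTRUCTED_INBOUND = """\
Intrusion: HTTP_ActivePerl_Overflow
Intruder: 203.0.113.7(40122)
Attacked IP: workstation(192.168.1.10)
Attacked Port: http(80)
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENDPOINT = re.compile(r"^([^()]+)\(([^)]*)(\)?)$")

def parse_alert(text):
    """Turn 'Field: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def split_endpoint(value):
    """Split 'outer(inner)' and report whether the inner part was cut off."""
    m = ENDPOINT.match(value)
    if not m:
        return value, "", False
    outer, inner, close = m.groups()
    return outer, inner, close == "" or inner.endswith("...")

def is_local(addr):
    """True/False for a parseable address, None when it cannot be parsed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return ip.is_unspecified or ip.is_loopback or any(ip in n for n in RFC1918)

def triage(text):
    """Decide which side of the flagged connection the alerting host is on."""
    f = parse_alert(text)
    src_addr, _, _ = split_endpoint(f["intruder"])
    dst_name, dst_addr, dst_cut = split_endpoint(f["attacked ip"])
    src_local, dst_local = is_local(src_addr), is_local(dst_addr)
    if src_local and dst_local is not True:
        direction = "outbound"   # the local machine opened the connection
    elif dst_local and src_local is False:
        direction = "inbound"    # a remote machine connected to a local one
    else:
        direction = "undetermined"
    return {"signature": f["intrusion"], "direction": direction,
            "remote": dst_name if direction == "outbound" else src_addr,
            "address_complete": not dst_cut,
            "local_host_is_target": direction == "inbound"}

if __name__ == "__main__":
    print(triage(THREAD_ALERT), triage(CONSTRUCTED_INBOUND), sep="\n")
```

For the posted alert the result is an outbound connection to pagead2.googlesyndication.com with an incomplete destination address, so the alerting PC is the client of the flagged request and not the web server that the signature description says is at risk.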


kwschumm
Join Date: Feb 2003
Posts: 5764 NW Oregon

2005-03-20          108420


bvance, I don't think anyone blamed Norton for the problem related in this thread. Yes, NAV mostly works, but other products work better.

You're right, Symantec has lots of corporate customers - customers that have big budgets and IT staffs that are paid to fix problems and restore from backups. But there are better products. In my experience you could install AVG on almost any Norton protected internet connected computer and find viruses that NAV missed. But, hey, that's the corporate IT staff's responsibility. For home users a more reliable product is called for. IMHO of course, you're free to disagree and use and recommend whatever you want. ....


ksmmoto
Join Date: Jan 2004
Posts: 41 Central Lower Michigan

2005-03-21          108425


I am using Norton Internet Security 2005 and I do have popups blocked. Also blocked by Google Toolbar and Windows XP SP2. It was never a problem, just showed up as an intrusion attempt.

I am going to build a network soon, have four computers now in the house and I have a Linksys Firewall Router that will provide hardware protection.

Sorry to hear about your computer Dennis. You never know what will happen. I like Norton much better than the McAfee I used to use, but that was several years ago on Windows 95.

I had to reinstall everything on this Dell Laptop I am using in January. It had an error that corrupted the hard drive. I was backed up, but had not updated in a week so I was behind. Now I am kind of crazy about backups, have everything on two internal HDs, one external HD, DVD and memory sticks!

ksmmoto

....


harvey
Join Date: Sep 2000
Posts: 1550 Moravia, NY

2005-03-21          108431


I have just added Google to my unrestricted access file. Site works fine. I'll monitor that file also.

Also in regards to the ad blockers. The pop-ups are a bigger PITA than having to allow traffic. I remember years ago seeing my task bar so filled up it took 5+ minutes to clear it from all the garbage.

It really gets boring listening to your "we're so small nobody bothers us."


Let's hope you guys running Apples and other operating systems get to the point where idle minds with creativity decide to start on someone besides MS. That would be a good thing. More SW developers having to design all new virus SW. Another whole new industry in the works.
....

