Dangerous Internet

Discussion in 'Computer Science & Culture' started by Bowser, Oct 22, 2011.

Thread Status:
Not open for further replies.
  1. Bowser Namaste Valued Senior Member

    Messages:
    8,828
    I was visiting SciForums today and my internet security (Norton) informed me that there was an intrusion attempt on my computer. I would post the URL here but the program won't let me copy it. This is a curiosity because my daughter's netbook was recently infected and I had to reload the OS from the recovery partition. We were unaware of the infection until receiving notification from our ISP.

    Since our security software subscription is nearly over, I've been looking at Microsoft's Security Essentials as a replacement. Does anybody have any experience with this software?
     
  3. MacGyver1968 Fixin' Shit that Ain't Broke Valued Senior Member

    Messages:
    7,028
    I've been using the free version of AVG for ages...so far it's been doing a pretty good job.
     
  5. Bowser Namaste Valued Senior Member

    Messages:
    8,828
    Yeah, I downloaded a copy on a memory stick while trying to disinfect my daughter's netbook. I'm sorry to say it didn't get everything. So I just reloaded the system from the recovery partition. We're lucky that it was my daughter's computer that was infected and not the one my wife and I use. All she lost were some pictures, but most of those are posted on FaceBook.
     
  7. leopold Valued Senior Member

    Messages:
    17,455
    this is the second time in about a month infections from sciforums have been reported.
     
  8. Bowser Namaste Valued Senior Member

    Messages:
    8,828
    I'm not sure it came from SciForums. The warning popped up when I loaded the SciForums page. I'll try to reproduce the info that my security software provided...



    IPS Alert Name -- Web Attack: Malicious Exploit kit Website 3
    Attacking Computer -- 76.74.152.98, 8080
    Attacking URL -- 1279957090:8080/trk12/GdvyZzfjxi
    Traffic Description -- TCP, http-proxy

    "The attack was resulted from DEVICE\HARDDISCKVOLUME2\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE"

    I think that's it. I wish the software would allow me to copy. :shrug:
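The alert quoted above writes the attacking host as a bare decimal number (1279957090), the "dword" form of an IPv4 address that browsers accept in a URL. This added example (my own code, not from the thread or from Norton) parses the quoted alert lines, decodes that number, and checks it against the dotted address in the alert and against the 76.74.152.0/21 range that leopold's ARIN WHOIS lookup reported for it; the dict layout and the URL regex are my assumptions.

```python
import ipaddress
import re

# Constructed copy of the four IPS alert lines quoted in the thread (retyped, not a capture).
ALERT = """IPS Alert Name -- Web Attack: Malicious Exploit kit Website 3
Attacking Computer -- 76.74.152.98, 8080
Attacking URL -- 1279957090:8080/trk12/GdvyZzfjxi
Traffic Description -- TCP, http-proxy"""

# Range ARIN WHOIS reported for 76.74.152.98 in the thread (NetName PEER1-SERVERBEACH-07A).
REPORTED_RANGE = ipaddress.IPv4Network("76.74.152.0/21")


def parse_alert(text):
    """Turn 'Key -- Value' alert lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" -- ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_dword_host(host):
    """A host written as one decimal integer is the 32-bit IPv4 address in
    'dword' notation; return it dotted. Any other host is returned unchanged."""
    if host.isdigit():
        return str(ipaddress.IPv4Address(int(host)))
    return host


def analyse(alert_text):
    """Decode the URL host and compare it with the reported attacking computer."""
    fields = parse_alert(alert_text)
    attacker_ip, _, attacker_port = fields["Attacking Computer"].partition(", ")
    # Simplistic scheme://host:port/path split; enough for the form the alert uses.
    m = re.match(r"^(?:https?://)?([^/:]+)(?::(\d+))?(/.*)?$", fields["Attacking URL"])
    host, port, path = m.group(1), m.group(2) or "80", m.group(3) or "/"
    decoded = decode_dword_host(host)
    try:
        in_range = ipaddress.IPv4Address(decoded) in REPORTED_RANGE
    except ValueError:  # a hostname rather than an address
        in_range = False
    return {
        "decoded_host": decoded,
        "port": int(port),
        "path": path,
        "host_matches_attacker": decoded == attacker_ip.strip() and port == attacker_port.strip(),
        "in_reported_range": in_range,
    }
```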
     
  9. leopold Valued Senior Member

    Messages:
    17,455
    from my IPINFO applet:

     
  11. Bowser Namaste Valued Senior Member

    Messages:
    8,828
    So, what do I do? Do I send somebody an email and let them know something is up?
     
  13. leopold Valued Senior Member

    Messages:
    17,455
    i checked my firewall logs for inbound attacks and the IP you listed isn't there.

    maybe the IP is legit and someone has used it as a "pass through".

    stryder knows way more about this stuff than i do.
     
  14. Bowser Namaste Valued Senior Member

    Messages:
    8,828
    Interesting... I can't imagine why anybody would go through so much trouble. What do they hope to accomplish?
     
  15. leopold Valued Senior Member

    Messages:
    17,455
    using a host computer to infect other computers and not be traced back to the originating computer.

    my guess is maybe the infecting computer has your information in its address book and the infecting program used that information to infect yours.

    or maybe some kind of distributed attack.

    honestly i have no clue, i'm not into this type of stuff.

    why would someone do this?
    same reason they climb mt. everest, "because it's there".
    it could very well be a plug-in you have for firefox too.

    like i said, stryder knows this stuff better than i do.
    all i can do is throw out guesses.
     
  16. Bowser Namaste Valued Senior Member

    Messages:
    8,828
    I ran my anti-virus program and all it found were cookies. I did upgrade my FireFox not too long ago. Everything looks to be running as it should.

    Things were so much easier with Linux.
     
  17. C C Consular Corps - "the backbone of diplomacy" Valued Senior Member

    Messages:
    3,324
    Microsoft has its Malicious Software Removal Tool regularly downloaded into a Windows OS via its automatic updates every month. You can manually activate it by typing mrt.exe in the "Run" command of the Start Menu.

    If you're switching to free programs (whether MSE, AVG, or Avast for the antivirus), then add the free versions of either Malwarebytes or Superantispyware (or both) for running second-opinion scans. Remember to update the definitions of the latter before a scan, though, since their free versions don't do that automatically (usually a reminder is default activated, anyway).
     
  18. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    What you likely had was an anti-virus program flagging a "potential" exploit attempt.

    I would query if you were logged into sciforums or if you were actually viewing it while not logged in. I would assume it was the latter, as it's known that Hackers attempt to exploit advertisement companies that allow adverts to be shared across multiple websites.

    They can lead to a number of potential exploit attempts from standard X-Scripting attacks manipulating DOM privileges, to attempted script injections on some systems. Most of the time the exploits are well known and the anti-virus program you use will do its job removing and blocking the problem, the exploits you'd really worry about are "0-day" exploits but they are pretty rare, as once they have been observed they get looked at, catalogued and patched against.

    (The most recent record Sciforums virus alert was actually due to an image that had been housed on somewhere like imageshack that had a Javascript entry embedded into its encoded file, however it's very rare that it would have executed since image files are pre-processed rather than just interpreted as standard)

    It pretty much states "http-proxy" and considering it was using the 8080 port commonly assigned to proxies, you can pretty much guess that it was identifying a "man in the middle" concern, some content being viewed was likely claiming to be from somewhere else, this would allow any cookies set to be viewed by the middle man and any entries you make to the end-point website observed. (One of the main reasons you should never use a banking website outside of a security tunnel, but even they can be only "half-pipes" where the tunnelled page can be accessed on a standard HTTP protocol.)
     
  19. Bowser Namaste Valued Senior Member

    Messages:
    8,828
    That last part is a little disconcerting because we often view our bank statements online, and often pay our bills online. I should call my bank and ask about their online security. Thanks for the info.
     
  20. James R Just this guy, you know? Staff Member

    Messages:
    39,397
    Stryder:

    Banking websites usually use the https protocol rather than straight http.

    Would those be safe?
     
  21. nietzschefan Thread Killer Valued Senior Member

    Messages:
    7,721
    Not always James, even HTTPS can be spoofed by man in the middle attacks. For the ultra paranoid, like me...learn your bank's website IP and use that in the browser or read every single security certificate you get from the bank's site.
     
  22. Bowser Namaste Valued Senior Member

    Messages:
    8,828
    Our bank sends us emails before they transfer large sums of money from our account. When my wife paid her large Visa bill online, they notified us and gave us time to cancel the transaction.
     
  23. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    HTTPS is supposed to be safer, *IF* it's configured correctly with the server and the server ignores or denies any files being accessed through just HTTP that are meant for HTTPS and the server's CERTS are properly maintained.

    HTTPS is really just for Obfuscation and shouldn't be totally relied upon to encrypt data. I guess you can say it's just one layer of security, not the answer to security concerns.
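Stryder's two conditions (the server refuses to hand out HTTPS-only pages over plain HTTP, and the cookies set on the tunnelled page are not readable by a "middle man" on a plain-HTTP request) can be checked from the responses a client actually receives. This added example (my own code, not from the thread) audits constructed responses for a hypothetical bank.example login page, a weak "half-pipe" pair beside the corrected pair; the response layout is my assumption.

```python
from http.cookies import SimpleCookie

# Constructed responses for a hypothetical https://bank.example/login page; the first
# pair is the "half-pipe" setup described above, the second the corrected deployment.
WEAK_HTTP = {"status": 200, "headers": {"Set-Cookie": "session=abc123; Path=/"}}
WEAK_HTTPS = {"status": 200, "headers": {"Set-Cookie": "session=abc123; Path=/"}}

FIXED_HTTP = {"status": 301, "headers": {"Location": "https://bank.example/login"}}
FIXED_HTTPS = {
    "status": 200,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
    },
}

REDIRECTS = (301, 302, 307, 308)


def cookie_findings(resp, scheme):
    """Report cookies a response sets without the Secure attribute: without it the
    browser also sends the cookie on any plain-HTTP request for the same host."""
    found = []
    raw = resp["headers"].get("Set-Cookie")
    if raw:
        for name, morsel in SimpleCookie(raw).items():
            if not morsel["secure"]:
                found.append(f"cookie {name!r} set over {scheme} without Secure")
    return found


def audit(http_resp, https_resp):
    """Return a list of findings; an empty list means both conditions hold."""
    findings = []
    # Condition 1: the plain-HTTP copy of the page must only redirect to https://.
    location = http_resp["headers"].get("Location", "")
    if not (http_resp["status"] in REDIRECTS and location.startswith("https://")):
        findings.append("plain HTTP serves the page instead of redirecting to https://")
    # HSTS tells the browser never to try plain HTTP for this host again.
    if "Strict-Transport-Security" not in https_resp["headers"]:
        findings.append("no Strict-Transport-Security header; browser may fall back to HTTP")
    # Condition 2: cookies must not be exposed to a plain-HTTP observer.
    findings += cookie_findings(http_resp, "http")
    findings += cookie_findings(https_resp, "https")
    return findings
```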
     