ATTACKED IP from Google on TP
Dennis or others, my intrusion software just started getting hit, the past 2 days, from:
pagead2.googlesyndication.com(64.233.167.99) (http80).
Is anyone else seeing this?
I also show it's an attack by a computer on my network. I'm not networked, yet. With the conflicting info I am reluctant to disable the warning. I get warned every time I click on a topic or move to and from previous in the topic section. I am not too concerned about a malicious attack from TP, but with the stuff happening I try to be very careful.
Is Google just trying to see what I read or have you (Dennis) installed a new monitoring system?
TIA Harvey
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Tractorpoint Operator Note:
Please DO NOT go out and install Symantec Internet Security 2005. Based on this report I made the fatal mistake of installing it on one of my backup machines that was working GREAT before the install. I am very &*%^*^(*^&&*^&* off at this point for doing what I intrinsically believed to be a mistake.
I was just trying to replicate Harvey's issue; now I have problems. I noticed during the install of the &^*&^*&^ SW that it was going in too many areas for my liking.
Now I am paying the price, losing a lot of valuable data and time for *&*(&(*&*( darn it! Looks like I will be forced to rebuild the machine. BEWARE!!!!!!!
Dennis
ATTACKED IP from Google on TP
Harvey, I noticed a huge spike in site hits that I was investigating yesterday, hopefully just a seasonal increase in volume. Can you send me a PM on this and info on the SW you are using? I need to track this down.
Update 3/20/2005:
I checked my log files and I do not see any irregularities.
Dennis
ATTACKED IP from Google on TP
Dennis, I'm using Norton Internet Security. It updates daily.
The Security alert shows:
Intrusion: HTTP_ActivePerl_Overflow
Intruder: 0.0.0.0(3316)
Risk Level: Medium
Protocol: TCP.
Attacked IP: pagead2.googlesyndication.com(64.233.16...
Attacked Port:http(80)
I have looked at the scenarios and this could be a networked PC, but I do not have one, so it may be a computer trying to spoof the address.
Hell I don't know. I do wear glasses but I do not have a pocket protector yet! ;-0
The biggest RED FLAG is the address with part of an IP address.
I can call you or try to do this by e-mail. You have my e-mail address.
Thanks Dennis
ATTACKED IP from Google on TP
Dennis more of the info...
© 1995-2005 Symantec Corporation.
All rights reserved.
HTTP_ActivePerl_Overflow
Severity: Medium
This attack could pose a moderate security threat. It does not require immediate action.
Attack Category: Suspicious Activity
Anomalous network conditions or traffic patterns. A suspicious activity signature, for example, might detect two systems with identical IP addresses, a condition that indicates an attempted IP spoofing attack.
Description
Older versions of ActivePerl on Windows have a buffer overflow vulnerability. An attacker can exploit this vulnerability to execute arbitrary code at the privilege level of the Web server process. This signature detects attempts to exploit the ActivePerl vulnerability through HTTP.
Links
CAN-2001-0815
BID 3526
Vulnerable Components
Activestate ActivePerl Version 5.6.1.629 and earlier on Windows
False Positive
This signature may not indicate malicious intent if ActivePerl versions other than those listed above are used or ActivePerl is not used at all. In this case, you can exclude this signature from monitoring.
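A triage routine for the alert quoted in this thread, added here as an example and not part of any poster's message or of Symantec's material: it reads the posted fields, checks which direction the traffic went, and applies the signature's own false-positive condition. The function names, the verdict labels and the reading of 0.0.0.0 as the local machine are assumptions.

```python
"""Triage of the Norton alert posted in this thread (added example)."""

# Constructed sample: the alert fields as posted in the thread; the destination
# address is written out from the first post because the alert view truncates it.
ALERT = """\
Intrusion: HTTP_ActivePerl_Overflow
Intruder: 0.0.0.0(3316)
Risk Level: Medium
Protocol: TCP.
Attacked IP: pagead2.googlesyndication.com(64.233.167.99)
Attacked Port:http(80)
"""

# From the signature text: ActivePerl 5.6.1.629 and earlier on Windows.
LAST_VULNERABLE = (5, 6, 1, 629)


def parse_alert(text):
    """Turn 'Key: value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def split_endpoint(value):
    """'name(detail)' -> (name, detail); tolerates a truncated 'name(detail...'."""
    name, _, detail = value.partition("(")
    return name.strip(), detail.rstrip(").").strip()


def triage(fields, local_activeperl=None, serves_http=False):
    """Classify the alert. local_activeperl is a version string or None."""
    src_ip, src_port = split_endpoint(fields["Intruder"])
    _, dst_port = split_endpoint(fields["Attacked Port"])
    # Assumption: an unspecified source (0.0.0.0) with an ephemeral port talking
    # to port 80 is this machine's own browser making a request.
    if src_ip == "0.0.0.0" and int(src_port) >= 1024 and dst_port == "80":
        return "outbound-client-request"
    # Inbound: the signature only matters if this host serves HTTP with an
    # ActivePerl build at or below the last vulnerable one.
    vulnerable = (
        serves_http
        and local_activeperl is not None
        and tuple(map(int, local_activeperl.split("."))) <= LAST_VULNERABLE
    )
    return "investigate" if vulnerable else "false-positive-candidate"
```

An "outbound-client-request" verdict means the local machine sent the request, so the ActivePerl condition would apply to the destination server rather than to the PC raising the alert.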
ATTACKED IP from Google on TP
I got the same warnings today at work where our computer is better protected than at home. It was very annoying because it happened at least 5 times in 10 minutes. My home computer doesn't have the same protection so I don't know if it is happening here.
ATTACKED IP from Google on TP
I got the same warnings above ActivePerl from my Norton Internet Security. Always between 10:30 pm and 12:30 am every night since Tuesday. Nothing yet tonight however. This is the time I have been on Tractor Point.
The Internet was very slow on 3/17/05, maybe going around. My Norton gave a warning that it updated for Immediate Threats.
ksmmoto
ATTACKED IP from Google on TP
I just got hit! At 11:03 pm and 11:53 pm. I always get hit twice and then no more. I was on this site and others during that time.
ksmmoto
ATTACKED IP from Google on TP
Change my last post! Just got a third hit. I am done for a while tonight on Tractor Point, but will be online. I will come back later and report if I get hit when I am not on TP.
ksmmoto
ATTACKED IP from Google on TP
The best that I can come up with is: Google at IP 64.233.167.99 is trying to follow any and all posts we view and/or their ad links.
It is frustrating that they are this persistent; however, I am going to keep them blocked.
3/16/200 was their first attempt at coming in the backdoor and they have been at it since on this site.
My software is set fairly secure so there are quite a few web sites that will not allow my visit.
Only very trusted sites will I allow cookies and/or their backdooring into my PC. Currently I have 242 addresses that are allowed in the backdoor; most of those are multiple pages from the same web. Maybe I need to spend some time today reviewing them...
I trust TP (Dennis) but I do not trust Google (backdooring me) even if they do have the best search engine.
ATTACKED IP from Google on TP
I have a request in to Google on this, and I am waiting for a reply.
Here is my theory on this, which is just conjecture at this point. The Google ads I have are what are called context sensitive ads. I think that these are not attacks on your desktops at all; rather, what Google does in their script is try to review the TP page content before serving the context sensitive ads. Unfortunately all of the pages on Tractorpoint are dynamic content; there are almost no static content pages on the site. Therefore Google has to scan the pages each time. Now if you have some extremely sensitive SW on your PC you may be picking this up.
On my machine I have Norton with the latest virus files. And I do not see anything when I browse the site.
I will get back to you when I hear from Google, also to be able to analyze this more I will need some more info about any free SW you are using so that I can attempt to replicate the problem myself.
Dennis