Hi Trikkur,

I visited the pokertrikz website (the home page first, and then the blog page) this morning at home and got a blocked attack message pop up from Norton Internet Security (NIS). This surprised me since the last thing I expect is the website trying to access my machine. I of course trust you and believe you to run an honest site, but I do need an explanation for the attempted intrusion. The details from NIS are given below concerning this matter.

Details: Attempted Intrusion "HTTP MSIE7 Uninitialized Memory Code Exec" against your machine was detected and blocked. Intruder: www.pokertrikz.com(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1281.

The link to the Symantec website and their description of this is given below. The only thing of difference I note from their explanation is that I use Firefox and not IE. However, it is concerning when they make the following statement concerning this intrusion type: Possible False Positives: There are no known false positives associated with this signature.

HTTP MSIE7 Uninitialized Memory Code Exec: Attack Signature - Symantec Corp.

A fairly quick response to this would be appreciated please.

Cheers Zayphod

Hi,

There have not been any other reports of this and we've tested on IE7 as well. Has anyone else seen anything like this? If so please respond and send Joe or me a PM with any information you can give us. What page did it occur on? What browser do you use? What AntiVirus? Anything you remember.

Thanks

I use

1: Mozilla Firefox
2: Norton Internet Security (is up to date)
3: First went to Free Poker Training | Online Poker Strategy
4: Went to blog page from the link in the homepage
5: Intrusion message

Cheers Andrew

Hi Andrew,

I think it's good to keep this thread open in the name of transparency! The blog list page is something I coded myself and therefore I know there is nothing dodgy within it.

I've done some quick googling on the exploit: National Vulnerability Database (NVD) (CVE-2009-0075)

I don't know how technical you are, but to paraphrase the details in the above link: it seems that there was a bug in the way IE7 handled errors in deleted webpage elements and it was possible to make a webpage that could create/delete objects to force this to happen. Given that this vulnerability only existed in unpatched versions of IE7, and you weren't even running IE7, I am 99.999% confident that your machine is uncompromised and that this message is NIS throwing a false positive.

Furthermore, this exploit does not work via an inbound dodgy connection back to your PC - it works by the webpage's Javascript exploiting IE's memory leaks and therefore allowing the webserver to run code on the user's machine. If there was a connection back to your PC, it would be very unlikely to be from port 80 (this is the standard WWW port). The port 1281 is actually the port on your machine that connected TO the webserver on port 80 - even though that error message makes it look like port 80 connected back to your machine.

The only explanation I can think of is something caused an error in the process of deleting an object (maybe the homepage hadn't completely finished loading when you clicked on the List Blogs link) and NIS thought it was an attempt to exploit this bug in IE. What I don't understand is why I haven't seen it, as I run NIS and Firefox 3.07 and must have clicked around thousands of times since I started working on the site.

Anyway I hope this relieves you somewhat

Cheers Joe
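
The port direction described in the post above, as an added example that is not part of the thread or the site's code: it parses the port fields from the quoted NIS alert, guesses which side opened the connection using a well-known-port heuristic (an assumption of this example, not how NIS decides), and opens a loopback connection to show a server's replies arriving on the client's own source port. The function names are hypothetical.

```python
import re
import socket

# Alert text exactly as quoted in the first post of this thread.
ALERT = ("Intruder: www.pokertrikz.com(http(80)). Risk Level: High. "
         "Protocol: TCP. Attacked IP: localhost. Attacked Port: 1281.")

WELL_KNOWN_MAX = 1023  # ports 0-1023 are reserved for services (HTTP is 80)


def parse_alert(text):
    """Return (local_port, remote_port) from the NIS alert fields."""
    remote = re.search(r"Intruder: [^()]+\(\w+\((\d+)\)\)", text)
    local = re.search(r"Attacked Port: (\d+)", text)
    if not remote or not local:
        raise ValueError("alert does not contain both port fields")
    return int(local.group(1)), int(remote.group(1))


def likely_initiator(local_port, remote_port):
    """Heuristic (assumption): the side on a service port was the listener."""
    local_is_service = local_port <= WELL_KNOWN_MAX
    remote_is_service = remote_port <= WELL_KNOWN_MAX
    if remote_is_service and not local_is_service:
        return "local"    # this machine opened the connection (ordinary browsing)
    if local_is_service and not remote_is_service:
        return "remote"   # something connected in to a local service
    return "unknown"


def loopback_demo():
    """Open one TCP connection on 127.0.0.1 and report the ports each side sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server:
        server.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        server.listen(1)
        listen_port = server.getsockname()[1]
        with socket.create_connection(("127.0.0.1", listen_port)) as client:
            conn, peer = server.accept()
            with conn:
                # The server's replies are addressed to the client's source port.
                return listen_port, client.getsockname()[1], peer[1]


if __name__ == "__main__":
    local, remote = parse_alert(ALERT)
    print(f"local {local}, remote {remote}: {likely_initiator(local, remote)}")
    print("listen, client source, peer seen by server:", loopback_demo())
```
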

Hi Joe,

No dramas mate. It all sounds good. I will try and recreate it at home and see if I can get it to happen again. If it does I will give you the full details. Might be time for NIS to add a false positive to their list. There is a good possibility that I did indeed try and log in before all was loaded. I have faith in the pokertrikz team and thank you and trikkur for your prompt responses.

Cheers Zayphod (forget this Andrew cat...I don't know who he is)

Last edited by zayphod; 03-09-2009 at 09:37 PM. Reason: someone called andrew keeps putting his name on my posts

Hi Trikkur or Joe,

Can you edit the title of this thread so it doesn't appear as "in your face" as it is now? I think Joe handled this really well and for the sake of transparency it should stay up as Joe said, but the title can be downgraded a bit.

Cheers Zayphod