Posted on 07/01/2004 9:36:01 AM PDT by cgk
This morning, while accessing FR (browsing, and then again clicking my FR pager, the pop-up window), another intrusion attempt, this time I recorded the details which you can see a portion of above (it wouldn't let me copy the whole Norton screen).
It said FR was the source. This has never happened before and I've been using Norton for a while, and the FR pager forever. Any ideas on how to work around this, or determine what the problem is? Thank you!
ping... thanks!
Past two days; I received similar when going to "list older threads". "Page not displayed". Three times. Suggests it's a live "assault" as opposed to a bot-routine.
It seems to have only happened to me when using the FR pager... how did you get around it? Just accept the attempt?
Hmmmmm. Ping.
BTW - I am on FR again now because I rebooted my pc. I could not access FR otherwise. And I've skipped using the "pager" until I know what to do. :)
I have Norton, but I never use pager, and have not had any problem with FR via Norton.
Thanks for the post. I use norton too but have never encountered any problem like this.
The IP seems to match FR's, but it seems unlikely that MSSQL was involved.
PestPatrol Shares Spyware Lessons ( Company will offer database of known... free.)
This is a resource thread, not an answer thread. It gives an idea of the magnitude and variety of the threats!!!
That's the strange thing. I've had Norton Internet Security for a short while now and this is the first time it's ever happened. Twice in 12 hours or so.
I don't even know what MSSQL is ;)
I'm just guessing. I use Sygate Personal Firewall and for antivirus I use AVG since it's been documented a number of times in PC Magazine that Norton's antivirus and firewall software products produce "false positives" on numerous occasions.
It is a null packet related to SQL, probably a harmless frame used in database queries. Accept it and choose not to notify in the future.
MSSQL is Microsoft's SQL server.
Not from Microsoft themselves, but MSSQL is the Microsoft based SQL (database) server.
I think that is the SQL (Relational Database)
Did the page you were viewing have pictures?
Thank you for the clarification. I've heard that about Norton also... ran a Housecall scan the other day in fact because Norton came up empty but I have a file I can't delete and read it could be a worm of some sort. Housecall came up empty also, so I assumed it was wrong, but I still have this 0 byte folder I can't get rid of. Even downloaded MoveOnBoot, no fix.
A couple of months ago I kept getting strange pop-ups while on FR. I think there was a discussion on it also. No problem lately but at the time it did not affect all.
Thank you... reading it now. (wow, extensive!!!)
Change to Arial font because it is easier to read.
Possibly? It was trying to open "my comments" via the pager, which opens fine now, but there are pics in the page...
If the file or folder is in use by the system as a background task process, Windows won't let you delete it until you close the program or end the process in the task manager.
Good idea.
Norton Internet Security is known to be "highly strung" when it comes to issuing alerts. The usual advice is to set it to report only alerts of a critical nature, which should eliminate bogus alerts like the one you encountered here.
That's what I would recommend. Any non-threatening alert would spook any "newbie" into thinking some intruder is snooping around inside the computer.
Keep the Faith, my friends! We are the saviors of the Republic! Now and Forever!
LonePalm, the Broken Glass Republican
The latest thing in spyware is to attach it to a .jpg or like file so that when it is accessed it loads the spyware.
It's possible that a linked picture had spyware embedded in it.
Okay... I opened the settings, and the personal firewall settings are on "medium (recommended)". Although you see it notified me to the low threat above. Should I change it to "high" only?
LOL! Using Mozilla since the reboot.
The Norton screenshot does not show a port number, but according to the tcpdump utility on Mac OS X, the FR pager is sending traffic to port 51524.
That's the usual recommendation if you don't want to be bugged by non-critical alerts.
Since I restarted, I can't find the details of the last "attack". It wiped them all. If it happens again, I'll look for the port # and see if it's the same.
I guess what I am trying to say is, for example, the first time I run an application, Sygate asks me if I want that application to have access to the internet, I check "Remember my answer" and click Yes. From that point on, I can open my browser and Sygate remembers that I wanted the browser to be able to access the web and doesn't need to ask me again since I told it to remember my answer.
Otherwise, if I clicked yes without checking the box, it asks me every time I open the browser.
Thank you to all of you who have tried to help me with this!
Okay... I have Mozilla 1.6. I just read their FAQ and I will download Firefox now. I am pretty sure that both occurrences happened when I was using IE. Old habits are hard to break and all that. Based on what Ernest said on the other thread he linked to in #10, it looks like I need to download some more stuff. (adaware doesn't seem to be enough).
I just tried the FR pager again in both IE and Mozilla and nothing happened. It may be what Bikers said - a picture with something embedded from some thread somewhere, although it won't repeat itself (Good!!!!).
I'll reset my firewall to high and see how that works.
Hopefully this thread will fizzle. Meaning no more problems for me or anyone else. ;)
Thanks to FReepers, I moved to Mozilla Firefox yesterday.
Your machine chooses an unused local port when it makes its "call" to FR. 51,524 or any of about 30,000 to 60,000 other possibilities. Sometimes it chooses a port that is known (to the firewall) to be used by some service (such as MSSQL) and because some firewalls are less than intelligent, not knowing or caring from where the connection originates (the local machine), they sniff any old traffic with abandon, and occasionally squawk when they sample a known exploit signature (just a string of bytes not necessarily representing malice.)
Imagine the same firewall software configured to alert whenever it sees "cat." (Advocated by dog enthusiasts, no doubt a critical alert.) It now constantly goes off on any -cat- word: advocate, allocate, catalog, vacation, etc. This is basically how the exploit detection mechanism works, it's just looking for a pattern of bits, sometimes in a particular place (the third through fifth letters perhaps in the cat example--alerting on vacation but not catalog), sometimes it doesn't have the luxury of specific location, and searches the entire packet.
Some problems of false positives can be alleviated by switching to a "smart" firewall: a stateful one. Especially smart firewalls "speak" the application protocols--to decipher the meaning of the packet (effectively knowing that vacation is not feline, don't alert.)
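Added example, not part of the thread or of any firewall product's code: the post's "cat" analogy run over four constructed packets, comparing a match-anywhere signature, an offset-anchored signature, and a simplified stateful check that ignores replies on connections the local machine opened. The addresses, the `Packet` type and all function names are assumptions made for illustration; 1433 is the default MSSQL TCP port.

```python
from dataclasses import dataclass

SIGNATURE = b"cat"        # stand-in pattern from the post's analogy
SERVICE_PORT = 1433       # default MSSQL TCP port
LOCAL_IP = "192.0.2.10"   # constructed address (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    syn: bool = False     # True only on the packet that opens a connection

def naive_alert(pkt):
    """Stateless: service port on either side plus the bytes anywhere."""
    return SERVICE_PORT in (pkt.sport, pkt.dport) and SIGNATURE in pkt.payload

def anchored_alert(pkt, offset=2):
    """Stateless, but the bytes must sit at the third through fifth position."""
    at_offset = pkt.payload[offset:offset + len(SIGNATURE)] == SIGNATURE
    return SERVICE_PORT in (pkt.sport, pkt.dport) and at_offset

class StatefulMatcher:
    """Simplified flow table: remembers connections the local machine opened."""
    def __init__(self):
        self.outbound = set()

    def alert(self, pkt):
        if pkt.src == LOCAL_IP and pkt.syn:
            self.outbound.add((pkt.sport, pkt.dst, pkt.dport))
            return False
        if pkt.dst == LOCAL_IP and (pkt.dport, pkt.src, pkt.sport) in self.outbound:
            return False  # reply to our own call: the local port is a client port
        unsolicited = pkt.dst == LOCAL_IP and pkt.dport == SERVICE_PORT
        return unsolicited and SIGNATURE in pkt.payload

# Constructed traffic: the browser happens to pick local port 1433 for a web request.
TRAFFIC = [
    Packet(LOCAL_IP, 1433, "198.51.100.7", 80, b"GET /pager HTTP/1.0\r\n\r\n", syn=True),
    Packet("198.51.100.7", 80, LOCAL_IP, 1433, b"catalog of threads"),  # web reply
    Packet("198.51.100.7", 80, LOCAL_IP, 1433, b"vacation pictures"),   # web reply
    Packet("203.0.113.5", 40000, LOCAL_IP, 1433, b"xxcat"),             # unsolicited inbound
]

def run():
    """Return (naive, anchored, stateful) verdicts for each packet in order."""
    fw = StatefulMatcher()
    return [(naive_alert(p), anchored_alert(p), fw.alert(p)) for p in TRAFFIC]
```

The two web replies trip the naive matcher, "vacation" still trips the anchored one, and only the unsolicited packet to the service port trips the stateful one.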
You really do explain this well, and of course, I've got to ask you why, suddenly, similar experiences -- sort of a web page server "broken window" type of system error? Could it have just been a sequence of "cat" appearing on a thread/post page, activating port unreponses, possibly in ports configured similarly?
Are you logged in?
Opera? I've not heard of this before. I'll take a look. Thanks for the recommendation.
Structured Query Language
I am afraid that I will not be able to use certain web sites that I need for business if I only use Mozilla.
Keep the Faith, my friends! We are the saviors of the Republic! Now and Forever!
LonePalm, the Broken Glass Republican