Norton's shutdown my SatGuys connection due to possible "attack"?

[Dishpointer]

Good question. The only thing I saw different than the other posts was GoalieBobs sat table files. I have no idea what caused the problem but that was the only thread that gave me an intrusion warning flag. Let me know if you find anything out.

 

[beast37799]

i have yet to have a problem with the norton software .however i did have a problem with the aol security center with macaffe software nothing but a problem. Kept saying the update wasnt taken and kept freezing my comp

 

[waltinvt]

I am with you Walt, the vast majority of users have no issues with Norton; but it evokes the same chatter as Sony, Microsoft, and other haters for any number of reasons. I have used them since the early 90's and tried others with horrid results. Most times it has less to do with the actual product and more because of the name or costs. If you like it and it works well then you are fine; just have to find out what exactly is tripping you. I also visited the link you posted, it popped right up with no wait time and gave no errors.

Do you have all the latest Service Packs/Updates/Patches for your OS?

Use IE to check these pages.

http://www.microsoft.com/technet/security/bulletin/MS05-036.mspx - result based on your specific error

http://windowsupdate.microsoft.com/ - Windows Update

OK, I checked both sites. This is what Microsoft says:

Executive Summary:
This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.
A remote code execution vulnerability exists in the Microsoft Color Management Module because of the way that it handles ICC profile format tag validation.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
We recommend that customers apply the update immediately.


I apparently didn't have that particular update (it was the only one I needed) and it sounds like someone was actually trying to access my computer through this site, using this vulnerability.

I now have the update, so we'll see if it happens again.

Thanks again Charper.

 

[Dishpointer]

Thanks Walt. I don't know if I have that update. I will check tonight and get it fixed. I hope those crafty hackers we had a problem with in the past arn't up to devious things again.

 

[waltinvt]

Thanks Walt. I don't know if I have that update. I will check tonight and get it fixed. I hope those crafty hackers we had a problem with in the past arn't up to devious things again.

Well it happened again. Different thread this time though. NIS flagged it and shut down my SatGuys connection for 30 minutes.

I'm beginning to wonder if it's related to certain threads I've been active in but I'd like to be sure before I say more.

I wonder if there's a way one of the moderators can monitor someone's activity here and see what exactly is happening when this occurs.

 

[Scott Greczkowski]

Walt you have a stange computer. Anytime there is something strange reported its you and your computer.

We don't monitor stuff like that and can't monitor stuff like that.

I do know there are thousands of people who use SatelliteGuys with Norton Internet Security and you are the only one reporting this issue. I have gone through and done two security scans on our servers and see nothing wrong.

I wish I had more to tell you but I don't. Uninstall NIS and try something like ZoneAlarm, or even Microsofts new Defender.

 

[waltinvt]

Walt you have a stange computer. Anytime there is something strange reported its you and your computer.

We don't monitor stuff like that and can't monitor stuff like that.

I do know there are thousands of people who use SatelliteGuys with Norton Internet Security and you are the only one reporting this issue. I have gone through and done two security scans on our servers and see nothing wrong.

I wish I had more to tell you but I don't. Uninstall NIS and try something like ZoneAlarm, or even Microsofts new Defender.

korsjs posted:
same thing happened to me months ago. i can't remember what the intrusion was labled as. i thought it had something to due with the ads.

teachsac posted:
Happened to me, too. Scott.

Dishpointer posted:
Walt, I experienced the same problem on Friday and it only occured when I was looking at the uplink report thread by GoalieBob. There must be a flaw in the latest update from Norton. I ended up turning off my firewall so I could look at that thread. If it happens again I will probably dump Norton and go with something else.

So I wasn't the "only one" but you're probably right - it must be something wrong with my computer.

 

[charper1]

Well it happened again. Different thread this time though. NIS flagged it and shut down my SatGuys connection for 30 minutes.

I'm beginning to wonder if it's related to certain threads I've been active in but I'd like to be sure before I say more.

I wonder if there's a way one of the moderators can monitor someone's activity here and see what exactly is happening when this occurs.

Go into NIS and tell it NOT to auto-block SatGuys anymore. can you post the exact message please; I will track it down but doubt its harmfull and anything more than just annoying.

 

[Scott Greczkowski]

So I wasn't the "only one" but you're probably right - it must be something wrong with my computer.

Yes you were the only one, those people are over many months (and it only happened to them once then)

If 5 or 10 people on the same day or at the same time had the issue we would be onto something. Again your the only one. Wish I had something insightfull to add but we are serving over 30,000 unique IP addresses a day, if it was a problem we would be seeing it from a bunch of folks.

 

[Poke]

Yeah Norton Internet Security can causes more problems than anything! Just use their virus software but between the two Mcafee is better and less issues. For Firewall use Hardware version their better than software ones and they dont mess up your PC or servers.

 

[waltinvt]

Go into NIS and tell it NOT to auto-block SatGuys anymore. can you post the exact message please; I will track it down but doubt its harmfull and anything more than just annoying.

Thanks again Charper.
Below is a cut & paste of one the alert windows that came up. The "attacked" port number was not always the same if that means anything.


Attempted Intrusion "ICC Profile TagData Overflow" against your machine was detected and blocked.
Intruder: www.satelliteguys.us(65.99.220.89)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 1326.

You can get detailed information about this attack at Symantec Security Response.
Details: Intrusion detected and blocked. All communication with www.satelliteguys.us(65.99.220.89) will be blocked for 30 minutes.

You can get detailed information about this attack at Symantec Security Response.

 

[charper1]

Once you set NIS to not auto-block www.satelliteguys.us (65.99.220.89) what happens when you visit those threads again?

 

[cebbigh]

Norton and McAffee were nowhere as effective as using the combo my local mom and pop computer store recommended of ZoneAlarm, NOD32, Spybot (free), and
Ad-Aware SE (also free).

 

[Scott Greczkowski]

I just did a google search on "ICC Profile TagData Overflow" and got thousands of results and most of them say the same thing that NIS is buggy.

This is a windows / norton issue and again nothing wrong with the server. (Phew)

 

[charper1]

Then wouldn't ALL NIS users be having the same issue here? I am not, and no where else either. I am not saying its on the sever either, but I can assure you its more than likely how specific users have their software setup to react vs the content retrieved from said location.

Go to that thread Walt referenced and remove all the attached images in it, and allow Walt to clear his cache and revisit the thread to see if it still does it.

That NIS error is not saying your server is infected, but one of the images is sending bad data out; and based on how ones software is setup to report, you may or may not get the error pop-up warning. As I said, I also use the NIS. Google results from people posting about the error doesn't really mean much as far as proof about anything IMHO.

So any harm in testing that theory?

 

[Scott Greczkowski]

Then wouldn't ALL NIS users be having the same issue here? I am not, and no where else either.

Thats what I am trying to say, its an issue on Walt's machine and NIS.

 

[charper1]

OK then I mis-read you. I agree its a software setup issue on his PC but not a software bug; just it doing exactly whats it supposed to do by design until the user intervenes.

Any harm in still doing the image test scenario?

 

[SatinKzo]

I have gotten the message a few times today. I finally broke down and added the URL to my exclusions.

I didn't get the message in any particular thread either. I seem to have gotten it the most viewing just a the Dish or Dish HD forum listings.

Edit:

added a couple rules to my my router and removed the exclusion from NIS, all seems well. It'll be interesting to see what the log shows in a couple days or so

 

[Scott Greczkowski]

Just FYI I saw one post in my google search saying that this problem may be due to php caching. I have excluded the file it mentioned in the PHP caching and restarted the server.

 

[VIPERS-PIT]

I have gotten the message a few times today. I finally broke down and added the URL to my exclusions.

I didn't get the message in any particular thread either. I seem to have gotten it the most viewing just a the Dish or Dish HD forum listings.

Edit:

added a couple rules to my my router and removed the exclusion from NIS, all seems well. It'll be interesting to see what the log shows in a couple days or so

Sounds like someone is port scanning your ip address.