Troubleshooting Bri's PC


Bri

Hi, Bri!

<<< ..Not sure about the CTRL-ALT-DELETE thingy. I would presume that a virus program running on your PC could intercept the CTRL-ALT-DELETE transmission and use it for its own purpose (such as deleting files or wiping a hard disc) but I thought Microsoft wrote Windows so that could not happen. Still, I suppose a virus could do something to some internal Windows component that would defeat whatever precautions Microsoft took ... I would guess using a buffer overflow or insecure privileged usercode or something along those lines. >>>

ahhh yes, that would accomplish it considering the firewall would stop the buffer attack if installed. How successful is the standard firewall that resides in the XP operating system in stopping a buffer attack?

...Oops, I used the wrong terminology...I meant this (from Microsoft Security Advisor Program: Glossary of Terms):

Buffer Overrun

An attack in which a malicious user exploits an unchecked buffer in a program and overwrites the program code with their own data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker. If overwritten with other data, the likely effect is to cause the program to crash.

A firewall won't do anything to stop this if you've downloaded the virus.

<<<My question would be can something like this be written into a webpage?...Sure! It could be on the web page as a file with any extension that you have associated with Word (.dot, .doc, .rtf, .wri, etc). There might be some scripting around it that would cause it to be executed without your having to take any action other than to open the web page (or e-mail).>>>

bingo 3, thank you

...You're quite welcome!

After running a search on a search engine and clicking on a link provided by the search engine, a browser window attempts to open but the firewall (Norton) stops it. What are the possible causes? Just a hint would be helpful :-).

... :huh: Are you asking what are the causes of a browser window trying to open when you click on the link, or what are the causes of the firewall stopping it? If the former: some script that executes a "window.open" command or some such; I regret that I don't know enough about firewalls to know the answer if you mean the latter.

<<<QUOTE (Bri @ Feb 26 2004, 09:48 PM)

Thank you Turet, 

...It's Steve (not Turet). See my sig. >>>

Thank you, Steve. I am not a common visitor to forums and used the abbreviation common to my on-line "world", no insults intended.

...No offense taken - I understand the "mistake" - in fact, I don't consider it to have been a mistake at all! :)


You say "buffer attacks" .. What Steve said was "buffer overflow" (exploits) .. you'll find documentation of this type of thing on most of the links I earlier provided. A firewall has nothing to do with a "buffer overflow" situation. The XP firewall is just barely better than nothing at all.

Norton's NIS firewall is a much screwed up version of a product obtained when they bought out/up @Guard. The core engine still works from the same view point, and as such, I have to shift the words a bit here also ... It's not that when you click on a link, it jumps in and "blocks" anything ... rather, it jumps up and asks for your approval to go to that link. This is also based on configuration settings. Let's put it this way, not everyone using NIS sees these pop-ups.

I feel strange, you wanted me to be more specific, but ask Steve for "hints" ...

I'm also with Steve about the CTL-ALT-DEL thing .. by the time your system would be so warped that this keystroke combo was compromised, you should have seen all kinds of other evidence of things going wrong .. but on the other hand, I've not heard of anything like this either. Obviously can't come up with the right search terms as I came up empty on a Google tear, Alta-Vista, SANS, CERT, .. gave up after that ....

Direct from Microsoft: http://support.microsoft.com/default.aspx?...=kb;[LN];162059 How to Configure Internet Explorer to Open Office Documents in the Appropriate Office Program Instead of in Internet Explorer --- your problem / question answered by the reverse explanation


<<<You say "buffer attacks" .. What Steve said was "buffer overflow" (exploits) .. you'll find documentation of this type of thing on most of the links I earlier provided. A firewall has nothing to do with a "buffer overflow" situation. The XP firewall is just barely better than nothing at all.>>>

I am definitely a little confused on the buffer thing, but this is something Norton stopped one night and it is what is confusing me. I can find something similar on the net identified (can't remember where now) but it was not this exact wording. I am just curious how common this type of thing is, I guess:

"a computer with the IP address 127.0.0.1 sent information of the HTTP_Active_Perl_Overflow attack."

<<<After running a search on a search engine and clicking on a link provided by the search engine, a browser window attempts to open but the firewall (Norton) stops it. What are the possible causes? Just a hint would be helpful :-).

Marketing folks are the root cause of popup ads. Norton's firewalls (which one and version are you using?) can block popup ads. >>>

Yes, marketing ads are irritating. But it is not marketing sites that I have found the odd things on. I found a good example of my question yesterday by accident. I have 2 spam emails (spam being stretched well beyond the marketing meaning) which are about two months old or so. I decided to parse them here just for curiosity, but first I forwarded them as an in-line attachment just so I could look at them. Neither one of them has an attachment. Both of them caused Norton to respond, and idiot that I am, I only wrote down this, so I am not sure what the problem was now:

"219.129.20.208:808 using port 3154

location China"

It shows in my log book where "This one time, user has chosen to block communication".

I am just curious also why an individual's personal website can also cause Norton to respond (although it has been a long while since I have been to those sites and do not remember what the security alert was about).

<<<I feel strange, you wanted me to be more specific, but ask Steve for "hints" ... >>>

I need at least hints when I am nearly clueless so I can at least get a good starting point on the answer. If I have a little better grounding on the subject I need more specifics so I can rule out the various things that can happen on the net and why they happen ;-). That is why I call it a personal study; it goes beyond just a couple of off-the-cuff questions. And thanks to all of you, not only to those who have responded but also to the services of SpamCop. The parser thingy alone is a lot of fun to play with :-).


Bri sent me a screenshot of the graphic. It appears to be a standard HTTP Authentication Dialog Box presented by IE6 on WinXP on behalf of members.spamcop.net, requesting "User name" and "Password" for "your SpamCop account", along with the optional "Remember my password" Checkbox. It is similar to, but prettier than, the version presented under Win2000 and previous Windows OSs.

members.spamcop.net is the SpamCop Members' Website (exclusively for the use of paid SpamCop Parsing and Reporting System Members/Customers), and it is requesting usage authorization via this Dialog Box. It cannot be used without authorization. The "User name" in this case is the Member/Customer's email address, and the "Password" is self-explanatory. I only recommend checking the "Remember my password" Checkbox on computers that are only used by one person with only one paid SpamCop Parsing and Reporting System Account.


a computer with the IP address 127.0.0.1 sent information of the HTTP_Active_Perl_Overflow attack

problem in this is that 127.0.0.1 is "your" computer

219.129.20.208:808 using port 3154

the ....208:808 suggests that it was probably a graphic call, using a "non-standard" port for the HTTP call to that other computer, i.e., the 808 instead of 80, or the more usual alternate port of 8080 ..

personal website can also cause Norton to respond

not at all sure why you're specifying a "personal" website, going back to it's more a function of how you've got NIS to handle the flow (and now that JeffG has suggested that you're using XP, you have to factor that into the equation also). I'll explain my statement in that in my use of @Guard, any site that is not already added to the "approved" list causes a pop-up box asking for permission to go ahead and make the call. And even if "approved", @Guard looks at so much other stuff also, cookies, scripts, ads, even file-tree names ... almost all of this power is still in Symantec/Norton's product, but the control panels are not nearly as accessible.

It used to be that all the important data was stored as plain text in the Registry for the control settings of NIS (again, a carry over from @Guard's original programming) .. However, recent versions of NIS have taken to encrypting this data, making it absurdly difficult to read, manage, or massage those rules and tables now .. again, just another step in the screwing things up mode that Symantec is famous for ...
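The two observations in the reply above (that 127.0.0.1 is the machine itself, and that :808 is a non-standard port for an HTTP call) are the kind of thing that can be checked mechanically before getting alarmed by a firewall alert. What follows is an added example, not code from this thread, from Norton/Symantec, or from SpamCop; it uses Python's standard `ipaddress` module over constructed log fragments modelled on the two lines Bri quoted, plus one made-up line with a private address. The triage only says what the source address and port are (loopback, private, or public; standard or non-standard web port); as the later reply notes, whether anything bad actually happened cannot be decided from one line without the surrounding log entries.

```python
import ipaddress
import re

# Constructed sample fragments modelled on the alert text quoted in the thread.
# The third line is made up to show the private-address case.
SAMPLE_ALERTS = [
    "a computer with the IP address 127.0.0.1 sent information of the "
    "HTTP_Active_Perl_Overflow attack.",
    "219.129.20.208:808 using port 3154",
    "10.0.0.5:8080 using port 4021",
]

# Dotted-quad IPv4 address with an optional ":port" suffix.
ADDR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")

# Ports a browser would normally use for a web request.
WELL_KNOWN_HTTP_PORTS = {80, 443, 8080}


def classify_address(addr: str) -> str:
    """Say where the address lives: this machine, a non-routable range, or the public net."""
    ip = ipaddress.ip_address(addr)
    # Check loopback first: 127.0.0.0/8 also counts as private in the ipaddress module.
    if ip.is_loopback:
        return "loopback (this machine)"
    if ip.is_private:
        return "private / non-routable"
    if not ip.is_global:
        return "reserved / non-routable"
    return "public"


def triage_alert(line: str) -> dict:
    """Pull the first address (and port, if any) out of an alert line and label them."""
    m = ADDR_RE.search(line)
    if not m:
        return {"address": None, "scope": "no address found", "port": None, "port_note": None}
    addr, port = m.group(1), m.group(2)
    port_i = int(port) if port else None
    note = None
    if port_i is not None:
        note = "standard web port" if port_i in WELL_KNOWN_HTTP_PORTS else "non-standard web port"
    return {"address": addr, "scope": classify_address(addr), "port": port_i, "port_note": note}


def triage(lines):
    """Triage a list of alert lines; returns one dict per line."""
    return [triage_alert(line) for line in lines]


if __name__ == "__main__":
    for result in triage(SAMPLE_ALERTS):
        print(result)
```

Run as a script it prints one dict per sample line; the 127.0.0.1 line comes back labelled as loopback with no port, and the 219.129.20.208 line as a public address on a non-standard web port.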


<<<Bri sent me a screenshot of the graphic. It appears to be a standard HTTP Authentication Dialog Box presented by IE6 on WinXP on behalf of members.spamcop.net, requesting "User name" and "Password" for "your SpamCop account", along with the optional "Remember my password" Checkbox. It is similar to, but prettier than, the version presented under Win2000 and previous Windows OSs.

members.spamcop.net is the SpamCop Members' Website (exclusively for the use of paid SpamCop Parsing and Reporting System Members/Customers), and it is requesting usage authorization via this Dialog Box. It cannot be used without authorization. The "User name" in this case is the Member/Customer's email address, and the "Password" is self-explanatory. I only recommend checking the "Remember my password" Checkbox on computers that are only used by one person with only one paid SpamCop Parsing and Reporting System Account.>>>

I am sorry Jeff, am I supposed to understand what this meant? I am the only operator of this computer and the computer I use at work. My original question to the tech came under the subject "using two computers with one account" and was sent to the tech within 24 hours of my creating a paid account after reporting spam for about 3 weeks for free. I felt guilty using the service so much for free. I also told Jeff to trace my ISP and IP if he wished. I get the impression from this post that it is thought I am doing something wrong?

I did not get to the point of remember my password because I used the old link to reach the page and used the link on the page which gave me the login screen with a graphic in and was curious. I had always been told never to put my name and password into a screen that does not look "normal". I also told the tech I was sure I was asking a goofy question. Since I had not seen it at work and the tech could not reproduce it, I was alarmed.

As I think you all have noticed, you all have some odd people that make it your way, as in all places, and I did not wish to air something on a public forum that may not be something I want an odd person to know.

<<<a computer with the IP address 127.0.0.1 sent information of the HTTP_Active_Perl_Overflow attack

problem in this is that 127.0.0.1 is "your" computer>>>

What was my computer attempting to accomplish? That is why I am curious. The only 2 things I could find researching are that 127.0.0.1 is a favorite for a cracker to use as a forged address, because it is the one used to troubleshoot things I do not remember on one's own system. The other thing was some kind of buffer exploit(?) that had a name similar to the one above. Oh, I also learned a little bit about Perl and that it seems to be a favorite with some crackers. They have lots of fun pages and discussions on how to abuse someone else's computer.

<<<not at all sure why you're specifying a "personal" website, going back to it's more a function of how you've got NIS to handle the flow (and now that JeffG has suggested that you're using XP, you have to factor that into the equation also)>>>

I am specifying personal webpages because Jeff seemed to be suggesting I was seeing pop-up ads from marketeers. That is not the case.

What is a better option for a firewall? I agree, Norton is very clumsy to work with but it is really hard to get a consensus on anything.


I am sorry Jeff, am I supposed to understand what this meant

Jeff was just pointing out that you'd sent him a screen shot of a normal account name/password login screen, admiring that it was prettier under XP than it was in previous versions of Windows.

original question to the tech

can't quite figure that one out .. are you still talking about JeffG or some other "tech"?

never to put my name and password into a screen that does not look "normal".

another one a bit out of context .. as in the example you're discussing, it's the target that counts, and in this case it was a "members only" page, and you accessed it in a round-about fashion, thus the "please log in" sequence.

Since I had not seen it at work and the tech could not reproduce it

This makes it sound like not JeffG, but some other tech.

What was my computer attempting to accomplish?

Again, out of context, no way to guess from this viewpoint. What else was going on at the time? What are the log entries prior to and after this one line? What software was running?

127.0.0.1 is a favorite for a cracker to use as a forged address

as you state later, this is an address that is used to specify your own computer .. normally called a linkback address. I wouldn't consider it much of a hacking/cracking thing at all. That it's a non-routable address doesn't explain much in its use as an "address", forged or not ..

Perl and that it seems to be a favorite with some crackers

Perl is just yet another programming tool. Any tool can be used for good or bad. Ton loads of sites have some Perl scripting going on, usually behind the scenes, database work, calculations, etc.

Buffer over-runs / exploits have existed since the dawn of programming computers. Although exploits didn't really become an issue until much later.

Jeff seemed to be suggesting I was seeing pop-up ads from marketeers

can't speak for JeffG, but all I recall was that he was describing a normal login pop-up that was seen at your attempted entrance to members.spamcop.net ... though mentioning that it differed little from the same type of pop-up you'd see anywhere else that required the use of an account name/password combo to gain entrance.

What is a better option for a firewall? I agree, Norton is very clumsy to work with but it is really hard to get a consensus on anything

Like anything else you go out to buy in this world, there are options, capabilities, strong points, issues, and well over 90% of your decision on the final outcome is based on your own experience, background, expertise, knowledge, and the bottom line of your own gut feeling. And if you ask about these software firewalls in some rooms, they'll toss you out as there is no such thing worth the disk space; another room would have a hundred different people explaining why their software firewall was the only one worth running. Neither room would argue that a hardware firewall is a necessity. A firewall is just one more tool used in the process of securing and protecting your system.

Liken it to purchasing a car for your own personal transportation. If getting from point A to point B is all that's involved, just about anything will meet that need. But then you start adding in all those other things .. status, color, engine type, size, and output, auto or manual shift, does it come with a sun/moon-roof, power locks/windows/seats, etc .... again, user requirements, background, desires, interface likes/dislikes ... that's why there are so many firewalls/tools out there to get certain tasks accomplished in their own special way ...


The short version of my previous post is that it is OK for Bri to fill in the dialog box that she emailed me. It is perfectly normal.

Also, Bri browsed to Yahoo! from adsl-[elided].bellsouth.net, which appears to be an Asynchronous Digital Subscriber Line in Florida, USA. According to http://www.moensted.dk/spam/?addr=elided , that IP Address "was found in 12 lists (of 258 tested)".

[elided information at Bri's request]


<<<The short version of my previous post is that it is OK for Bri to fill in the dialog box that she emailed me. It is perfectly normal.

Also, Bri browsed to Yahoo! from adsl-elided.bellsouth.net [elided], which appears to be an Asynchronous Digital Subscriber Line in Florida, USA. According to http://www.moensted.dk/spam/?addr=elided , that IP Address "was found in 12 lists (of 258 tested)".>>>

Thanks Jeff for all the info. Wazoo, the reason you are seeing things out of context is that I am a private person that has noticed that people love to broadcast private details across sites they know are not trustworthy. I unfortunately learned this lesson at another site watching what had happened to other people, not because it had happened to me. It was usually a moderator that would either broadcast the info (since they had access to it) or another member that took a dislike to someone on the forum.

But, when I encountered something well beyond my experience not to mention was rude to Jeff and the tech after I got a run-around (in my view), (which I did apologize for, for what it was worth) I now get to see all my info displayed across a public forum. Thanks again Jeff.

Oh, I forgot to add that it is out of context because Jeff chose to call out all kinds of stuff before I ever gave permission or he had even checked to see who I was. Since I fall way behind the times, who do I complain to and request a complete verification of who I am and why my personal information has been broadcast so neatly across a public forum?

I have also noticed YourBuddy has quite a few threads going and is obviously trolling, may I ask why his IP and town have not been advertised?

[elided information at Bri's request]


Jeff seemed to be suggesting I was seeing pop-up ads from marketeers

can't speak for JeffG, but all I recall was that he was describing a normal login pop-up that was seen at your attempted entrance to members.spamcop.net ... though mentioning that it differed little from the same type of pop-up you'd see anywhere else that required the use of an account name/password combo to gain entrance.

Again here, Jeff is talking about something private between him and me. My question to you boiled down was "why would a personal website far off the beaten track throw up a security alert in Norton". It is not within my experience that a marketing pop-up gives a security alert, nor that a personal website would pull up a browser window Norton considers dangerous with a setting of medium.


Oh, and I have no clue what Jeff said about my IP address being listed in the 12 of 258 lists tested, but I suspected a long time ago I had been set up for something, which is why I have been studying what the ramifications may be. It was only recently I learned that spammers may use an individual's computer for this purpose, and it is thanks to you all I did learn it. Is there anyone on this forum that could put me in live contact with someone that can fix this? Thanks to Jeff, you all know where I am.


My question to you boiled down was "why would a personal website far off the beaten track throw up a security alert in Norton". It is not within my experience that a marketing pop-up gives a security alert, nor that a personal website would pull up a browser window Norton considers dangerous with a setting of medium.

I'm going to say I tried my best to answer that a number of times ... my settings not allowing me to see complete web pages even though I "approved" of going there .. that there are more things that are looked at besides just the URL .... and that most of this depends on configuration, and as I can't delve into your details from here, I can't offer much more specific help ... only you can look for those details.


my IP address being listed in the 12 of 258 lists tested

Outside of the lists that tend to block everybody, most of "your" listings appear to be due to your IP address falling within dynamic IP allocation space .. no big deal

You're in an area where the only people I know aren't the techie types, so can't help you there. On the other hand, try this piece of software http://www.spychecker.com/program/hijackthis.html .... there's a small catch in that the way it was originally set-up, you'd run it, copy the output, and post it on a board run by the author and other folks, they'd run through it and tell you exactly what was there that shouldn't be, stuff recommended to get rid of, etc. ... Right now, that community resource now comes up as being "For Sale", all data having been passed to the FBI, but I'm suspecting that he's just another average Joe that won't be able to substantiate enough of a business loss (software and advice was free) to get the FBI to actually get involved ... ?? ... he's been DDoS'd out of existence for the present .. the software is available in dozens of places, but not sure where to send you for the output read other than e-mailing it, and it appears your trust factor isn't that high now. There's over a half-dozen sites under this current DDoS action, and they've all been scrambling to put up mirrors elsewhere in order to keep fighting the good fight, but I haven't been keeping close track of all the jumping around these last couple of weeks.


<<<my IP address being listed in the 12 of 258 lists tested

Outside of the lists that tend to block everybody, most of "your" listings appear to be due to your IP address falling within dynamic IP allocation space .. no big deal

You're in an area where the only people I know aren't the techie types, so can't help you there. On the other hand, try this piece of software http://www.spychecker.com/program/hijackthis.html .... there's a small catch in that the way it was originally set-up, you'd run it, copy the output, and post it on a board run by the author and other folks, they'd run through it and tell you exactly what was there that shouldn't be, stuff recommended to get rid of, etc. ... Right now, that community resource now comes up as being "For Sale", all data having been passed to the FBI, but I'm suspecting that he's just another average Joe that won't be able to substantiate enough of a business loss (software and advice was free) to get the FBI to actually get involved ... ?? ... he's been DDoS'd out of existence for the present .. the software is available in dozens of places, but not sure where to send you for the output read other than e-mailing it, and it appears your trust factor isn't that high now. There's over a half-dozen sites under this current DDoS action, and they've all been scrambling to put up mirrors elsewhere in order to keep fighting the good fight, but I haven't been keeping close track of all the jumping around these last couple of weeks.>>>

Considering the moderator found it advisable to post all my info he deemed relevant on a public forum, I would say my trust factor hit well below zero now. Of course, this estimation keeps in consideration YourBuddy when factoring the equation. If no one understands that reference, please see the Lounge topics on this forum. If my IP falling within a dynamic IP address allocation space is no big deal, why was it considered necessary to post very private information on an unsecured public forum with no live body near me that could even begin to understand? And I really do not understand why I would contact the FBI (and he would be the "average joe" that cannot substantiate enough of a business loss to tell me? This is implying not only am I goofy but the FBI agent is? And why would I contact an FBI agent about a commercial website anyway? ohhh, but I reread that and you are saying the poor soul was DDoS'd out of existence without enough proof of the attack.)

I understand what a mirror is, but seems to me they would be the next ones under attack if the original site is non-functioning due to a DDoS attack? Not to mention that would fall under one more website prone to suspicion due to a moderator to just start with.

And I do not think I will copy any more programs suggested by this website (even though I did find it through what I considered at the time a credible source). What can I look forward to since the moderator has been helpful and I have rather meager firewalls (as I have already stated!). If you would like to know what my firewalls are, contact Jeff, I bet he may be willing to let all know, but then, I have no real clue what he could tell you beyond what I know that was posted. I am finding myself cringing at the thought.

Again, where do I start posting a thread that someone with some credibility would even begin to help (without!!!! posting personal details, all are welcome to post my words that seem rude or unhelpful to the germane subject but do not contain critical information).


Well, I talked of being credible quite a while ago .. and I think I've spent quite an amount of time trying to answer your questions and offering help. And I must say that after being painted with that large brush, I don't see why you'd be asking for another recommended place to go to .. I'm just a user passing on stuff I've learned, so that you find me not credible either , then, I can fix that .. good luck!


<<<Well, I talked of being credible quite a while ago .. and I think I've spent quite an amount of time trying to answer your questions and offering help. And I must say that after being painted with that large brush, I don't see why you'd be asking for another recommended place to go to .. I'm just a user passing on stuff I've learned, so that you find me not credible either , then, I can fix that .. good luck!>>>

Sigh, where have I painted you with a big brush Wazoo? I was told by the moderator that only a member of the moderators group or a member could be trusted (in a private message). I have never even mentioned your name, Wazoo, on a public forum as an untrusted person. I am assuming a "member" such as I cannot be trusted, since it seemed the moderator meant someone with "member" displayed in a dark blue graphic. I am sorry, but where am I missing something here? I would happily explain any misunderstandings. I have also clicked on "moderators" and only see Jeff's name listed, which leads me to understand only he is a part of the moderators group. Again, any misconceptions on my part could be easily rectified.


Bri,

I'm sorry, until a few minutes ago I had missed the portion of this topic where you objected to my posting your IP Address. I'm also sorry for posting your IP Address and City. I hope that I have cleaned up the posting sufficiently.

You may not be aware of this, but almost all postings on the Newsgroups and emails to their mailing list counterparts include the IP Address of the poster. It is my fault for not taking into account your heightened security sensitivity when writing that post, and I am sorry for revealing that information. Note that I did not reveal the name or email address you used.

I hope that you can forgive me.

btw, do you consider members.spamcop.net to be a personal website?


Archived

This topic is now archived and is closed to further replies.