Endpoint Protection


I keep getting web injection notifications.


  • 1.  I keep getting web injection notifications.

    Posted Jul 15, 2013 09:35 AM

    Every now and then, I keep getting some sort of web injection notification. The most recent one has been something along the line of "Plesk command injection." After this appears, I run a virus scan, but nothing appears. 


    Is this a potential danger to my computer? What steps should I take to fix this?


    Thanks for the help,

    Non Sequitur



  • 2.  RE: I keep getting web injection notifications.

    Posted Jul 15, 2013 09:36 AM

    This is likely the IPS catching malicious traffic. Check the security log for confirmation as to which signature is firing.

    Do you get this when browsing the web?

    The IPS is blocking this so you won't find any infection on your machine. The infection attempt is being blocked.



  • 3.  RE: I keep getting web injection notifications.

    Trusted Advisor
    Posted Jul 15, 2013 09:45 AM

    Hello,

    Many threats inject into legitimate services, etc, to hide themselves.  SEP will block those.

    Check these links below:

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24187

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25297

    In such cases, there are a few things you need to look at:

    1) Make sure the autorun.inf is turned off.

    2) Check that the hosts file has not been changed or tampered with.

    3) If there are any unknown Browser Helper Objects, please disable them and remove their entries from the registry.

    4) Make sure the server is up to date with all the Latest Microsoft Security patches and all Browsers are running the latest version.

    5) Run the Symantec Endpoint Support Tool, which would identify the suspicious file on your machine; that file then has to be submitted to the Symantec Security Response Team.

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps!!



  • 4.  RE: I keep getting web injection notifications.

    Posted Jul 15, 2013 01:13 PM

    Thank you for the help, everyone. I'm sure it's not what I'm browsing on the web, even more so after what I found in the logs...


    I went to the security logs as Brian81 recommended, and I found two entries from today and yesterday. They both had the same description:


    [SID: 26825] Web Attack: Plesk Command Injection attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SKYPE\PHONE\SKYPE.EXE


    Does this mean that the attack (or whatever this turns out to be) is coming from Skype? 



  • 5.  RE: I keep getting web injection notifications.

    Broadcom Employee
    Posted Jul 15, 2013 01:16 PM

    Check this:

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26825

    Description

    This signature detects attempts to exploit php-cgi information disclosure vulnerability

    Additional Information

    Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer; other attacks are also possible.




  • 6.  RE: I keep getting web injection notifications.

    Posted Jul 16, 2013 09:15 AM

    Yes, this traffic is coming from Skype.



  • 7.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 12:28 PM

    I want to know some more information about this. I just got attacked by the same thing. So I already know by reading this thread what this attack is able to do, but how did it happen and what should I do to prevent it from happening again? Does this mean that Skype is infected? Should I format my computer?

    Would really appreciate some more information.

    Greetings,

    David



  • 8.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 12:34 PM

    Here is an additional writeup on it:

    http://static1.symanteccontent.com/security_response/attacksignatures/detail.jsp?asid=26825



  • 9.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 12:44 PM

    Thank you. But I've already read that 5 times.

    " You should take immediate action to stop any damage or prevent further damage from happening."

    Action? Action to do what? It feels like they tell me "Yes, this is not good, you should do something about it", but without giving any information on how to proceed.

    Is it network related, like a SQL injection, or is it something that has been downloaded and has now infected the machine?



  • 10.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 01:05 PM

    First off, the IPS is doing its job by blocking the infection attempt. You're not actually infected, so running a virus scan won't turn up anything. It is malicious traffic being detected and blocked, which stops the infection attempt.

    Are you running a version of PHP? This seems to be an attack specific to it.

    Have you upgraded to the latest version of Skype? There is a chance it could be a false positive.



  • 11.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 01:23 PM

    I'm not running PHP and yes, I've got the latest version of Skype. Yeah, it could be a false positive.

    Thanks for your help :)

    Greetings,

    David



  • 12.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 01:40 PM

    What is the remote (attacking) IP address?

    Is this an ongoing issue or did it happen once? Or every time you use Skype?



  • 13.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 01:53 PM

    The attack IP was: 95.110.132.11
    It has just happened once so far; I got it today for the first time.



  • 14.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 02:02 PM

    This remote IP appears to be running a vulnerable version of Plesk web admin. It doesn't appear to be configured correctly.

    When skyping, did you receive any messages or links that you may have clicked on?



  • 15.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 03:58 PM

    No, I did not. I was watching YouTube and Reddit at the time it happened. It pretty much just came out of nowhere.

    Edit: found this thread http://www.bleepingcomputer.com/forums/t/500524/need-help-understanding-attack-log/

    What is probably happening, is that these connections (with the HTTP requests that try to attack Plesk) connect to a port that is open on your machine.

    That port is probably opened by Skype, and that is why Norton is reporting Skype in the attack log.


    It sounds like this could be the case. And I am using an OpenVPN VPN, so the IP I'm using isn't really hard to get for other VPN users. So maybe someone is trying to find people with PHP and Plesk installed by just testing every IP on the VPN server.
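A small log-triage helper for alerts in the format quoted in post 4, added here as an example and not code from this thread or from Symantec: it parses the SID, signature name, flagged program and remote address out of each alert, then tallies alerts by program, signature and remote IP, which is the information post 12 asks for. The trailing "Remote IP" field, the SID 99999 entry and the browser path are constructed placeholders, not part of the real alert text.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Pattern for the SEP IPS alert format quoted in the thread:
#   [SID: 26825] Web Attack: <name> attack blocked. Traffic has been blocked
#   for this application: <device path>
# The trailing "Remote IP: <addr>" is an assumption of this example (the
# thread reports the remote address in a separate reply, not in the alert).
ALERT_RE = re.compile(
    r"\[SID:\s*(?P<sid>\d+)\]\s*Web Attack:\s*(?P<name>.+?)\s+attack\s+"
    r"(?P<outcome>\w+)\.\s*Traffic has been \w+ for this application:\s*"
    r"(?P<app>.+?)(?:\s+Remote IP:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)

# Constructed sample entries: the first two mirror the alert quoted in post 4;
# the third uses a placeholder SID, application and documentation-range IP.
SAMPLE_LOG = r"""
[SID: 26825] Web Attack: Plesk Command Injection attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SKYPE\PHONE\SKYPE.EXE Remote IP: 95.110.132.11
[SID: 26825] Web Attack: Plesk Command Injection attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SKYPE\PHONE\SKYPE.EXE Remote IP: 95.110.132.11
[SID: 99999] Web Attack: Placeholder Signature attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\EXAMPLE\BROWSER.EXE Remote IP: 203.0.113.7
Unrelated event line that the parser should ignore.
"""


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the alert's fields, or None when the line is not a web-attack alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # Keep only the executable name so alerts group by program, not by volume path.
    fields["app"] = fields["app"].rsplit("\\", 1)[-1].lower()
    return fields


def triage(log: str) -> Dict[str, object]:
    """Summarise which programs, signatures and remote addresses the alerts involve."""
    alerts = [a for a in map(parse_alert, log.splitlines()) if a]
    return {
        "total": len(alerts),
        # True when every alert was blocked: the traffic never reached the program,
        # which is why a file scan afterwards finds nothing (post 10).
        "all_blocked": all(a["outcome"] == "blocked" for a in alerts),
        "by_app": Counter(a["app"] for a in alerts),
        "by_sid": Counter(a["sid"] for a in alerts),
        "by_remote_ip": Counter(a["ip"] for a in alerts if a["ip"]),
    }
```

Repeated hits on one signature from one remote address against a program that merely holds a listening port, as in post 15, point to an inbound probe that the IPS stopped rather than to an infection on the host.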



  • 16.  RE: I keep getting web injection notifications.

    Posted Jul 29, 2013 03:59 PM

    It certainly is a high possibility that a mischievous person is out there poking around at different boxes to find something misconfigured.