Endpoint Protection Small Business Edition


SUB: AM I SAFE NOW OR SINCE THE ADAPTER SETTINGS AND FIREWALL SETTINGS HAVE BEEN CHANGED ...MY SECURITY IS COMPROMISED !!!

  • 1.  SUB: AM I SAFE NOW OR SINCE THE ADAPTER SETTINGS AND FIREWALL SETTINGS HAVE BEEN CHANGED ...MY SECURITY IS COMPROMISED !!!

    Posted Oct 03, 2012 03:07 PM
    IPS Alert Name: Web Attack: Blackhole Toolkit website 21
    Attacking computer: 116.203.96.89, 64006
    Source Address: 116.203.96.89
    Traffic Description: TCP, Port 64006
     
    Category : Firewall - Network and connections
    1)IP address has disappeared from adapter mts internet and is no longer being protected (IP address:.......)
    2)IP address has disappeared from adapter Microsoft 6to4 Adapter and is no longer being protected (IP address:.......)
     
    This happened whilst browsing, and the attack resulted from within the Apple Safari Browser's Webkit2webprocess.exe

    AS A RESULT NORTON 360 IS SHOWING THIS HAS BEEN DONE, BUT I HAVE NOT MADE ANY CHANGES MYSELF TO THE FIREWALL RULES. YET IT IS SHOWING THE FOLLOWING....PLEASE ADVISE....
     
     
    Program Name: Local Security Authority Process
    Program Path: C:\Windows\System32\lsass.exe
    Default Action: No Action Required
    Action Taken: User Configured rules
    Local Computer: 0.0.0.0,49154
    Traffic Description: Inbound Tcp, port 49154
    Details: You created firewall rules to manage how Local Security Authority Process accesses your network resources.
     
    Program Name: Local Security Authority Process
    Program Path: C:\Windows\System32\lsass.exe
    Default Action: No Action Required
    Action Taken: ALLOW
    Local Computer: ::0,49154
    Traffic Description: Inbound Tcp, port 49154
    Details: You ALLOWED Local Security Authority Process TO access your network resources.
     
     
    HERE, I DID NOT ASK OR ALLOW THE COMPUTER TO ACCESS ANY NETWORK RESOURCES. HOW COME IT IS SHOWING IT IS ALLOWING ACCESS?
     
    PLEASE ADVISE.....ASAP......WOULD APPRECIATE AN EARLY REPLY, THANKS.
     
    SUNIL
     


  • 2.  RE: SUB: AM I SAFE NOW OR SINCE THE ADAPTER SETTINGS AND FIREWALL SETTINGS HAVE BEEN CHANGED ...MY SECURITY IS COMPROMISED !!!

    Trusted Advisor
    Posted Oct 03, 2012 03:36 PM

    Hello,

    Are you running the Symantec Endpoint Protection 12.1 OR NORTON 360?

    Web Attack: Blackhole Toolkit Website 21

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25728

    In case you are using NORTON 360, please create a thread on the Norton Community:

    http://community.norton.com/t5/Norton-360/bd-p/Norton_360

    Hope that helps!!



  • 3.  RE: SUB: AM I SAFE NOW OR SINCE THE ADAPTER SETTINGS AND FIREWALL SETTINGS HAVE BEEN CHANGED ...MY SECURITY IS COMPROMISED !!!

    Posted Oct 03, 2012 06:18 PM

    From the above page, Web Attack: Blackhole Toolkit Website 21:

    Severity: High
    This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

    Description
    This signature detects attempts to download exploits from Blackhole toolkit that may compromise a computer through various vendor vulnerabilities.

    Additional Information
    Blackhole Toolkit compromises the machine by targeting various vendor vulnerabilities on the victim's machine.

    It's an IPS signature, which means it's detecting inbound attempts, not necessarily that you have been compromised. However, if the firewall/adapter changes came immediately after the alert, it certainly is suspicious.

    Is your computer fully patched, particularly with regard to critical Windows updates, Flash, Acrobat, Java, etc.?

    I would definitely recommend you open a thread on the Norton forum, because the users there are a lot more familiar with Norton 360's interface and capabilities.

    Good luck!

    sandra
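
A triage check a defender could run over firewall entries like the two pasted in the first post, as an added example that is not from the posters, Symantec or Norton: it checks that the binary sits at its expected path, that the local address is a wildcard (a listening socket rather than a connection to a peer), and that the port is in the dynamic range Windows uses for RPC. The field names follow the post; the expected-path table and the function names are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the two firewall entries pasted in the first post.
SAMPLE = r"""
Program Name: Local Security Authority Process
Program Path: C:\Windows\System32\lsass.exe
Action Taken: User Configured rules
Local Computer: 0.0.0.0,49154

Program Name: Local Security Authority Process
Program Path: C:\Windows\System32\lsass.exe
Action Taken: ALLOW
Local Computer: ::0,49154
"""

# Assumption: default install path of the system binary being checked.
EXPECTED_PATHS = {"lsass.exe": r"c:\windows\system32\lsass.exe"}
# IANA dynamic port range, which Windows Vista and later use for RPC endpoints.
DYNAMIC_PORTS = range(49152, 65536)

def parse_entries(text):
    """Split blank-line separated 'Key: Value' blocks into dicts with lowercase keys."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        entries.append({k.strip().lower(): v.strip() for k, v in pairs})
    return entries

def is_wildcard(addr):
    """True for the unspecified address (0.0.0.0 or ::), i.e. a listening socket."""
    try:
        return ip_address(addr.strip()).is_unspecified
    except ValueError:
        return False

def triage(entry):
    """Return reasons to look closer; an empty list means an ordinary system listener."""
    findings = []
    path = entry.get("program path", "").lower()
    if EXPECTED_PATHS.get(path.rsplit("\\", 1)[-1]) != path:
        findings.append("binary is not a known system binary at its expected path")
    addr, _, port = entry.get("local computer", "").rpartition(",")
    if not is_wildcard(addr):
        findings.append("local address is not a wildcard listener")
    if not port.strip().isdigit() or int(port) not in DYNAMIC_PORTS:
        findings.append("port is outside the dynamic RPC range")
    return findings
```

An empty findings list only says the entry looks like an ordinary Windows listener; it says nothing about the IPS alert itself, which still calls for the patch check raised in the last reply.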