
SUB: AM I SAFE NOW OR SINCE THE ADAPTER SETTINGS AND FIREWALL SETTINGS HAVE BEEN CHANGED ...MY SECURITY IS COMPROMISED !!!

Created: 03 Oct 2012 | 2 comments
IPS Alert Name: Web Attack: Blackhole Toolkit website 21
Attacking computer : 116.203.96.89, 64006
Attacker URL : www.mandalay.longmusic.com/main.php?page=588ec4e4ea3b00d8
Source Address: 116.203.96.89
Traffic Description: TCP, Port 64006
 
Category : Firewall - Network and connections
1)IP address has disappeared from adapter mts internet and is no longer being protected (IP address:.......)
2)IP address has disappeared from adapter Microsoft 6to4 Adapter and is no longer being protected (IP address:.......)
 
This happened whilst browsing, and the attack resulted from within the Apple Safari browser's Webkit2webprocess.exe.
 
 
 
AS A RESULT NORTON 360 IS SHOWING THIS HAS BEEN DONE, BUT I HAVE NOT MADE ANY CHANGES MYSELF TO THE FIREWALL RULES. YET IT IS SHOWING THE FOLLOWING....PLEASE ADVISE....
 
 
Program Name: Local Security Authority Process
Program Path: C:\Windows\System32\lsass.exe
Default Action: No Action Required
Action Taken: User Configured rules
Local Computer: 0.0.0.0,49154
Traffic Description: Inbound Tcp, port 49154
Details: You created firewall rules to manage how Local Security Authority Process accesses your network resources.
 
Program Name: Local Security Authority Process
Program Path: C:\Windows\System32\lsass.exe
Default Action: No Action Required
Action Taken: ALLOW
Local Computer: ::0,49154
Traffic Description: Inbound Tcp, port 49154
Details: You ALLOWED Local Security Authority Process TO access your network resources.
 
 
HERE, I DID NOT ASK OR ALLOW THE COMPUTER TO ACCESS ANY NETWORK RESOURCES. HOW COME IT IS SHOWING IT IS ALLOWING ACCESS?

PLEASE ADVISE.....ASAP......WOULD APPRECIATE AN EARLY REPLY, THANKS.
 
SUNIL
 

Comments (2)

Mithun Sanghavi

Hello,

Are you running the Symantec Endpoint Protection 12.1 OR NORTON 360?

Web Attack: Blackhole Toolkit Website 21

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25728

In case you are using NORTON 360, please create a thread on the Norton Community:

http://community.norton.com/t5/Norton-360/bd-p/Norton_360

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

sandra.g

From the above page, Web Attack: Blackhole Toolkit Website 21:

Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description
This signature detects attempts to download exploits from Blackhole toolkit that may compromise a computer through various vendor vulnerabilities.

Additional Information
Blackhole Toolkit compromises the machine by targeting various vendor vulnerabilities on the victim's machine.

It's an IPS signature, which means it's detecting inbound attempts, not necessarily that you have been compromised. However, if the firewall/adapter changes came immediately after the alert, it certainly is suspicious.

Is your computer fully patched, particularly with regards to critical Windows updates, Flash, Acrobat, Java, etc.?

I would definitely recommend you open a thread on the Norton forum, because the users there are a lot more familiar with Norton 360's interface and capabilities.

Good luck!

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!
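As an added example (not from the thread, Symantec or Norton), the triage logic sandra describes, run over a constructed copy of the alert records quoted above: an IPS hit is a blocked inbound attempt, while a firewall rule change on a Windows system binary within minutes of it is the part worth investigating. The timestamps, the `SYSTEM_BINARIES` list and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the alert text quoted in the thread. The
# timestamps are made up for this example; the alerts in the post carry none.
SAMPLE_ALERTS = """\
Time: 2012-10-03 10:15:02
IPS Alert Name: Web Attack: Blackhole Toolkit website 21
Attacking computer : 116.203.96.89, 64006
Traffic Description: TCP, Port 64006

Time: 2012-10-03 10:15:41
Program Name: Local Security Authority Process
Program Path: C:\\Windows\\System32\\lsass.exe
Action Taken: User Configured rules
Traffic Description: Inbound Tcp, port 49154

Time: 2012-10-03 10:15:42
Program Name: Local Security Authority Process
Program Path: C:\\Windows\\System32\\lsass.exe
Action Taken: ALLOW
Traffic Description: Inbound Tcp, port 49154
"""

# Assumed list: binaries a home user would not normally author firewall rules for.
SYSTEM_BINARIES = {r"c:\windows\system32\lsass.exe", r"c:\windows\system32\svchost.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window after an IPS alert

def parse_alerts(text):
    """Split the log into blank-line separated records of 'Key: value' pairs."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)  # first colon ends the key
            if m:
                rec[m.group(1).lower()] = m.group(2).strip()
        if rec:
            rec["_time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records

def triage(records):
    """Classify records: an IPS hit alone is a blocked attempt; a rule change on a
    system binary shortly after one is flagged separately for follow-up."""
    findings, last_ips = [], None
    for rec in records:
        if "ips alert name" in rec:
            ip = rec.get("attacking computer", "?").split(",")[0].strip()
            findings.append(("ips_blocked", rec["ips alert name"], ip))
            last_ips = rec["_time"]
        elif rec.get("program path", "").lower() in SYSTEM_BINARIES:
            recent = last_ips is not None and rec["_time"] - last_ips <= WINDOW
            kind = "rule_change_after_ips" if recent else "rule_change"
            findings.append((kind, rec["program path"], rec.get("action taken", "?")))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_alerts(SAMPLE_ALERTS)):
        print(finding)
```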