Endpoint Protection

  • 1.  What makes a cookie malicious

    Posted Jul 14, 2011 09:53 AM

    Queen's University Belfast is hosting a website which is presenting details about a Conference in 2012 (Euchem 2012).

    We received comments about people being unable to access the site as Symantec (SEP 11) was reporting a 'malicious cookie' error. One of our staff experimented and has decided: 'I have been testing this out all day and it is a problem with Symantec. I had an unmanaged client on my machine with all the updates and, as of trying to log on to the website www.euchem2012.org from Google, I got the message "sid 24125 web attack malicious cookie detected ip address 143.117.XXX.XXX" (where the Xs are here in place of the real numbers); this then blocks the site for 10 minutes.'

    By removing SEP and using e.g. Avast, the site is accessible.

    Now for the question(s): what, according to Symantec, makes a cookie malicious? And how do we get round this problem?



  • 2.  RE: What makes a cookie malicious

    Posted Jul 14, 2011 10:35 AM

    What is the full IP address? I would like to dig deeper on this. It is possible this could be a false positive. If that is the case, you can create an exception for SID 24125 (see image).




  • 3.  RE: What makes a cookie malicious

    Posted Jul 15, 2011 10:04 AM

    In general the site fails whenever someone does a search for euchem2012 and tries to access the site via the links that are displayed. The problem does not seem to happen when the URL (www.euchem2012.org) is typed directly into a browser.

    There must be a subtle difference between the direct and indirect methods even though the URL is the same.



  • 4.  RE: What makes a cookie malicious

    Posted Jul 15, 2011 12:49 PM

    I did some research on the IP address, and no known threats came back.

    There is a chance that there is a threat living on this server. Are you involved with the owner of the site?

    I am moving this to the Endpoint Protection forum for greater visibility.


    Web Attack: Malicious Cookie Activity - http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24125



  • 5.  RE: What makes a cookie malicious

    Posted Jul 15, 2011 01:49 PM

    Hi Jim,

    I did some small research on this issue and found that the website www.euchem2012.org opens if the link is clicked or typed in, but if it is reached through a search engine it does not. I tried this in IE, but I did not find any problem with other browsers like Firefox. You could try that; if the problem still exists, I would recommend you submit this threat to http://submit.symantec.com/ Try it and leave a comment. Good luck...



  • 6.  RE: What makes a cookie malicious

    Posted Jul 15, 2011 02:15 PM

    One of the common web attacks currently is to serve the site differently based on how you get there and what your user agent is.

    I was able to reproduce the problem by doing the following:

    1.  Go to Google.
    2.  Search for echem2012.
    3.  Click on a result that would take me to echem2012.com.
    4.  get the cookie error reported by the user.

    I can browse straight to the website without error. So far that is what was reported in the first post.

    I used Wireshark to record the test with Google, and I find that when I access the site by clicking on a link from Google there is a 302 redirect sending me to

    hxxp://infernomag.com/cgi-bin/r.cgi?p<redacted>

    This site doesn't come up for me, but I do note that it is listed as a malware site by my url security provider.

    Unless that infernomag.com link is intentional, it looks to me like echem2012.com has been compromised.  
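
The reproduction above (a search-engine referral gets a 302 to another host, a direct visit does not) can be checked without Wireshark by sending the two requests yourself with redirects disabled and comparing the responses. The following Python script is an added example and is not code from anyone in this thread or from Symantec; the User-Agent strings, the Google referer value and the helper names (`probe`, `classify`, `looks_cloaked`, `simulated_fetch`) are assumptions for illustration. The fetcher is injectable so the script runs offline against a constructed stand-in that mimics the behaviour reported here; swap in `urllib_fetch` to run it against a live site.

```python
"""Probe a URL as a direct visitor, a Google-referred visitor and a Googlebot,
with redirects disabled, and flag a referer- or user-agent-dependent off-site
302. Added example; not from the thread or from Symantec."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumed header values for the probe (not taken from the thread).
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
GOOGLE_REFERER = "http://www.google.com/search?q=euchem2012"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 3xx as an HTTPError instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, request_headers, timeout=10):
    """Real fetcher: returns (status, {lower-cased header: value}) for one request."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=request_headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx (because of _NoRedirect), 4xx, 5xx land here
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def _site(host):
    """Crude same-site normalisation: lower-case and drop a leading 'www.'."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(url, status, headers):
    """Classify one response as (verdict, host); verdict is one of
    'ok', 'onsite-redirect', 'offsite-redirect' or 'other'."""
    if status in REDIRECT_CODES:
        # Location may be relative, so resolve it against the requested URL first.
        target = urlparse(urljoin(url, headers.get("location", ""))).hostname or ""
        if target and _site(target) != _site(urlparse(url).hostname):
            return "offsite-redirect", target
        return "onsite-redirect", target
    if status == 200:
        return "ok", None
    return "other", None


def probe(url, fetch=urllib_fetch):
    """Request the URL three ways and classify each response."""
    cases = {
        "direct": {"User-Agent": BROWSER_UA},
        "from-google": {"User-Agent": BROWSER_UA, "Referer": GOOGLE_REFERER},
        "googlebot-ua": {"User-Agent": GOOGLEBOT_UA},
    }
    return {name: classify(url, *fetch(url, hdrs)) for name, hdrs in cases.items()}


def looks_cloaked(results):
    """True when the direct visit is clean but some other path is bounced off-site."""
    return results["direct"][0] == "ok" and any(
        verdict == "offsite-redirect"
        for name, (verdict, _host) in results.items()
        if name != "direct"
    )


def simulated_fetch(url, request_headers):
    """Constructed stand-in (no network) mimicking what the thread reports:
    a Google referer gets a 302 to infernomag.com, anything else gets a 200.
    The query string the poster redacted is deliberately left out."""
    if "google." in request_headers.get("Referer", "").lower():
        return 302, {"location": "http://infernomag.com/cgi-bin/r.cgi"}
    return 200, {"content-type": "text/html"}


if __name__ == "__main__":
    findings = probe("http://www.euchem2012.org/", fetch=simulated_fetch)
    for name, (verdict, host) in findings.items():
        print(f"{name:13s} {verdict}" + (f" -> {host}" if host else ""))
    print("cloaked redirect suspected:", looks_cloaked(findings))
```

Disabling redirect following is the important part: a browser or a default `urllib` opener would chase the 302 and you would only see the final page (or the blocked page), not the hop that the IPS is flagging. A redirect back to the same site (for example to `/index.php`) is reported separately so that ordinary canonicalisation does not count as a finding.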



  • 7.  RE: What makes a cookie malicious

    Posted Jul 18, 2011 09:25 AM

    I get the problem no matter which browser or search engine I use:

    Keying in the URL or e.g. clicking on the link within a document works fine. Things go wrong when I click on a link which a search engine displays.

    I am not au fait with Wireshark, but I would appreciate it if others could confirm the 'infernomag.com' link reported by Mordac by this or any means. I would like to know that there are definite signs of a compromise before I go down a road that I shouldn't.

    Thanks to all who have helped so far,

    Jim



  • 8.  RE: What makes a cookie malicious

    Posted Jul 18, 2011 10:43 AM

    I can reproduce the same findings as Mordac. Using the same method I get the same errors and am sent to the same website, 'infernomag.com'.

    Best of luck



  • 9.  RE: What makes a cookie malicious

    Posted Jul 18, 2011 01:38 PM

    Add your website to the exclusion list in your antivirus product and check whether the same scenario recurs.



  • 10.  RE: What makes a cookie malicious

    Posted Jul 20, 2011 09:52 AM

    The problem has disappeared, along with the 'inferno' link.