Message boards : Number crunching : HTTP_ActivePerl_Overflow attacks
Author | Message |
---|---|
Petit Soleil (Joined: 17 Feb 03, Posts: 1497, Credit: 70,934, RAC: 0) | My firewall detects an "HTTP_ActivePerl_Overflow" attack when surfing the message board. It happens only here. I have surfed the web for an hour fine, but it pops up about a minute after entering the board. I never had that before upgrading to version 3.20 and I haven't changed anything here regarding protection level. Here is what Symantec says: Some older versions of ActivePerl for Windows web servers may allow an attacker to execute arbitrary code at the privilege level of the web server process. Buffer overflow in PerlIS.dll in ActiveState ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension. Am I the only one having this? I would appreciate your feeling about this. Thanks. Best regards, Marc |
BigDawg (Joined: 16 Apr 04, Posts: 113, Credit: 6,927, RAC: 0) | I am using Norton firewall and am getting the same "HTTP_ActivePerl_Overflow". And when I do the visual trace route it is always from the same 2 places: one in Germany and one in the UK. |
Petit Soleil (Joined: 17 Feb 03, Posts: 1497, Credit: 70,934, RAC: 0) | Thanks Bill. Here it's coming from somewhere.de. It only started today here, what about you? |
Lloyd (Joined: 22 Jan 02, Posts: 41, Credit: 1,266,000, RAC: 0) | I got a very strange message; it looks like it is saying that the attempted intrusion was FROM my machine! I hope this is just my Norton and Boinc 3.20 not getting along. Details: Attempted Intrusion "HTTP_ActivePerl_Overflow" from your machine against www.gr-crew.de(217.195.36.7) was detected and blocked. Intruder: localhost(2343) Risk Level: Medium Protocol: TCP Attacked IP: www.gr-crew.de(217.195.36.7) |
BigDawg (Joined: 16 Apr 04, Posts: 113, Credit: 6,927, RAC: 0) | Looks like Lloyd has the same attack we do; it is from the same place. This is all the info I can find on the .de attack IP: 217.195.36.7 inetnum: 217.195.36.0 - 217.195.36.127 netname: NETCLUSIVE-NET descr: [netclusive] - internet broadcasting descr: Schloss Westerburg, 56457 Westerburg, Germany country: DE admin-c: CS2139-RIPE tech-c: CS2139-RIPE status: ASSIGNED PA mnt-by: SSERV-NET changed: netmaster@sserv.de 20031211 source: RIPE Hope it helps you, and if it does could you please share the info with me, thanks. |
Petit Soleil (Joined: 17 Feb 03, Posts: 1497, Credit: 70,934, RAC: 0) | Exactly the same address here. I've run tracert on the address, but apart from getting the DNS "Phoebe.netclusive.de 217.195.36.7" it's not tracing. I'm far from being a net specialist and that's all I can check and tell. |
Lloyd (Joined: 22 Jan 02, Posts: 41, Credit: 1,266,000, RAC: 0) | If I am understanding what my Norton says, it is saying the "attempt" was from MY machine attacking http://www.gr-crew.de/. Why, how or who that is I don't know. I went to that site but I can't read it. |
BigDawg (Joined: 16 Apr 04, Posts: 113, Credit: 6,927, RAC: 0) | We need to find someone who can read German for us and translate it. |
Petit Soleil (Joined: 17 Feb 03, Posts: 1497, Credit: 70,934, RAC: 0) | The only .de site I have visited so far is the Boincstats found on the statistics and leaderboards page: http://www.saschapfalz.de/boincstats/boinc-stats.php The site never worked for me and behaved kind of strange. Could this be related? |
Lloyd (Joined: 22 Jan 02, Posts: 41, Credit: 1,266,000, RAC: 0) | I'm going off for a bit to scan my machine. If I have a bug I don't want to spread it, although I think the Norton firewall stopped whatever it was. I'm going to make sure. |
BigDawg (Joined: 16 Apr 04, Posts: 113, Credit: 6,927, RAC: 0) | I went to that one also, but I also went to Clawhammer's and Guido's .de sites. I am going to do a sys scan on mine also; good idea Lloyd. |
Petit Soleil (Joined: 17 Feb 03, Posts: 1497, Credit: 70,934, RAC: 0) | One thing for sure is that even if we can't read what's on the http://www.gr-crew.de web site, it has links towards Boinc and some team stats and stuff. I will also make a good cleanup of my machine and see if it happens again. |
Darren (Joined: 2 Jul 99, Posts: 259, Credit: 280,503, RAC: 0) | This is a bit long, but following is the translation of the page by Babel Fish. It appears it's just discussing developing what I would guess is someone's sig file here. What this thing is they mention in relation to what's "going through" BOINC, I have no clue. The IP address given is someone in the forum here, not someone being attacked by the forum here. It appears several times in my web logfile fetching some of the graphics from my computer that I have on the forum here, so it's someone browsing the forum. Unfortunately, their browser isn't reporting all the available info, so I can't determine what particular threads they're reading. My initial paranoia guess would be that someone is embedding something in their graphics, and my initial non-paranoia guess would be that someone just has some really crappy HTML code in there somewhere that's causing some errors. ---here's the Babel Fish translation--- So I times an update brought in, with which I can merge now directly left and pictures here into the News, which did not go before. I will strive now times for the comments, possibly hear their later again of me. lake ya * UPDATE * thus with the Kommmentaren, I now simply times with another background colour solved, whereby that does not fit so completely naturally coloured, but is now first times secondary, Main thing it functions. Related left: by andY.fRa (20.3.2004, 17:43) [ 0 comments ] Newsscript update Thus I have times a forum furnished, please all to announce and also industriously use;) GR forum greeting Related left: by andY.fRa (29.2.2004, 20:58) [ 0 comments ] Forum Thus I will shortly times nen forum to uppen and then would like I suggestion/suggestion for hopefully times soon the developing PAGE, it is clearly it no hammer PAGE, since none has here correctly experience, but is nich further tragically, will update can one the whole then also:) Achja, I would then gladly know also who would offer itself also parts to take over, and regularly News, all the same from whatever range is welcomely. Thus new editors. A new Newsscript I will also merge, the current have me too many restrictions. Then to BOINC, some go through there already good, which makes me happy, but some and to count simply no more did not announce themselves. Harm. lake ya andY Related left: by andY.fRa (29.2.2004, 15:38) [ 0 comments ] Call So most will now ask themselves: What is BOINC? Nunja it is a platform of the university of Berkeley, in order to make projects possible such as SETI more simply, to time is the whole still in the beta test, for the moment runs only SETI over this platform later is however also different things such as climate forecast on it to run. Thus even if their desire have to extraterrestial ones to search and whole finally from the beta status rauszurechnen, provides here an account. _ then downloaded it the Client. Naturally I have also directly times a new team provided which it as fast as possible joinen should. I hope for active participation andY Related left: by andY.fRa (7.1.2004, 18:55) [ 2 comments ] BOINC We write the year 2oo3 to still 1271 minutes up to the turn of the year! I hope it have already all a place where it you besaufen can:) We have case of up each a nice and warm place with Benjamin call in pig home! Again thanks for the nice Saufunterkunft: ] Now want you nevertheless surely to know which we now everything for the Sauflager to have, gell? I you there surprised! :) 1l apple liquor, 2l apple wine, 1l Baileys, 1l Pflaeumchen, 2 box BrownShuga, 1 box shrink from Radler, min. 1l Vodka + Bitterlemon, evtl moose blood, 1l Ramazotti I would say the pear to 10. (we are 10 people) can one nevertheless completely well away-drink itself: > Perhaps have you you also in demand which we to eat? Perhaps how you know those is GR crew zufaul something to cook therefore hope themselves we that a delivery service has openly and us poor per a Pizza sends! Thank you already times to this delivery service, you are really sharpens! :) We will also very probably shoot some Mbyte of pictures! then the case of up each on the homepage come! (will then under Related left zufinden to be!) Hold for you already times firmly these pictures become surely very merry! I believe now know it more about the party, as if some those to the Silvesterbesaeufnis come! More comes reliably to the celebration! Perhaps one is see/written at the o1.o1.2oo4! MFG dAN1 Related left: by ` dAN1^ (31.12.2003, 2:49) [ 4 comments ] |
Bill Barto (Joined: 28 Jun 99, Posts: 864, Credit: 58,712,313, RAC: 91) | I recently had the same thing but am still running ver 3.19. This is what my Norton reported: Details: Attempted Intrusion "HTTP_ActivePerl_Overflow" from your machine against 81.86.90.59 was detected and blocked Intruder: localhost(3032) Risk Level: Medium Protocol: TCP Attacked IP: 81.86.90.59 Attacked Port: http(80) It is a site in the UK. |
BigDawg (Joined: 16 Apr 04, Posts: 113, Credit: 6,927, RAC: 0) | Yep, that is the one in the UK I mentioned. This is above my head so I will have to trust Norton to keep it blocked. I am leaning towards Darren's paranoia guess. And a big thank you to Darren for the time he put in for us!!!!!!!!! |
Petit Soleil (Joined: 17 Feb 03, Posts: 1497, Credit: 70,934, RAC: 0) | "My initial paranoia guess would be that someone is embedding something in their graphics" ---- If my understanding of it is correct, we might have users with a German and UK ISP spreading some crap around just by surfing the message board? Like Bill said, it's also over my head here and I will make sure Norton is running and updated. |
Darren (Joined: 2 Jul 99, Posts: 259, Credit: 280,503, RAC: 0) | > If my understanding of it is correct, we might have users with a German and UK ISP spreading some crap around just by surfing the message board? Like Bill said, it's also over my head here and I will make sure Norton is running and updated. --- Someone will eventually come along who understands it and will fill everyone in, as most of it is over my head too. Of course it's possible that someone is doing something really malicious, but remember that you don't have much code space to work with here and your code is visible to anyone who replies to your message (for example, if you click to reply to this message, you can see the code that generates my sigfile), so anyone doing anything malicious would be found out pretty quickly as someone would see the code and recognize that it isn't what should be there. Also, it would be unlikely that they could do anything really bad with what they would have to work with, especially considering that most people only load the graphics here passively and don't try to click on them to see if they have a hyperlink. If they linked an executable to the image as a hyperlink, then clicking on it and letting it execute could cause more of a problem. On the site here, it would be more along the comparison of an attachment in an email - unless you act on it, it's *somewhat* limited in what it could do automatically. That said, the people with Norton or some such software that reports this could probably at least narrow it down to the offending thread by opening a thread, waiting on it to fully load and seeing which thread they're in when the message appears. |
Petit Soleil (Joined: 17 Feb 03, Posts: 1497, Credit: 70,934, RAC: 0) | Many thanks for your help Darren. I wonder, will these threads be somehow forwarded to the Boinc team? I guess they are the ones, or the web master, who could trace and act accordingly. Like you said, "Someone will eventually come along who understands it and will fill everyone in". Sorry for the copy/paste, couldn't find a better way to say it. "If they linked an executable to the image as a hyperlink, then clicking on it and letting it execute could cause more of a problem" Well, I did click once on a hyperlink. It can be found on this thread: http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1519 I am not making any suspicious assumption, just providing information that might help finding the problem. Best regards, Marc |
BigDawg (Joined: 16 Apr 04, Posts: 113, Credit: 6,927, RAC: 0) | OK, I went back and visited all the threads since this started and these 2 threads cause the attack for the .de site on my machine: http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1370 http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1477 |
Petit Soleil (Joined: 17 Feb 03, Posts: 1497, Credit: 70,934, RAC: 0) | I don't know if it has something to do with our problem, but I've got a Confidentiality report at the bottom of the IE screen when I visited the first one. http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1370 |
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.