HTTP_ActivePerl_Overflow attacks

Message boards : Number crunching : HTTP_ActivePerl_Overflow attacks

Petit Soleil
Joined: 17 Feb 03 · Posts: 1497 · Credit: 70,934 · RAC: 0 · Canada
Message 8135 - Posted: 15 Jul 2004, 4:15:33 UTC
Last modified: 15 Jul 2004, 4:43:35 UTC

My firewall detects an "HTTP_ActivePerl_Overflow"
attack when I surf the message board.

It happens only here. I surfed the web for an hour
fine, but it pops up about a minute after entering the board.

I never had that before upgrading to version 3.20,
and I haven't changed anything here regarding the protection level.

Here is what Symantec says:

Some older versions of ActivePerl for Windows web servers may allow an attacker to execute arbitrary code at the privilege level of the web server process.

Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.

Am I the only one having this? I would appreciate your feelings about this.

Thanks
Best regards
Marc
ID: 8135

BigDawg
Joined: 16 Apr 04 · Posts: 113 · Credit: 6,927 · RAC: 0 · United States
Message 8140 - Posted: 15 Jul 2004, 4:25:05 UTC

I am using Norton firewall and am getting the same "HTTP_ActivePerl_Overflow".
When I do the visual trace route it is always from the same 2 places: one in Germany and one in the UK.
ID: 8140

Petit Soleil
Joined: 17 Feb 03 · Posts: 1497 · Credit: 70,934 · RAC: 0 · Canada
Message 8146 - Posted: 15 Jul 2004, 4:40:21 UTC

Thanks Bill,
Here it's coming from somewhere .de.
It only started today here; what about you?
ID: 8146

Lloyd
Joined: 22 Jan 02 · Posts: 41 · Credit: 1,266,000 · RAC: 0 · United States
Message 8147 - Posted: 15 Jul 2004, 4:44:01 UTC

I got a very strange message; it looks like it is saying that the attempted intrusion was FROM my machine! I hope this is just my Norton and Boinc 3.20 not getting along.

Details: Attempted Intrusion "HTTP_ActivePerl_Overflow" from your machine against www.gr-crew.de(217.195.36.7) was detected and blocked
Intruder: localhost(2343)
Risk Level: Medium
Protocol: TCP
Attacked IP: www.gr-crew.de(217.195.36.7)

ID: 8147

BigDawg
Joined: 16 Apr 04 · Posts: 113 · Credit: 6,927 · RAC: 0 · United States
Message 8148 - Posted: 15 Jul 2004, 4:45:45 UTC
Last modified: 15 Jul 2004, 4:47:20 UTC

Looks like Lloyd has the same attack we do; it is from the same place.

This is all the info I can find on the .de attack:
ip: 217.195.36.7
inetnum: 217.195.36.0 - 217.195.36.127
netname: NETCLUSIVE-NET
descr: [netclusive] - internet broadcasting
descr: Schloss Westerburg, 56457 Westerburg, Germany
country: DE
admin-c: CS2139-RIPE
tech-c: CS2139-RIPE
status: ASSIGNED PA
mnt-by: SSERV-NET
changed: netmaster@sserv.de 20031211
source: RIPE

Hope it helps you, and if it does could you please share the info with me. Thanks.
ID: 8148

Petit Soleil
Joined: 17 Feb 03 · Posts: 1497 · Credit: 70,934 · RAC: 0 · Canada
Message 8151 - Posted: 15 Jul 2004, 4:48:26 UTC

Exactly the same address here. I've run tracert on the address, but apart from getting the DNS name "Phoebe.netclusive.de 217.195.36.7" it's not tracing. I'm far from being a net specialist, and that's all I can check and tell.
ID: 8151

Lloyd
Joined: 22 Jan 02 · Posts: 41 · Credit: 1,266,000 · RAC: 0 · United States
Message 8153 - Posted: 15 Jul 2004, 4:53:30 UTC

If I am understanding what my Norton says, it is saying the "attempt" was from MY machine attacking http://www.gr-crew.de/. Why, how, or who that is I don't know. I went to that site, but I can't read it.
ID: 8153

BigDawg
Joined: 16 Apr 04 · Posts: 113 · Credit: 6,927 · RAC: 0 · United States
Message 8156 - Posted: 15 Jul 2004, 4:55:42 UTC

We need to find someone who can read German for us and translate it.
ID: 8156

Petit Soleil
Joined: 17 Feb 03 · Posts: 1497 · Credit: 70,934 · RAC: 0 · Canada
Message 8159 - Posted: 15 Jul 2004, 4:58:25 UTC

The only .de site I have visited so far is the Boincstats site found on the statistics and leaderboards page.

http://www.saschapfalz.de/boincstats/boinc-stats.php

The site never worked for me and behaved kind of strange.
Could this be related?
ID: 8159

Lloyd
Joined: 22 Jan 02 · Posts: 41 · Credit: 1,266,000 · RAC: 0 · United States
Message 8160 - Posted: 15 Jul 2004, 5:00:18 UTC

I'm going off for a bit to scan my machine. If I have a bug I don't want to spread it, although I think the Norton firewall stopped whatever it was. I'm going to make sure.
ID: 8160

BigDawg
Joined: 16 Apr 04 · Posts: 113 · Credit: 6,927 · RAC: 0 · United States
Message 8162 - Posted: 15 Jul 2004, 5:01:50 UTC
Last modified: 15 Jul 2004, 5:03:44 UTC

I went to that one also, but I also went to Clawhammer's and Guido's .de sites.

I am going to do a sys scan on mine also. Good idea, Lloyd.
ID: 8162

Petit Soleil
Joined: 17 Feb 03 · Posts: 1497 · Credit: 70,934 · RAC: 0 · Canada
Message 8165 - Posted: 15 Jul 2004, 5:08:05 UTC

One thing for sure is that even if we can't read what's on the
http://www.gr-crew.de web site, it has links to BOINC and some
team stats and stuff.

I will also do a good cleanup of my machine and see if it happens again.
ID: 8165

Darren
Volunteer tester
Joined: 2 Jul 99 · Posts: 259 · Credit: 280,503 · RAC: 0 · United States
Message 8167 - Posted: 15 Jul 2004, 5:11:50 UTC
Last modified: 15 Jul 2004, 5:13:59 UTC

This is a bit long, but following is the translation of the page by babel fish. It appears it's just discussing developing what I would guess is someone's sig file here. What this thing is they mention in relation to what's "going through" boinc, I have no clue.

The ip address given is someone in the forum here, not someone being attacked by the forum here. It appears several times in my web logfile fetching some of the graphics from my computer that I have on the forum here, so it's someone browsing the forum. Unfortunately, their browser isn't reporting all the available info, so I can't determine what particular threads they're reading.

My initial paranoia guess would be that someone is embedding something in their graphics, and my initial non-paranoia guess would be that someone just has some really crappy html code in there somewhere that's causing some errors.

---here's the babel fish translation---

So
I times an update brought in, with which I can merge now directly left and pictures here into the News, which did not go before.
I will strive now times for the comments, possibly hear their later again of me.

lake ya

* UPDATE *

thus with the Kommmentaren, I now simply times with another background colour solved, whereby that does not fit so completely naturally coloured, but is now first times secondary,
Main thing it functions.

Related left:
by andY.fRa (20.3.2004, 17:43)

[ 0 comments ]


Newsscript update

Thus I have times a forum furnished, please all to announce and also industriously use;)

GR forum

greeting

Related left:
by andY.fRa (29.2.2004, 20:58)

[ 0 comments ]


Forum

Thus I will shortly times nen forum to uppen and then would like I suggestion/suggestion for hopefully times soon the developing PAGE, it is clearly it no hammer PAGE, since none has here correctly experience, but is nich further tragically, will update can one the whole then also:)
Achja, I would then gladly know also who would offer itself also parts to take over, and regularly News, all the same from whatever range is welcomely. Thus new editors.

A new Newsscript I will also merge, the current have me too many restrictions.

Then to BOINC, some go through there already good, which makes me happy, but some and to count simply no more did not announce themselves. Harm.

lake ya andY

Related left:
by andY.fRa (29.2.2004, 15:38)

[ 0 comments ]


Call

So
most will now ask themselves:
What is BOINC?
Nunja it is a platform of the university of Berkeley, in order to make projects possible such as SETI more simply, to time is the whole still in the beta test, for the moment runs only SETI over this platform later is however also different things such as climate forecast on it to run.

Thus even if their desire have to extraterrestial ones to search and whole finally from the beta status rauszurechnen, provides here an account.

_ then downloaded it the Client.

Naturally I have also directly times a new team provided which it as fast as possible joinen should.

I hope for active participation
andY

Related left:
by andY.fRa (7.1.2004, 18:55)

[ 2 comments ]


BOINC

We write the year 2oo3 to still 1271 minutes up to the turn of the year! I hope it have already all a place where it you besaufen can:) We have case of up each a nice and warm place with Benjamin call in pig home! Again thanks for the nice Saufunterkunft: ]
Now want you nevertheless surely to know which we now everything for the Sauflager to have, gell? I you there surprised! :)
1l apple liquor, 2l apple wine, 1l Baileys, 1l Pflaeumchen, 2 box BrownShuga, 1 box shrink from Radler, min. 1l Vodka + Bitterlemon, evtl moose blood, 1l Ramazotti
I would say the pear to 10. (we are 10 people) can one nevertheless completely well away-drink itself: >
Perhaps have you you also in demand which we to eat? Perhaps how you know those is GR crew zufaul something to cook therefore hope themselves we that a delivery service has openly and us poor per a Pizza sends! Thank you already times to this delivery service, you are really sharpens! :)
We will also very probably shoot some Mbyte of pictures! then the case of up each on the homepage come! (will then under Related left zufinden to be!) Hold for you already times firmly these pictures become surely very merry!
I believe now know it more about the party, as if some those to the Silvesterbesaeufnis come! More comes reliably to the celebration!
Perhaps one is see/written at the o1.o1.2oo4!

MFG
dAN1

Related left:
by ` dAN1^ (31.12.2003, 2:49)

[ 4 comments ]
ID: 8167

Bill Barto
Joined: 28 Jun 99 · Posts: 864 · Credit: 58,712,313 · RAC: 91 · United States
Message 8171 - Posted: 15 Jul 2004, 5:31:28 UTC - in response to Message 8135.  

I recently had the same thing but am still running ver 3.19. This is what my Norton reported:

Details: Attempted Intrusion "HTTP_ActivePerl_Overflow" from your machine against 81.86.90.59 was detected and blocked
Intruder: localhost(3032)
Risk Level: Medium
Protocol: TCP
Attacked IP: 81.86.90.59
Attacked Port: http(80)

It is a site in the UK.
ID: 8171

BigDawg
Joined: 16 Apr 04 · Posts: 113 · Credit: 6,927 · RAC: 0 · United States
Message 8176 - Posted: 15 Jul 2004, 5:39:31 UTC
Last modified: 15 Jul 2004, 5:40:53 UTC

Yep, that is the one in the UK I mentioned. This is above my head, so I will have to trust Norton to keep it blocked. I am leaning towards Darren's paranoia guess.

And a big thank you to Darren for the time he put in for us!
ID: 8176

Petit Soleil
Joined: 17 Feb 03 · Posts: 1497 · Credit: 70,934 · RAC: 0 · Canada
Message 8178 - Posted: 15 Jul 2004, 5:47:08 UTC
Last modified: 15 Jul 2004, 5:53:12 UTC

> My initial paranoia guess would be that someone is embedding something in their graphics

If my understanding of it is correct, we might have users with a German and a UK ISP spreading some crap around just by surfing the message board?
Like Bill said, it's also over my head here, and I will make sure Norton is running and updated.
ID: 8178

Darren
Volunteer tester
Joined: 2 Jul 99 · Posts: 259 · Credit: 280,503 · RAC: 0 · United States
Message 8181 - Posted: 15 Jul 2004, 6:05:02 UTC - in response to Message 8178.  
Last modified: 15 Jul 2004, 6:06:08 UTC

> If my understanding of it is correct, we might have users with a German and UK
> ISP spreading some crap around just by surfing the message board?
> Like Bill said, it's also over my head here and I will make sure Norton is
> running and updated.

Someone will eventually come along who understands it and will fill everyone in, as most of it is over my head too. Of course it's possible that someone is doing something really malicious, but remember that you don't have much code space to work with here and your code is visible to anyone who replies to your message (for example, if you click to reply to this message, you can see the code that generates my sigfile), so anyone doing anything malicious would be found out pretty quickly, as someone would see the code and recognize that it isn't what should be there.

Also, it would be unlikely that they could do anything really bad with what they would have to work with, especially considering that most people only load the graphics here passively and don't try to click on them to see if they have a hyperlink. If they linked an executable to the image as a hyperlink, then clicking on it and letting it execute could cause more of a problem. On the site here, it would be more comparable to an attachment in an email: unless you act on it, it's *somewhat* limited in what it could do automatically.

That said, the people with Norton or some such software that reports this could probably at least narrow it down to the offending thread by opening a thread, waiting on it to fully load and seeing which thread they're in when the message appears.

ID: 8181
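Added example (not from this thread, and not Symantec's, Norton's or BOINC's code): the Symantec text quoted in message 8135 describes the trigger as an HTTP request for a long filename ending in .pl, and the Norton alerts in messages 8147 and 8171 list the Intruder as localhost, meaning the flagged request left the poster's own browser. Any image embedded in a post (a signature graphic, a stats banner) is fetched by the browser with exactly such a request, so a host IDS keyed on the request line fires on the client side. The script below does offline what Darren suggests above: given a saved thread page, it pulls out every externally hosted <img src>, builds the GET line the browser would send for it, and applies a heuristic of the shape the advisory describes, so you can see which host's image would set the alert off. The HTML, the .invalid hostnames, the 120-character CGI name and the 100-character "long" threshold are constructed assumptions for the example; they are not Symantec's actual signature and not any site named in this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed threshold for "long filename"; the real Symantec rule is not on the page.
LONG_FILENAME_CHARS = 100


def looks_like_activeperl_overflow(request_line: str) -> bool:
    """Heuristic of the shape the quoted advisory describes (assumption):
    the request target's last path segment, with any query string removed,
    ends in .pl (case-insensitive, as IIS filenames are) and is unusually long."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]
    filename = path.rsplit("/", 1)[-1]
    return filename.lower().endswith(".pl") and len(filename) >= LONG_FILENAME_CHARS


class ImgCollector(HTMLParser):
    """Collect every <img src=...> value in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def external_image_requests(page_html: str, page_host: str) -> list[tuple[str, str]]:
    """(host, request line) for each image the browser would fetch from a
    host other than the forum itself; relative and data: URLs are skipped."""
    collector = ImgCollector()
    collector.feed(page_html)
    out = []
    for src in collector.srcs:
        u = urlsplit(src)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue
        if u.hostname.lower() == page_host.lower():
            continue
        target = u.path or "/"
        if u.query:
            target += "?" + u.query
        out.append((u.hostname, f"GET {target} HTTP/1.1"))
    return out


def flag_thread_page(page_html: str, page_host: str) -> list[str]:
    """Hosts whose image fetch would match the heuristic, sorted."""
    return sorted({host for host, line in external_image_requests(page_html, page_host)
                   if looks_like_activeperl_overflow(line)})


# Constructed sample page. The .invalid hostnames and the 120-character
# CGI name are made up for the example; they are not sites from the thread.
SAMPLE_HOST = "forum.example.invalid"
SAMPLE_HTML = """
<html><body>
<div class="post">hello <img src="/img/smile.gif"></div>
<div class="sig"><img src="http://stats.example.invalid/sig.php?user=42"></div>
<div class="sig"><img src="http://team.example.invalid/cgi-bin/%s.pl?u=7"></div>
<div class="sig"><img src="http://team.example.invalid/banner.png"></div>
</body></html>
""" % ("sig" * 40)

if __name__ == "__main__":
    for host, line in external_image_requests(SAMPLE_HTML, SAMPLE_HOST):
        verdict = "ALERT" if looks_like_activeperl_overflow(line) else "ok"
        print(f"{verdict:5} {host:24} {line[:60]}")
    print("hosts to look at:", flag_thread_page(SAMPLE_HTML, SAMPLE_HOST))
```

To use it on a real thread, save the page from the browser (View Source), feed it in with the forum's own hostname, and compare the flagged hosts with the "Attacked IP" in the Norton record. If the host Norton names appears in the list but none of its request lines match the heuristic, the real signature is keyed on something other than a long .pl filename, and the threshold or the extension check here is not the right model of it.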
Petit Soleil
Joined: 17 Feb 03 · Posts: 1497 · Credit: 70,934 · RAC: 0 · Canada
Message 8186 - Posted: 15 Jul 2004, 6:29:57 UTC
Last modified: 15 Jul 2004, 6:31:04 UTC

Many thanks for your help Darren.

I wonder, will this thread be somehow forwarded to the BOINC team? I guess they are the ones, or the web master, who could trace and act accordingly. Like you said, "Someone will eventually come along who understands it and will fill everyone in". Sorry for the copy/paste; I couldn't find a better way to say it.

> If they linked an executable to the image as a hyperlink, then clicking on it and letting it execute could cause more of a problem

Well, I did click once on a hyperlink. It can be found in this thread:
http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1519

I am not making any suspicious assumptions, just providing information that might help find the problem.

Best regards
Marc
ID: 8186

BigDawg
Joined: 16 Apr 04 · Posts: 113 · Credit: 6,927 · RAC: 0 · United States
Message 8191 - Posted: 15 Jul 2004, 6:39:15 UTC
Last modified: 15 Jul 2004, 6:41:27 UTC

OK, I went back and visited all the threads since this started, and these 2 threads cause the attack for the .de site on my machine:

http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1370
http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1477
ID: 8191

Petit Soleil
Joined: 17 Feb 03 · Posts: 1497 · Credit: 70,934 · RAC: 0 · Canada
Message 8195 - Posted: 15 Jul 2004, 6:53:16 UTC
Last modified: 15 Jul 2004, 7:09:22 UTC

I don't know if it has something to do with our problem, but I got a
Confidentiality report at the bottom of the IE screen when I visited the first one.

http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1370


ID: 8195

©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.