
Hacking attempt?

wacki

Senior member
Oct 30, 2001
881
0
76
My friend has been hacked into and lost about $10K as a result. He upgraded his security and whenever he browses a particular internet forum he gets this:


Details: Attempted Intrusion "ICC Profile TagData Overflow" against your machine was detected and blocked.
Intruder: 195.122.194.233(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: XXXXXXXXXXXXXXXXXXXX
Attacked Port: 2174.

Why would this happen only when he is browsing an internet forum?
 

blemoine

Senior member
Jul 20, 2005
312
0
0
IPS = Intrusion Prevention System

IPS is a hardware appliance that sits in front of your firewall and scans incoming traffic. It is used to not only detect an attack but to react to an attack based on a rule set. Most IPS systems use SNORT to detect the attack.


****GREAT ADVICE**** If your friend has lost $10k because he was "hacked" then Zone Alarm Pro & Symantec are not the answer. He needs to hire a proven IT Security Consultant. It may seem expensive to pay $100.00 + an hour but it will be worth it in the long run. A consultant who deals with banks will be your best bet.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: blemoine
IPS = Intrusion Prevention System

IPS is a hardware appliance that sits in front of your firewall and scans incoming traffic. It is used to not only detect an attack but to react to an attack based on a rule set. Most IPS systems use SNORT to detect the attack.


****GREAT ADVICE**** If your friend has lost $10k because he was "hacked" then Zone Alarm Pro & Symantec are not the answer. He needs to hire a proven IT Security Consultant. It may seem expensive to pay $100.00 + an hour but it will be worth it in the long run. A consultant who deals with banks will be your best bet.


DING DING DING, Right answer. Please get them to the right people
 

spike spiegal

Member
Mar 13, 2006
196
0
0
Yeah, hire a security consultant because Symantec is tripping out on a vulnerability in the Windows Color Management Module because DoubleClick still can't write forum ads correctly. Boy, I'll sure lose sleep over that one.

Lots of people are whining about this, if you Google the error message. Lower the security alerts in Symantec since it's nearly worthless anyways.

"My friend has been hacked into and lost about $10K as a result"


Tell your friend to use Firefox, or any browser besides Internet Explorer, and stop using the term 'hacked into' when what really happened is you got spyware/a trojan from being at a site you shouldn't have been. :)
 
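The alert quoted in the first post names an "ICC Profile TagData Overflow", and the post above attributes it to a vulnerability in the Windows Color Management Module. As an added example (written for this thread, not code from any poster, Microsoft or Symantec), here is a parser of the ICC tag table that applies the bounds check a safe ICC reader needs and shows why a single `offset + size <= total` comparison in 32-bit arithmetic is not enough. The layout facts (128-byte header, `acsp` at offset 36, tag count at byte 128, 12-byte entries) come from the ICC.1 profile format; `build_profile`, `naive_u32_check` and the sample profiles are illustration helpers constructed here, not real colour profiles.

```python
import struct

# Layout facts from the ICC.1 profile format: a fixed 128-byte header, a
# 4-byte big-endian tag count at byte 128, then 12-byte tag entries
# (signature, offset, size), with offsets measured from the profile start.
ICC_HEADER_LEN = 128
ICC_TAG_ENTRY_LEN = 12
ICC_MAGIC = b"acsp"          # file signature at header offset 36
TABLE_START = ICC_HEADER_LEN + 4
U32_MAX = 0xFFFFFFFF


def parse_icc_tags(data: bytes) -> list:
    """Return [(signature, offset, size), ...] for every tag, raising
    ValueError for any table or tag that does not fit in `data`."""
    total = len(data)
    if total < TABLE_START:
        raise ValueError("buffer too small for header and tag count")
    if data[36:40] != ICC_MAGIC:
        raise ValueError("missing 'acsp' signature")
    declared = struct.unpack(">I", data[0:4])[0]
    if declared > total:
        raise ValueError(f"header claims {declared} bytes, only {total} present")

    count = struct.unpack(">I", data[ICC_HEADER_LEN:TABLE_START])[0]
    # Bound the count before using it in arithmetic, so a huge count cannot
    # make count * 12 wrap or walk the loop off the end of the buffer.
    if count > (total - TABLE_START) // ICC_TAG_ENTRY_LEN:
        raise ValueError(f"tag count {count} does not fit in {total} bytes")
    table_end = TABLE_START + count * ICC_TAG_ENTRY_LEN

    tags = []
    for i in range(count):
        pos = TABLE_START + i * ICC_TAG_ENTRY_LEN
        sig, off, size = struct.unpack(">4sII", data[pos:pos + ICC_TAG_ENTRY_LEN])
        # Two separate comparisons on purpose: a single "off + size <= total"
        # test is exactly what a 32-bit C parser gets wrong when the sum wraps.
        if off < table_end or off > total:
            raise ValueError(f"tag {sig!r}: offset {off} outside profile")
        if size > total - off:
            raise ValueError(f"tag {sig!r}: size {size} overruns profile end")
        tags.append((sig.decode("ascii", "replace"), off, size))
    return tags


def is_safe_icc(data: bytes) -> bool:
    """True if the tag table parses with every tag inside the buffer."""
    try:
        parse_icc_tags(data)
        return True
    except ValueError:
        return False


def naive_u32_check(off: int, size: int, total: int) -> bool:
    """The check a careless C parser does: add in uint32, then compare."""
    return ((off + size) & U32_MAX) <= total


def build_profile(tags, forge=None) -> bytes:
    """Build a constructed sample profile (not a real colour profile): a
    minimal header, the tag table, then the payloads back to back.
    `forge=(index, offset, size)` overwrites one entry to mimic a crafted file."""
    count = len(tags)
    cursor = TABLE_START + count * ICC_TAG_ENTRY_LEN
    entries, payload = [], b""
    for sig, body in tags:
        entries.append((sig, cursor, len(body)))
        payload += body
        cursor += len(body)
    if forge is not None:
        idx, off, size = forge
        entries[idx] = (entries[idx][0], off, size)
    header = bytearray(ICC_HEADER_LEN)
    header[0:4] = struct.pack(">I", cursor)      # total profile size
    header[36:40] = ICC_MAGIC
    table = struct.pack(">I", count) + b"".join(
        struct.pack(">4sII", sig, off, size) for sig, off, size in entries)
    return bytes(header) + table + payload


if __name__ == "__main__":
    good = build_profile([(b"desc", b"hello"), (b"cprt", b"x" * 7)])
    print(parse_icc_tags(good))
    # Crafted entry: offset valid, size 0xFFFFFFF0. In uint32 arithmetic
    # 144 + 0xFFFFFFF0 wraps to 128, which passes a naive end check.
    bad = build_profile([(b"desc", b"hello")], forge=(0, 144, 0xFFFFFFF0))
    print(naive_u32_check(144, 0xFFFFFFF0, len(bad)), is_safe_icc(bad))
```

The crafted entry is the shape of input an IPS signature for this class of bug looks for: a tag whose declared size runs past the end of the profile. The fix on the parser side is to never trust `count`, `offset` or `size` before each has been compared against the real buffer length on its own.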

bwanaaa

Senior member
Dec 26, 2002
739
1
81
Yeah, malware installs itself EVEN INTO FIREFOX! Use Ewido to get stuff that even Ad-Aware and Spybot miss.
 

Unkno

Golden Member
Jun 16, 2005
1,659
0
0
Yeah, not hacking, more like spyware. Firewalls and antiviruses are almost useless. Use something like Spy Sweeper and/or Microsoft Defender.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Jeepers, folks. We don't know ANYTHING about the situation that this "friend" is in, or how he was "hacked" to begin with. "Hacked" could mean anything from a trojan to a worm to an emailed spoof to get his credit card number.

If the friend is a homeowner with one computer, unpatched Windows 98, is hooked directly to a cable modem, is opening up unsolicited email attachments and is clicking on web links saying, "Warning, your computer is slow! Click here to fix it.", then his problem isn't that he hasn't installed SNORT.
 

FreshPrince

Diamond Member
Dec 6, 2001
8,361
1
0
Tell your friend to implement a proxy server with application intelligence and point the browser to that proxy. It will strip out all malicious content. This will also break most home-banking sites, so they will need to be added to the proxy's whitelist.

Do not run Windows with a local admin ID.

Change the Internet Explorer Internet security settings to block everything for everyday browsing, and only place trusted sites' URLs in the "Trusted sites" list. Make sure to click on Custom Level and disable everything for the Internet zone. If your friend needs to get to a home-banking site, put that URL in the Trusted sites zone. Disable everything in the Local intranet and Restricted sites zones as well.

Change the IE privacy setting to block all third-party cookies and prompt for all first-party cookies. Trusted sites like home banking can be added to "Always Allow"; all other sites should always be blocked. Also, turn the pop-up blocker to High and again only allow trusted sites for pop-ups.

Change the IE Advanced section to disable all install-on-demand apps. Do not enable third-party browser extensions. Do not save encrypted pages to disk. Empty the Temporary Internet Files folder when the browser is closed.

Change AutoComplete to web addresses only. Do not store form info or any passwords.

Make sure your friend has anti-virus and anti-spyware installed.

Make sure the hosts file is read-only, and check to make sure it isn't already compromised and re-routing your friend to malicious sites.

Make sure your friend has a software-based firewall installed and again, only whitelist trusted sites and block all others.

Make sure to turn on Data Execution Prevention (DEP) and allow no exceptions.

All of the above should be applied immediately after a fresh XP install and before the Ethernet cable is even connected to the network. Once the above has been applied, connect the Ethernet cable and immediately proceed to Windows Update and install all critical updates.

Now your friend's computer should be ready for Internet use. All of this is very inconvenient and requires lots of training and practice, but once this becomes a habit for your friend, you can be assured that virtually no virus, spyware, or data loss will ever happen again.

Hope this helps.