I am running Norton Internet Security 2007 and have come across a bunch of stuff that just dosn't seem right.
It started about a week ago when I was running live update and could not update the firewall. I have tried numerous times and, until last night, everything but the firewall updated fine.
A couple of days ago I started looking at the firewall and found all sorts of rules that wern't there before. Could be because I set the firewall to handle known programs automatically (probably a bad idea).
However, one rule in program control gave full in and outbound permission to 'system'. As I understand it, any process supposedly initiated by the system can go out over the network or be interogated from the network.
I started looking into Norton logs last night and found that, over the last two weeks, something had been trying to access a series of norton programs, files and registry entries and was blocked. The log entries stop on 10/31.
Here is an entry from 10/23:
Event Details:
Actor: C:\WINDOWS\SYSTEM32\SVCHOST.EXE (PID=888)
Target: C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
I checked the firewall log and found that something was updating my firewall rules every 2 to 10 minutes yesterday, and again several times today. Two rules have been created in the last two days.
Here is one of them:
Details: A rule has been created to "permit" communications.
Outbound UDP packet.
Local address, service is (99.236.76.157,netbios-dgm(138)).
Remote address, service is (99.236.77.255,netbios-dgm(138)).
Process name is "System".
There are also several entries allowing shared networking like inbound netbios. I have turned off the Norton firewall and turned on the xp firewall for now.
I also looked at browser activity and found a number of entries with sites I do not recognize like the following:
Details: Connection: a248.e.akamai.net: http(80).
from 99.236.76.157: 1551.
991 bytes sent.
26319 bytes received.
1:06.956 elapsed time.
I suppose some of the entries could be add content from legitamate sites, but the above entry sure dosn't look like anything recognizable.
There is another entry that appears many times that puzzles me. It shows both the local and remote ip addresses as 27.0.0.1
Otherwise, my computer and browser seem to be performing normally. Other than turning off the Norton Firewall, I am unplugging my network connection when not in use.
So, have I been assimilated? Am I an unwhitting bot?
Fred
It started about a week ago when I was running live update and could not update the firewall. I have tried numerous times and, until last night, everything but the firewall updated fine.
A couple of days ago I started looking at the firewall and found all sorts of rules that wern't there before. Could be because I set the firewall to handle known programs automatically (probably a bad idea).
However, one rule in program control gave full in and outbound permission to 'system'. As I understand it, any process supposedly initiated by the system can go out over the network or be interogated from the network.
I started looking into Norton logs last night and found that, over the last two weeks, something had been trying to access a series of norton programs, files and registry entries and was blocked. The log entries stop on 10/31.
Here is an entry from 10/23:
Event Details:
Actor: C:\WINDOWS\SYSTEM32\SVCHOST.EXE (PID=888)
Target: C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
I checked the firewall log and found that something was updating my firewall rules every 2 to 10 minutes yesterday, and again several times today. Two rules have been created in the last two days.
Here is one of them:
Details: A rule has been created to "permit" communications.
Outbound UDP packet.
Local address, service is (99.236.76.157,netbios-dgm(138)).
Remote address, service is (99.236.77.255,netbios-dgm(138)).
Process name is "System".
There are also several entries allowing shared networking like inbound netbios. I have turned off the Norton firewall and turned on the xp firewall for now.
I also looked at browser activity and found a number of entries with sites I do not recognize like the following:
Details: Connection: a248.e.akamai.net: http(80).
from 99.236.76.157: 1551.
991 bytes sent.
26319 bytes received.
1:06.956 elapsed time.
I suppose some of the entries could be add content from legitamate sites, but the above entry sure dosn't look like anything recognizable.
There is another entry that appears many times that puzzles me. It shows both the local and remote ip addresses as 27.0.0.1
Otherwise, my computer and browser seem to be performing normally. Other than turning off the Norton Firewall, I am unplugging my network connection when not in use.
So, have I been assimilated? Am I an unwhitting bot?
Fred
Facebook
Twitter