Intrusion attempt?

Hi,

My Norton firewall popped up a few times today; I managed to jot down the details from the last intrusion detection. Can someone tell me what this means?

Norton Internet Security has detected and blocked an intrusion attempt:

Intrusion: HTTP Cobal Raq Apache Disclosure
Intruder: localhost (2645)
Risk level: Medium
Protocol: TCP.
Attacked IP: WWW.wolfenstein-et.co.uk(195.62.28.19)
Attacked port: http (80)

Cheers
 
Port 80 is the HTTP port!? Anyway, it's needed to browse the internet. Maybe the site was trying to see what system you were running or something. Ignore it. Doesn't seem serious.

Just seen that it says that it's the HTTP port. Were you on that site, or do you go on it regularly? Pop-up?


On another note: Bring back quick reply!!!
 
No, I wasn't browsing or anything. I was busy defragging my PC, then got a pop-up message from the firewall... I got it twice afterwards while I was doing some 3D work... I'm on a wireless broadband network, so I'm always connected to the net.

I've never visited that site, ever. I'm the only one on this PC. :S
 
Ignore it. If you took notice of every 'intrusion attempt' then you'd be forever writing things down.

Most home firewalls and the like are overly sensitive and seem to interpret everything as a DDOS attack or similar.
 
Firstly - Burberryflop is right. Don't be concerned. Your firewall will often nag you to say you are "being hacked". This is kinda daft. It is like the software is shouting "look, I am clever, I am doing what I was paid for". So if you get a message - then the attack was blocked. :rolleyes:

You only need to worry when you don't see the message and the hack bypasses the wall.... :eek:

As to the actual report...
prince said:
Intrusion: HTTP Cobal Raq Apache Disclosure
Intruder: localhost (2645)
Risk level: Medium
Protocol: TCP.
Attacked IP: WWW.wolfenstein-et.co.uk(195.62.28.19)
Attacked port: http (80)

Look at the words used, and you will see that this is a very confused message. Probably a dud recognition. "localhost" is another name for your own PC. So this message is telling us that your PC contacted the Wolfenstein Enemy Territory website. That is what "http Port 80" is for. :D

[sarcasm mode]Oooo what a surprise that Norton is talking rubbish again.... [/sarcasm mode] It has been over protective and recognised something healthy as a virus. My guess is you have a copy of Wolfenstein installed. When you fired it up, a probe was sent out to check for an update. (or maybe looking for other Wolfenstein servers or something)

Basically - don't worry about it. :D
 
A small "PS" to my above post.....

Have a look at that website guys.... and there is a message posted as follows:

"Sorry, due to people that can't leave this site alone, it has now been taken down. It might come back it might not

I might add a forum later on. Sorry guys.
"

That sounds like someone has been attacking that site. Now this does make me wonder.... there is the possibility that you ARE taking part in a DDoS on that site. Hit the Update buttons in NIS and then do a full scan of your PC.

Actually, better than that. Install AVG (http://free.grisoft.com) and do a second scan of your PC with that as well. There is a possibility that your PC is part of a zombie network and is attacking the Wolfenstein site.... :confused:
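Added example, not part of the thread and not Symantec's code: a small Python parser that reads alerts in the format prince pasted and applies MAllen's reading of the fields. "Intruder: localhost" means the connection was opened from this PC, so the alert records outbound traffic to 195.62.28.19:80; the script then counts hits per destination so that three alerts can be told apart from the hundreds that would point at the machine flooding a site. The field names come from the pasted alert; the second and third alert blocks, the flood threshold and the 203.0.113.7 address (a documentation range) are constructed for the example.

```python
"""Make sense of Norton Internet Security alerts the way the thread does:
"Intruder: localhost" means this PC opened the connection, and a handful
of hits to one site is not a flood. Added example; the first alert block
is the poster's, the other two are constructed in the same format."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_ALERTS = """\
Norton Internet Security has detected and blocked an intrusion attempt:

Intrusion: HTTP Cobal Raq Apache Disclosure
Intruder: localhost (2645)
Risk level: Medium
Protocol: TCP.
Attacked IP: WWW.wolfenstein-et.co.uk(195.62.28.19)
Attacked port: http (80)

Norton Internet Security has detected and blocked an intrusion attempt:

Intrusion: HTTP Cobal Raq Apache Disclosure
Intruder: localhost (2701)
Risk level: Medium
Protocol: TCP.
Attacked IP: WWW.wolfenstein-et.co.uk(195.62.28.19)
Attacked port: http (80)

Norton Internet Security has detected and blocked an intrusion attempt:

Intrusion: Constructed inbound probe signature
Intruder: 203.0.113.7 (3412)
Risk level: Low
Protocol: TCP.
Attacked IP: localhost(192.168.1.5)
Attacked port: epmap (135)
"""

# "name (detail)" or "name(detail)": host + port, or hostname + IP
ENDPOINT_RE = re.compile(r"^(?P<name>[^\s(]+)\s*\((?P<detail>[^)]*)\)$")


@dataclass
class Alert:
    signature: str
    risk: str
    src_host: str
    src_port: int
    dst_host: str
    dst_ip: str
    dst_port: int

    @property
    def direction(self) -> str:
        """The 'Intruder' is the side that opened the connection; when it
        is localhost, this PC initiated the traffic."""
        return "outbound" if self.src_host.lower() == "localhost" else "inbound"


def _endpoint(value: str) -> tuple[str, str]:
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint field: {value!r}")
    return m.group("name"), m.group("detail")


def parse_alerts(text: str) -> list[Alert]:
    """Turn one or more pasted alert blocks into Alert records."""
    alerts, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line or line.endswith(":"):
            continue  # blank line or the 'has detected and blocked' header
        key, val = (part.strip() for part in line.split(":", 1))
        fields[key] = val.rstrip(".")  # 'Protocol: TCP.' -> 'TCP'
        if key == "Attacked port":  # last field of a block
            src_host, src_port = _endpoint(fields["Intruder"])
            dst_host, dst_ip = _endpoint(fields["Attacked IP"])
            _, dst_port = _endpoint(fields["Attacked port"])
            alerts.append(Alert(fields["Intrusion"], fields["Risk level"],
                                src_host, int(src_port), dst_host, dst_ip, int(dst_port)))
            fields = {}
    return alerts


def summarise(alerts: list[Alert]) -> Counter:
    """Hits per (direction, destination IP, destination port)."""
    return Counter((a.direction, a.dst_ip, a.dst_port) for a in alerts)


def assess(alerts: list[Alert], flood_threshold: int = 100) -> dict:
    """Plain-English verdict per destination. The threshold is an assumption;
    the point is that 3 hits and 3000 hits mean different things."""
    verdicts = {}
    for key, n in summarise(alerts).items():
        direction, ip, port = key
        if direction == "inbound":
            verdicts[key] = f"{n} inbound probe(s) from outside were blocked: background noise"
        elif n >= flood_threshold:
            verdicts[key] = (f"{n} outbound hits to {ip}:{port}: this PC may be part of a flood, "
                             "scan it and check netstat -ano")
        else:
            verdicts[key] = f"{n} outbound hit(s) to {ip}:{port}: most likely a local program talking to that site"
    return verdicts


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.direction:8} {a.src_host}:{a.src_port} -> {a.dst_ip}:{a.dst_port}  [{a.signature}]")
    for verdict in assess(parsed).values():
        print(verdict)
```

The same question can be answered live on the XP box with `netstat -ano` (the `-o` column is the PID), which shows whether any process currently holds a connection to 195.62.28.19 and which program owns it; that is the check that turns "Norton says something" into "this executable did it".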
 
MAllen said:
A small "PS" to my above post.....

Have a look at that website guys.... and there is a message posted as follows:

"Sorry, due to people that can't leave this site alone, it has now been taken down. It might come back it might not

I might add a forum later on. Sorry guys."

That sounds like someone has been attacking that site. Now this does make me wonder.... there is the possibility that you ARE taking part in a DDoS on that site. Hit the Update buttons in NIS and then do a full scan of your PC.

Actually, better than that. Install AVG (http://free.grisoft.com) and do a second scan of your PC with that as well. There is a possibility that your PC is part of a zombie network and is attacking the Wolfenstein site.... :confused:

That's what I was thinking :O Doing a full scan now. I don't have Wolfenstein installed on the PC, never played it. Thanks for the replies guys :)
 
What are you scanning with? If only NAV, then it is worth getting the free copy of AVG as well. Just don't install the "resident" mode. Just use it as an "on demand scanner" to double check if Norton missed anything.

Also may be worth running HiJackThis and then posting the logs up here. I'll make sense of them for you as I am now home for the next few hours. :D
 
Also - look in the Norton logs and see how many things have been blocked from your PC. Is it just a single probe, or are there hundreds?
 
HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 17:09:32, on 24/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Documents and Settings\Rasel\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/england/west_midlands/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESmart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {34260DAF-318A-4B5A-8778-A861CF2108A5} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} (VPlayer Control) - http://www.wherethebloodyhellareyou.com/player/vivid_ocx.jpeg
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

I'm also scanning the PC right now with NAV.
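A second added example, again not from the thread and not HijackThis's own code: a small triage script that reads a handful of lines copied from the log above and applies rules of the kind MAllen applied by eye. It flags an O4 Run entry that is a bare filename (StartupMonitor.exe), so which file actually runs depends on the PATH search; an O16 ActiveX control fetched from a URL that does not end in .cab, .ocx or .dll, which is unusual for a control download; an O18 protocol handler whose DLL is missing; and an O23 service whose binary sits outside Program Files or Windows. The rules and the trusted roots are the editor's assumptions, and a flag means "check this by hand", not "this is malware"; nothing on the page shows any of these entries to be malicious.

```python
"""Triage a HijackThis log excerpt. Added example, not part of the thread;
the log lines below are copied from the poster's log, the rules are
assumptions about what deserves a manual look, not malware verdicts."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpt: six lines taken verbatim from the log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} (VPlayer Control) - http://www.wherethebloodyhellareyou.com/player/vivid_ocx.jpeg
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

LINE_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")
# Assumed "normal" locations for service binaries on this XP box.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows", "c:\\progra~1")
CONTROL_EXTENSIONS = (".cab", ".ocx", ".dll")


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. O4, O16, O23
    body: str     # everything after "Oxx - "
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the 'Oxx - ...' / 'Rx - ...' lines; skip headers and blanks."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body"), raw.strip()))
    return entries


def _executable(cmd: str) -> str:
    """First token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs for lines worth checking by hand."""
    findings = []
    for e in entries:
        if e.section == "O4":
            m = RUN_RE.search(e.body)
            if not m:
                continue  # Global Startup .lnk lines have no [name] command form
            exe = _executable(m.group("cmd"))
            if "\\" not in exe:
                findings.append((e, "startup entry is a bare filename: the file that runs "
                                    "depends on PATH lookup, locate it and check its properties"))
        elif e.section == "O16":
            url = e.body.rsplit(" - ", 1)[-1].strip()
            if not url.lower().endswith(CONTROL_EXTENSIONS):
                findings.append((e, f"ActiveX control fetched from {url}: unusual extension "
                                    "for a control download, review manually"))
        elif e.section == "O18":
            if "(file missing)" in e.body:
                findings.append((e, "protocol handler points at a missing DLL: stale "
                                    "registration rather than running code"))
        elif e.section == "O23":
            path = e.body.rsplit(" - ", 1)[-1].strip().strip('"').lower()
            if not path.startswith(TRUSTED_ROOTS):
                findings.append((e, "service binary outside Program Files / Windows"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.section}: {reason}\n    {entry.raw}")
```

Run against the whole log, the O23 rule stays quiet because every service here lives under Program Files or Windows; the three flags it does raise are exactly the ones a human reviewer would pause on, and StartupMonitor.exe resolves to the legitimate mlin.net tool the poster later names.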
 
MAllen said:
Also - look in the Norton logs and see how many things have been blocked from your PC. Is it just a single probe, or are there hundreds?


Edit: 3 blocked attempts
 
Yep - NAV is rubbish, and AVG is pretty good, especially as it costs nothing for home use. No AV product can be perfect though, but IMHO Symantec is now run by Marketing Loonies and the Techies don't seem as involved now. The software, especially NIS, has become bloated rubbish which doesn't properly update and spends too much of its time blocking innocent programs like Outlook (a bit OT for this thread.... but I am an IT Engineer who spends his day fixing this kind of issue :rolleyes: ....)


I agree with oddjob62 - "C:\WINDOWS\StartupMonitor.exe" What is this? Go find the program and check its properties. Maybe even use MSCONFIG to stop it running at startup every time.

And you have a HUGE pile of excess programs running here. I assume you must have tons of RAM installed then? I also notice you are obviously rich enough to afford both 3D Studio Max and AutoCAD :p ... or maybe just "demoing" some dodgy pirate copies. Do you really trust those keygens? Some of them are just good old fashioned viruses. (We can't talk pirate software on here, so that is the end of those comments...)


From a fast look over that list, I am only really suspicious about StartupMonitor.exe. I would like to know what that is. Otherwise, I can't see anything obvious.

As you have only had three probes sent out, that isn't exactly a DoS. So I would probably ignore it as harmless.... easy way to tell is to try uninstalling Wolfenstein for a while and see if it stops.

Maybe worth you having a play with msconfig (type it into the Run prompt). Go to the "Startup" page and try unticking some of the stuff you aren't actually using. You will be surprised how much memory you can free up.

If you are using msconfig - stay away from the other pages. Especially Services. You can mess around with the "startup" page as much as you like without messing up your PC. Worst thing you could do is disable an autoupdate of a program or two. Whereas if you turn off the wrong thing on the Services page, your PC could become unbootable.

I'm off out now, but I'll help you more tomorrow. :D
 
P.S. from a quick Google of StartupMonitor it looks like it is harmless. In fact, it looks like it is a program to restrict changes to the programs that start with your PC. So it will probably start shouting at you as you play with MSCONFIG. :D
 
MAllen said:
From a fast look over that list, I am only really suspicious about StartupMonitor.exe. I would like to know what that is. Otherwise, I can't see anything obvious.

As you have only had three probes sent out, that isn't exactly a DoS. So I would probably ignore it as harmless.... easy way to tell is to try uninstalling Wolfenstein for a while and see if it stops.

Maybe worth you having a play with msconfig (type it into the Run prompt). Go to the "Startup" page and try unticking some of the stuff you aren't actually using. You will be surprised how much memory you can free up.

If you are using msconfig - stay away from the other pages. Especially Services. You can mess around with the "startup" page as much as you like without messing up your PC. Worst thing you could do is disable an autoupdate of a program or two. Whereas if you turn off the wrong thing on the Services page, your PC could become unbootable.

I'm off out now, but I'll help you more tomorrow. :D

Thanks for your help :) I got StartupMonitor from here: http://www.mlin.net/StartupMonitor.shtml, a free program.
I don't have AutoCAD; I did try out the 3ds Max trial.
I use LightWave 3D, cheaper..
Thanks for your help MAllen, I'll have a go at what you said :)

Cheers
 
If you did have AutoCAD and 3DMax, and then uninstalled them, then you will probably want to clean up the mess they left in msconfig. :) I can see calls in there to start parts of the programs up when you boot the PC.

If you need any of this explained, then I am around for most of the afternoon. :)
 