Norton AntiVirus 2004 Reporting Internet Worm
I installed Norton Antivirus 2004 a month or so ago and in the past couple of days I have received several Internet Worm threats that NAV asks whether I want to permit or block. I have been blocking. Below are some of the log entries:

Inbound TCP connection.
Local address,service is (HOMESEER(192.168.2.3),http(80)).
Remote address,service is (68.43.39.139,2160).
Process name is "C:\Program Files\HomeSeer\HomeSeer.exe".

Inbound TCP connection.
Local address,service is (HOMESEER(192.168.2.3),http(80)).
Remote address,service is (68.43.39.139,2115).
Process name is "C:\Program Files\HomeSeer\HomeSeer.exe".

Any ideas on what's up? I haven't looked for any info from Symantec. Thought I would check here first since it's reporting HomeSeer as the process name.
Jim Doolittle

#2
You could always ask Comcast.

pcp03576768pcs.wodhvn01.mi.comcast.net [68.43.39.139]

2115 tcp trojan / bugs / kdm Bugs Trojan Horse / kdm
2160 udp apc-cms APC Central Mgmt Server

Stuart


#3
Jim,
You better delete that HomeSeer.exe program right away!

~Bill


#4
Jim,
These only appear to be http hits to your HomeSeer web server. I wonder why NAV thinks they are worm hits.
-Rupp


#5
It is probably triggered by an http request trying to get a VBS script run on your computer. I tried to use VBS instead of batch files in a CGI function on my computer, and ZoneAlarm blocked the attempt as an unsafe activity. Norton is probably doing the same thing due to all the scripting issues with Windows.
Why I like my 2005 rio yellow Honda S2000 with the top down, and more!


#6
The worm protection was added to NAV in the 2004 version. Seems like they are slowly moving NAV to include Norton Internet Security but not telling users in advance that they do not need to additionally pay for NIS.

Anyhow, I have completely removed HomeSeer and no longer see any threats.
Jim Doolittle


#7
Okay, just kidding. I would disconnect the internet before removing HomeSeer. I will begin allowing some of these, but I will check some of the IPs first.

Stuart, what did you use to find Comcast? WhoIs?

Jim Doolittle


#8
Just run a tracert from a DOS window.
______________________________
Skibumsplace - Locate Me


#9
Skibum,

Thanks. I should have known that.
Jim Doolittle


#10
I would look at the web server logs (if available) and see what the particular request was that triggered the Norton alert.
Why I like my 2005 rio yellow Honda S2000 with the top down, and more!


#11
Originally posted by Jim Doolittle:

    I installed Norton Antivirus 2004 a month or so ago and in the past couple of days I have received several Internet Worm threats that NAV asks whether I want to permit or block. I have been blocking. Below are some of the log entries:

    Inbound TCP connection.
    Local address,service is (HOMESEER(192.168.2.3),http(80)).
    Remote address,service is (68.43.39.139,2160).
    Process name is "C:\Program Files\HomeSeer\HomeSeer.exe".

    Inbound TCP connection.
    Local address,service is (HOMESEER(192.168.2.3),http(80)).
    Remote address,service is (68.43.39.139,2115).
    Process name is "C:\Program Files\HomeSeer\HomeSeer.exe".

    Any ideas on what's up? I haven't looked for any info from Symantec. Thought I would check here first since it's reporting HomeSeer as the process name.

If I am reading your logs right, the destination port is 80 on your HomeSeer machine, not 2160 and 2115, so it looks like a machine on the internet is probing your web server. Since it's on a cable modem network, it's safe to say that this is just a worm randomly scanning your machine, no big deal (as long as the machine is patched). I strongly recommend against running any web server on port 80.

To find out who owns a certain IP address, you can try an nslookup first (using the nslookup command, of course), and if it doesn't resolve, then try arin.net (if it's an American IP address), ripe.net if it's European and apnic.net if it's Asia-Pacific.
HSPRO 2.4 (ESXi 4.1) | my.Alert NEW | my.Trigger | HSTouch | ACRF2 | UltraM1G | BLWeather | BLLan | Rover
(aka xplosiv)
Do You Cocoon? Home Automation News, Tutorials, Reviews, Forums & Chat
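Reading the entries the way #11 does, here is an added example (not code from the thread, from HomeSeer or from Symantec) that parses the four-line NAV 2004 entry format quoted above and reports the local service that was actually contacted; the remote port is treated as the client's source port and is deliberately not looked up in a port list. The sample entries are the two from the thread.

```python
import re
from dataclasses import dataclass
# Constructed sample: the two entries quoted in the thread, in NAV 2004's
# four-line format (raw string keeps the Windows path intact).
SAMPLE_LOG = r"""Inbound TCP connection.
Local address,service is (HOMESEER(192.168.2.3),http(80)).
Remote address,service is (68.43.39.139,2160).
Process name is "C:\Program Files\HomeSeer\HomeSeer.exe".

Inbound TCP connection.
Local address,service is (HOMESEER(192.168.2.3),http(80)).
Remote address,service is (68.43.39.139,2115).
Process name is "C:\Program Files\HomeSeer\HomeSeer.exe".
"""
@dataclass
class Connection:
    direction: str      # "inbound" / "outbound"
    proto: str          # "TCP" / "UDP"
    local_ip: str
    local_service: str  # service actually contacted (here: http on 80)
    local_port: int
    remote_ip: str
    remote_port: int    # on an inbound hit this is the client's source port
    process: str
_HEAD = re.compile(r"^(Inbound|Outbound) (TCP|UDP) connection\.$")
_LOCAL = re.compile(r"^Local address,service is \(([^(]+)\(([\d.]+)\),(\w+)\((\d+)\)\)\.$")
_REMOTE = re.compile(r"^Remote address,service is \(([\d.]+),(\w+)(?:\((\d+)\))?\)\.$")
_PROC = re.compile(r'^Process name is "(.*)"\.$')

def parse_nav_log(text: str) -> list:
    """Parse blank-line-separated NAV entries; malformed blocks are skipped."""
    out = []
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.strip().splitlines()]
        m = [p.match(ln) for p, ln in zip((_HEAD, _LOCAL, _REMOTE, _PROC), lines)]
        if len(m) != 4 or not all(m):
            continue
        h, lo, rm, pr = m
        port_txt = rm.group(3) or rm.group(2)   # "http(80)" -> 80, "2160" -> 2160
        rport = int(port_txt) if port_txt.isdigit() else -1
        out.append(Connection(h.group(1).lower(), h.group(2), lo.group(2), lo.group(3),
                              int(lo.group(4)), rm.group(1), rport, pr.group(1)))
    return out

def describe(c: Connection) -> str:
    """Report the service that was hit; the remote port is not looked up."""
    if c.direction == "inbound":
        return (f"{c.proto} hit on local {c.local_service}/{c.local_port} from {c.remote_ip} "
                f"(client source port {c.remote_port}) handled by {c.process}")
    return f"{c.proto} from {c.process} to {c.remote_ip}:{c.remote_port}"
```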


#12
Jim, fire up Ethereal and filter the capture to just watch the web hits on your HomeSeer box. I'll bet the remote client is infected and trying to install something on your machine via the HS web server. I use NAV 2004 and 2005 on several boxes here and I don't see any issues. If NAV can tell you what the threat is, check out the Security Response pages and find out what the thing is trying to do.
- Gordon

"I'm a Man, but I can change, if I have to, I guess." - Man's Prayer, Possum Lodge, The Red Green Show
HiddenGemStudio.com - MaineMusicians.org - CunninghamCreativeMaine.website


#13
Jim,
I used tracert and also samspade.org, which used to have a lot more information but was slimmed down in the past few months.
Stuart