Attempted "HTTP_ActivePerl_Overflow" from my machi

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: purcell PostPosted: Mon Jan 10, 2005 9:53 pm    Post subject: Attempted "HTTP_ActivePerl_Overflow" from my machi
    ----
I am using Norton Personal Firewall 2003 on a Win 2K pc, and it threw up this odd Intrusion Detection notice recently:

Attempted Intrusion "HTTP_ActivePerl_Overflow" from your machine against 63.211.210.218 was detected and blocked
Intruder: 0.0.0.0(2384)
Risk Level: Medium
Protocol: TCP
Attacked IP: 63.211.210.218
Attacked Port: http(80)


Can anyone help me out here to understand what this means? An attempted intrusion FROM my machine? I haven't attempted to intrude into anything.
I don't understand:
1. What HTTP_ActivePerl_Overflow means.
2. What 0.0.0.0(2384) means.
3. Why there was an intrusion attempt FROM my machine.

thanking you.

Author: neewtLocation: Sweden PostPosted: Tue Jan 11, 2005 1:49 am    Post subject:
    ----
Hi Purcell.
First off, when dealing with alerts caused by IDSs or similar systems, it's generally a good idea to get some more information on the rule (that triggers the alert) itself. Many times, IDSs cause false positives (or false negatives etc.), and those might sometimes be described in those documents.

For this specific alert, Symantec's "info-page" is located here: http://securityresponse.symantec.com/avcenter/nis_ids/sigs/http_activeperl_overflow.html
From what I can read of that url, you are either (somehow) trying to exploit an old security-hole on the targeted webserver, or just dealing with a false alert.

I quote the url above:
Quote:
Older versions of ActivePerl on Windows have a buffer overflow vulnerability. An attacker can exploit this vulnerability to execute arbitrary code at the privilege level of the Web server process. This signature detects attempts to exploit the ActivePerl vulnerability through HTTP.


As I said, this signature is triggered by an attempted exploitation of the ActivePerl vulnerability (more on this specific vuln can be found at the url above).

This specific signature is known to be able to cause false alerts, therefore Symantec has chosen to put a couple of words on this:
Quote:
This signature may not indicate malicious intent if ActivePerl versions other than those listed above are used or ActivePerl is not used at all. In this case, you can exclude this signature from monitoring.


The bug itself is described like this on CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0815

Quote:
Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.


So the rule is probably triggered when a very long filename with a .pl extension (which is a perl CGI script or something similar) is seen.

So, if you are not running a webserver (with ActivePerl enabled) you can probably just ignore the alert. This is nothing odd, all Intrusion Detection Systems are faced with false alerts to some extent.

Another thing, wouldn't it be easier if Symantec released their rules file in the open, for us to see what the rule is triggered on? I myself have several Snort sensors running, and I get great value from being able to examine the signatures.

Hope this helps to some extent, and also for someone to perhaps verify this.

Cheers
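Since the Symantec rule itself is not published, here is an added example (not from the original post, and not Symantec's or Snort's code) that emulates the likely logic of the signature in Python: it parses HTTP request lines, keeps only the final path segment, and raises HTTP_ActivePerl_Overflow when that segment ends in .pl and is longer than a threshold. The threshold (256 bytes) and the choice to measure only the final path segment are assumptions, because the real trigger length is not given anywhere in the thread or the quoted advisories. The sample "flows" are constructed. Running it shows two things the thread discusses: the alert is attributed to whichever host sends the request, so a client that merely requests a long .pl URL is reported as the "intruder", and a request is flagged regardless of whether the target actually runs a vulnerable PerlIS.dll, which is exactly why the signature produces false positives.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed threshold: the real PerlIS.dll/Symantec trigger length is not public.
MAX_PL_NAME = 256

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


@dataclass
class Alert:
    signature: str
    src: str       # host that sent the request ("Intruder" in the Norton notice)
    dst: str       # "Attacked IP"
    dport: int     # "Attacked Port"
    detail: str


def extract_pl_filename(target: str) -> Optional[str]:
    """Return the final path segment if it ends in .pl (case-insensitive), else None.

    The query string and fragment are stripped first, so '?name=x' does not
    pad or hide the filename length.
    """
    path = target.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name if name.lower().endswith(".pl") else None


def check_request(request_line: str, src: str, dst: str, dport: int = 80,
                  max_len: int = MAX_PL_NAME) -> Optional[Alert]:
    """Emulate the signature on a single request line; None means no alert."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None                      # not a parseable HTTP request line
    name = extract_pl_filename(m.group("target"))
    if name is None or len(name) <= max_len:
        return None
    return Alert("HTTP_ActivePerl_Overflow", src, dst, dport,
                 f"{len(name)}-byte .pl filename in {m.group('method')} request")


def scan(flows, **kw):
    """Run check_request over (src, dst, dport, request_line) tuples."""
    return [a for a in (check_request(line, src, dst, dport, **kw)
                        for src, dst, dport, line in flows) if a]


# Constructed sample traffic: a client (10.0.0.5) talking to the web server
# named in the thread. Only #2 and #4 should fire.
SAMPLE_FLOWS = [
    ("10.0.0.5", "63.211.210.218", 80, "GET /cgi-bin/hello.pl HTTP/1.1"),            # benign CGI
    ("10.0.0.5", "63.211.210.218", 80, "GET /cgi-bin/" + "A" * 300 + ".pl HTTP/1.0"),  # long .pl name
    ("10.0.0.5", "63.211.210.218", 80, "GET /" + "B" * 300 + ".html HTTP/1.1"),       # long, but not .pl
    ("10.0.0.5", "63.211.210.218", 80, "GET /scripts/" + "C" * 300 + ".pl?name=x HTTP/1.1"),  # query stripped
    ("10.0.0.5", "63.211.210.218", 80, "GET /" + "D" * 300 + "/ok.pl HTTP/1.1"),      # long dir, short file
    ("10.0.0.5", "63.211.210.218", 80, "POST /form HTTP/1.1"),                        # no .pl at all
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        # Mirrors the fields of the Norton notice quoted in the first post.
        print(f'Attempted Intrusion "{alert.signature}" from {alert.src} '
              f"against {alert.dst} port {alert.dport}: {alert.detail}")
```

Tuning follows directly from the code: if the destination is not a host running an old ActivePerl/PerlIS.dll, raising `max_len` or excluding the signature (as the Symantec note suggests) removes the noise without hiding anything the rule could actually have detected.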

Author: purcell PostPosted: Thu Jan 13, 2005 10:31 pm    Post subject:
    ----
Thank you for your detailed reply. (Odd thing, after I posted this question, when I tried to return to security-forums.com it kept directing me to some other site, darknet something or other--strange. But I digress.)

It probably was just a false alert as I don't think there is anything on my system which might do this. But I can't seem to understand what this ActivePerl thing is (maybe it's related to Perl programming language?)

I did notice that the IP that the "attack" was directed towards was listed in my windows HOSTS file (redirecting the url to 127.0.0.1), so maybe that had something to do with it. Well, thanks for your help.

Author: neewtLocation: Sweden PostPosted: Fri Jan 14, 2005 12:49 am    Post subject:
    ----
purcell wrote:
Thank you for your detailed reply. (Odd thing, after I posted this question, when I tried to return to security-forums.com it kept directing me to some other site, darknet something or other--strange. But I digress.)

Well, security-forums have had some problems a couple of days, and on the "first page" you can see a post about that

Quote:

It probably was just a false alert as I don't think there is anything on my system which might do this. But I can't seem to understand what this ActivePerl thing is (maybe it's related to Perl programming language?)
As I said, the rule is probably triggered when a long perl filename is requested (in this case by you, that's why the "intrusion" comes from you). The perl programming language can be (and is) used as CGI, that is, a script that executes at the server.


