Security Forums

Attempted "HTTP_ActivePerl_Overflow" from my machi

Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security (all times are GMT + 2 hours)
purcell
Posted: Mon Jan 10, 2005 9:53 pm    Post subject: Attempted "HTTP_ActivePerl_Overflow" from my machi

I am using Norton Personal Firewall 2003 on a Win 2K pc, and it threw up this odd Intrusion Detection notice recently:

Attempted Intrusion "HTTP_ActivePerl_Overflow" from your machine against 63.211.210.218 was detected and blocked
Intruder: 0.0.0.0(2384)
Risk Level: Medium
Protocol: TCP
Attacked IP: 63.211.210.218
Attacked Port: http(80)


Can anyone help me out here to understand what this means? An attempted intrusion FROM my machine? I haven't attempted to intrude into anything.
I don't understand:
1. What HTTP_ActivePerl_Overflow means.
2. What 0.0.0.0(2384) means.
3. Why there was an intrusion attempt FROM my machine.

thanking you.
neewt
Posted: Tue Jan 11, 2005 1:49 am

Hi Purcell.
First off, when dealing with alerts raised by an IDS or similar system, it's generally a good idea to get some more information on the rule itself (the one that triggers the alert). IDSs often cause false positives (or false negatives, etc.), and those are sometimes described in that documentation.

For this specific alert, Symantec's "info page" is located here: http://securityresponse.symantec.com/avcenter/nis_ids/sigs/http_activeperl_overflow.html
From what I can read of that URL, you are either (somehow) trying to exploit an old security hole on the targeted web server, or just dealing with a false alert.

I quote the url above:
Quote:
Older versions of ActivePerl on Windows have a buffer overflow vulnerability. An attacker can exploit this vulnerability to execute arbitrary code at the privilege level of the Web server process. This signature detects attempts to exploit the ActivePerl vulnerability through HTTP.


As I said, this signature is triggered by an attempted exploitation of the ActivePerl vulnerability (more on this specific vuln can be found at the URL above).

This specific signature is known to cause false alerts, therefore Symantec has put a couple of words on this:
Quote:
This signature may not indicate malicious intent if ActivePerl versions other than those listed above are used or ActivePerl is not used at all. In this case, you can exclude this signature from monitoring.


The bug itself is described like this on CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0815

Quote:
Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.


So the rule is probably triggered when a very long filename with a .pl extension (a Perl CGI script or something similar) is seen.

So, if you are not running a web server (with ActivePerl enabled) you can probably just ignore the alert. This is nothing odd; all intrusion detection systems are faced with false alerts to some extent.

Another thing: wouldn't it be easier if Symantec released their rules file in the open, so we could see what the rule is triggered on? I myself have several Snort sensors running, and I get great value from being able to examine the signatures.

Hope this helps to some extent, and perhaps someone can verify this.

Cheers
purcell
Posted: Thu Jan 13, 2005 10:31 pm

Thank you for your detailed reply. (Odd thing: after I posted this question, when I tried to return to security-forums.com it kept directing me to some other site, darknet something or other. Strange. But I digress.)

It probably was just a false alert, as I don't think there is anything on my system which might do this. But I can't seem to understand what this ActivePerl thing is (maybe it's related to the Perl programming language?).

I did notice that the IP that the "attack" was directed towards was listed in my windows HOSTS file (redirecting the url to 127.0.0.1), so maybe that had something to do with it. Well, thanks for your help.
neewt
Posted: Fri Jan 14, 2005 12:49 am

purcell wrote:
Thank you for your detailed reply. (Odd thing: after I posted this question, when I tried to return to security-forums.com it kept directing me to some other site, darknet something or other. Strange. But I digress.)

Well, security-forums has had some problems for a couple of days, and on the "first page" you can see a post about that.

Quote:

It probably was just a false alert, as I don't think there is anything on my system which might do this. But I can't seem to understand what this ActivePerl thing is (maybe it's related to the Perl programming language?).
As I said, the rule is probably triggered when a long Perl filename is requested (in this case by you; that's why the "intrusion" comes from you). The Perl programming language can be (and is) used for CGI, that is, a script that executes on the server.
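Added example to illustrate neewt's two explanations above (the long ".pl" filename from CVE-2001-0815 as the likely trigger, and why the alert is reported "from your machine"). This is not code from either poster and not Symantec's signature, which was never published; it is an approximation of what such a check has to do, run over constructed HTTP request lines. The threshold MAX_PL_NAME, the sample requests and the Snort-style rule in the docstring are all assumptions made here.

```python
r"""Approximation of an "HTTP_ActivePerl_Overflow"-style check over HTTP request lines.

Added example for this thread; NOT Symantec's signature (never published) and
NOT code from either poster. Assumptions, labelled because the thread does not
state them:
  * the check keys on the HTTP request line: a path whose last segment ends in
    ".pl" and is implausibly long (CVE-2001-0815: PerlIS.dll in ActivePerl
    5.6.1.629 and earlier overflows on a long filename ending in .pl);
  * MAX_PL_NAME is an invented threshold, not the vendor's;
  * the sample requests are constructed here, not captured traffic.

A personal firewall inspects outbound traffic too, so a matching request is
reported "from your machine" even though some program on the PC (a browser,
for instance) sent it, not the user on purpose.

Roughly equivalent Snort 2 rule (also an approximation, local SID range):
  alert tcp $HOME_NET any -> any 80 (msg:"WEB-CGI possible ActivePerl PerlIS.dll overflow (long .pl name)";
      flow:to_server,established; content:".pl"; http_uri; nocase;
      pcre:"/[^\/?]{250,}\.pl(\?|$)/Ui"; reference:cve,2001-0815; sid:1000001; rev:1;)
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

MAX_PL_NAME = 250  # hypothetical threshold for a "long" filename

# Method SP request-target SP HTTP-version (the HTTP request line)
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


@dataclass
class Verdict:
    alert: bool
    reason: str
    filename: str = ""
    length: int = 0


def check_request_line(line: str) -> Verdict:
    """Return a Verdict for one HTTP request line."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return Verdict(False, "not an HTTP request line")
    # urlsplit handles both origin-form (/path?q) and absolute-form (http://host/path);
    # decode %-escapes so an encoded long name is measured at its real length.
    path = unquote(urlsplit(m.group("target")).path)
    filename = path.rsplit("/", 1)[-1]
    if not filename.lower().endswith(".pl"):
        return Verdict(False, "not a .pl request", filename, len(filename))
    if len(filename) > MAX_PL_NAME:
        return Verdict(True, "long .pl filename: possible PerlIS.dll overflow attempt",
                       filename, len(filename))
    return Verdict(False, "ordinary .pl request", filename, len(filename))


def scan(lines):
    """Run the check over many request lines; returns (line, Verdict) pairs."""
    return [(line, check_request_line(line)) for line in lines]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/guestbook.pl?name=bob HTTP/1.0",        # normal CGI call, no alert
    "GET /cgi-bin/" + "A" * 600 + ".pl HTTP/1.0",         # classic long-name probe
    "POST /cgi-bin/" + "%41" * 300 + ".pl HTTP/1.1",      # same probe, URL-encoded
    "GET http://63.211.210.218/index.html HTTP/1.1",      # absolute-form, not .pl
    "not a request line at all",
]

if __name__ == "__main__":
    for line, v in scan(SAMPLE_REQUESTS):
        flag = "ALERT" if v.alert else "ok   "
        print(f"{flag} len={v.length:<4} {v.reason}: {line[:60]}")
```

Running it flags only the two long-name requests; the guestbook call, the plain HTML fetch and the garbage line pass. The same logic applied to outbound traffic explains the original alert: any process on the PC that sends a request with a long ".pl" name to port 80 will be reported as an attack "from your machine", whether or not the target is really running ActivePerl, which is why Symantec's own note says the signature can be excluded when ActivePerl is not in use.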