Blocked because of IPS attack: what is it?
Finding request header names
Fiddler is a convenient tool for finding request header names. The following screenshot shows the headers of a GET request, which contain details such as the content type, the user agent, and so on.
Using an exclusion list
To make an informed decision about handling a false positive, it's important to be familiar with the technologies your application uses. For example, if your technology stack has no SQL Server and you get false positives related to those rules, disabling those rules doesn't necessarily weaken your security.
One benefit of an exclusion list is that only a specific part of a request is disabled. However, this means that the specific exclusion applies to all traffic that passes through the WAF, because this is a global setting. For example, if 1=1 is valid request text for a specific application but not for others, this can cause problems. Another benefit is that you can choose between body, headers, and cookies to be excluded when a certain condition is met, instead of excluding the entire request.
There are cases where certain parameters are passed to the WAF in a way that isn't intuitive. For example, when authenticating with Azure Active Directory, a token is passed. This token, __RequestVerificationToken, is usually passed as a request cookie. However, in some cases where cookies are disabled, this token is also passed as a request attribute ("argument"). In this case, you need to make sure that __RequestVerificationToken is added to the exclusion list together with the request attribute name.
In this example, you want to exclude the request attribute name that equals text1. This is obvious because the attribute name can be seen in the firewall logs: data: Matched Data: 1=1 found within ARGS:text1: 1=1. We see the text1 attribute. You can also find this attribute name in several other ways; these are described in the section Finding request attribute names.
All replies
It looks like a scam. Just close your web browser window.
Aug 22, 2019 9:51 AM
I have tried that. Even restarted the computer.
Shows up in Safari and Chrome.
Aug 22, 2019 10:59 AM
Are you running any third party apps that claim to protect, clean, boost performance, etc.? If so, uninstall these apps.
Aug 22, 2019 11:02 AM
If your ISP was added to a blacklist, your ISP will know what to do—
Aug 22, 2019 11:02 AM
I also noticed that sometimes the URL is forwarded to:
Not sure if that helps or means anything.
Aug 22, 2019 11:02 AM
It means it is a scam.
Aug 22, 2019 11:03 AM
Just ran a scan using Malwarebytes software (had to download on another computer and copy over since affected computer is blocked from the internet). The scan came back clean, no issues.
Rebooted the computer in Safe-Mode and still have the same issue.
Not sure how / why this would be a scam, since there are no options to resolve the problem. Doesn't seem to be a scam.
Just seems that all internet traffic is somehow being blocked. Even in Safe-Mode.
Aug 22, 2019 1:50 PM
So did you uninstall all third party apps that claim to protect, clean, etc.?
Aug 22, 2019 1:51 PM
I don't have any installed, other than Malwarebytes which I just installed today.
Also tried rebooting into Web Recovery mode (Command-Option-R) and that is also not able to reach out and connect to the internet.
Not sure what is going on.
Aug 22, 2019 2:03 PM
Well then try contacting your ISP as suggested by LeroyDouglas and ask them if they are blocking your access.
Aug 22, 2019 2:14 PM
What did your ISP say when you talked to them?
Aug 22, 2019 4:08 PM
Note that this is IPS, not ISP. It could be an “Intrusion Protection System” on your router. You could try restarting your router.
If that doesn’t work, or perhaps even if it does, try running EtreCheckPro. EtreCheckPro is a diagnostic program I wrote to help show what might be causing problems like this. Download EtreCheckPro from https://www.etrecheck.com and run it. Create a new reply and use the "Notes" tool below to add your EtreCheck report.
Disclaimer: EtreCheckPro is my own app. EtreCheckPro is free to use but has in-app purchases available. Downloading EtreCheckPro or using it could give me some form of compensation, financial or otherwise.
Blocked because of IPS attack
An attack was detected, originating from your system. Please contact the system administrator.
This message was given during a login to a local wifi. I was denied then several times to login. I did run with chkhunter and he gave me just this line of suspicious outcome:
! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa
Which did not really help me. Since I have the feeling that the system behaves oddly, I do run now a scan with ClamAV and will probably reinstall to be sure. This happened after a third person had physical access to the PC by plugging an external USB HDD to my machine. He then stated (and this of course I could not know) that his PC (Windows) has no Antivirus (because it always nags him for being full of virus - what a logic. ) and his hdd was full of exe files he did not know of. I did not pay too much attention but this ips warning today did ring quite more than a bell. File permissions were on secure, the whole machine updated and no file was opened. So if I have any problem it must be (obligatorily) an exploit using the USB function. Yast showed malfunctioning thereafter and also, strangely enough, calling yast on a console opened firefox. Curious.
Anyway, I wanted to know if I have full paranoia (and there is a known problem with server software stating that you are running IPS attacks) or if this seems to be a real problem.
Posted it here, because, since the problem is absolutely exotic on a laptop machine, we do not have a group to host this request.
Logging in on the same network this afternoon does not give the error any more.
On 2010-10-01 14:36, stakanov wrote:
>
>> Blocked because of IPS attack
>>
>>
>> An attack was detected, originating from your system. Please contact
>> the system administrator.
>
> This message was given during a login to a local wifi. I was denied
> then several times to login.
I do not understand that message; and as you mention you had no problem to connect today, it was
probably false.
You should contact the administrator of that system and ask him to specify what attack exactly he
was referring to.
I searched for "IPS attack" in the wikipedia, and found none. IPS stands for "Intrusion-prevention
systems", it is not an attack.
IPS is the system that server uses to detect attacks from others - but they have to tell you what
attack it was.
While searching for this in google, I just accidentally went to a page that claimed to be scanning
my system for viruses, and finding them, in C:\ - which I don't have. It is obviously faking it all.
It claims to have found viruses, and triggers download and open of a "packupdate107_2204.exe" -
which I'm sure it is a trojan, but clamav does not detect it. Antivir does (TR/Dropper.Gen).
> Which did not really help me. Since I have the feeling that the system
> behaves oddly, I do run now a scan with ClamAV and will probably
> reinstall to be sure.
> This happened after a third person had physical
> access to the PC by plugging an external USB HDD to my machine. He then
> stated (and this of course I could not know) that his PC (Windows) has
> no Antivirus (because it always nags him for being full of virus - what a
> logic. ) and his hdd was full of exe files he did not know of.
Notice that "exes" can not run in linux, even if you "open" them.
I have a directory with some viruses. I "open" them with ease of mind, they are innocuous for me.
They don't "run".
The only way they can harm you is if you intentionally open them with wine, or load them into a
virtual machine with windows.
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
As Carlos has said, it's probably a lame attempt to dupe an unsuspecting windows person into installing a trojan onto their machine. What you got doesn't make sense because the IPS intercepts bad traffic and attempts to remove the harmful part and report the details about the attack to the sys admin. It would not send the offender a message about them sending an IPS attack but may trigger the server to send out a flat Site unavailable or unreachable response
A lot of IPS systems report false-positive. So, don't worry.
Also, I am pretty much sure that a Windoze machine can not inject a virus into your machine via a USB stick.
Hello everybody and thanks to all.
I was somehow worried because the system behaved oddly afterwards. Still it is true that I do not know of any usb-wise attacks. I will however change to a policy to do exchanges of files only over the internet with my productive machine. I do somehow not trust the usb-port (my machine is still running HAL and I do not know how well maintained it is).
@Carlos: kind of you to remind me, in fact I always state that there is no need for an antivirus (as there are only very few malware implementations around). However, I have to admit to my dismay that I sometimes have to do with very creepy people trying to do me some "surprise" to say the least. And they do not have written on their front: "I am one of the bad boys". So I was worried of something quite "personalized".
Besides: does anybody know the function of this line?
! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa
chkrootkithunter complained about it and asked me to look after it. In other words, it did not expect to find that line of code. Apparently it is a root process, running with authorisation running on tcp? I would just like to understand the procedure that it is running and why. I did not even know that I have configured tty7.
> Besides: does anybody know the function of this line?
> ! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa
That is for X. It occupies tty7.
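To make the reply above concrete, here is an added example (not code from the thread or from rkhunter) that parses the flagged line and answers the poster's actual question: whether that X server accepts TCP connections. The flagged line is the one quoted in the thread; the `ss -lnt` listings are constructed so the check can run offline, and the "X servers listened on TCP unless told not to" default is stated as an assumption about servers of that era.

```python
"""Interpret the Xorg process line that rkhunter flagged in the thread.

Added example, not from the thread. It parses the flagged line to answer
the poster's question (is X accepting TCP connections?) from the flags,
and then runs the same check against constructed `ss -lnt` output.
"""
import re

# The line quoted in the thread.
FLAGGED_LINE = ("! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp "
                "-auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa")

# Constructed `ss -lnt` output: no X listener (X is reachable via its Unix socket only).
SS_NO_X = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
"""

# Constructed `ss -lnt` output with an X server listening on TCP for display :0.
SS_WITH_X = SS_NO_X + "LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*\n"


def parse_xorg_line(line):
    """Split an rkhunter/ps style line: [!] user pid tty command args..."""
    parts = line.split()
    if parts and parts[0] == "!":
        parts = parts[1:]  # rkhunter's marker for an entry it did not expect
    user, pid, tty, argv = parts[0], int(parts[1]), parts[2], parts[3:]
    info = {"user": user, "pid": pid, "tty": tty, "program": argv[0],
            "display": None, "vt": None, "auth_file": None,
            # Assumption: X servers of that era listened on TCP unless told not to.
            "listens_tcp": True}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if re.fullmatch(r":\d+", arg):
            info["display"] = arg            # X display number
        elif re.fullmatch(r"vt\d+", arg):
            info["vt"] = arg                 # virtual terminal the server occupies
        elif arg == "-auth" and i + 1 < len(argv):
            info["auth_file"] = argv[i + 1]  # xauth cookie file written by the display manager
            i += 1
        elif arg == "-nolisten" and i + 1 < len(argv):
            if argv[i + 1] == "tcp":
                info["listens_tcp"] = False  # TCP transport disabled: no port 6000+display
            i += 1
        i += 1
    return info


def x_tcp_port(display):
    """X11 listens on 6000 + display number when TCP is enabled."""
    return 6000 + int(display.lstrip(":"))


def x_tcp_listener_present(ss_output, display=":0"):
    """Check `ss -lnt` output for a listener on the X port of the given display."""
    port = x_tcp_port(display)
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_port = int(fields[3].rsplit(":", 1)[1])
        if local_port == port:
            return True
    return False


if __name__ == "__main__":
    info = parse_xorg_line(FLAGGED_LINE)
    print(info)
    print("X listening on TCP:", x_tcp_listener_present(SS_NO_X, info["display"]))
```

The flag that matters is `-nolisten tcp`: with it, the server never opens port 6000 for display :0, so the only way in is the local Unix socket, gated by the cookie in the `-auth` file. On a live machine the second function would be fed the real `ss -lnt` output to confirm that nothing else has opened that port.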
stakanov wrote:
> Still it is true that I do not know of any usb-wise attacks.
attacking via removable devices is old as the hills. back in the
early 90's the easiest way to get infected was to insert an infected
floppy and bingo, your machine was infected and it would infect
_every_ floppy inserted (that was not write protected)..
and, the latest cyber warfare virus was created to infect via USB, see:
that it targeted Windows machines is known. but, with some thinking i
don't see why it couldn't be an attack vector for the unsuspecting
Linux user. just package some evil in an RPM, give'em a USB key and
tell'em install the new game/application/etc with YaST. bingo!
On 2010-10-02 13:06, stakanov wrote:
>
> Hello everybody and thanks to all.
> I was somehow worried because the system behaved oddly afterwards.
> Still it is true that I do not know of any usb-wise attacks. I will
> however change to a policy to do exchanges of files only over the
> internet with my productive machine. I do somehow not trust the usb-port
> (on my machine is still running HAL and I do not know how maintained it
> is).
HAL is not a problem. The content on the disk, might. Just make sure that the desktop is set to
mount the device, open it in a file browser, but not open files by default. Even less try to run files.
If the computer behaves oddly, then investigate.
Actually, I would trust more a usb disk than an internet connection. Even if it comes from a
doubtful source.
> @Carlos: kind of you to remind me, in fact I always state that there is
> no need for an antivirus (as there are only very few malware
> implementations around). However, I have to admit to my dismay that I
> sometimes have to do with very creepy people trying to do me some
> "surprise" to say the least. And they do not have written on their
> front: "I am one of the bad boys". So I was worried of something quite
> "personalized".
Personalized malware can be a real danger. If you are the target of such things. uff :-(
> Besides: does anybody know the function of this line?
>
> Code:
> --------------------
> ! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa
> --------------------
>
>
> chkrootkithunter complained about it and asked me to look after it. In
> other words, it did not expect to find that line of code. Apparently it
> is a root process, running with authorisation running on tcp? I would
> just like to understand the procedure that it is running and why. I did
> not even know that I have configured tty7.
I don't have it. I have the directory, not the file (11.2, gnome). I think that file could
appear/disappear on circumstances.
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
On 2010-10-02 14:46, DenverD wrote:
> stakanov wrote:
>> Still it is true that I do not know of any usb-wise attacks.
>
> attacking via removable devices is old as the hills. back in the
> early 90's the easiest way to get infected was to insert an infected
> floppy and bingo, your machine was infected and it would infect
> _every_ floppy inserted (that was not write protected)..
You had to reboot the computer with that floppy inside, and you had to have "boot from floppy"
active in the computer. That applies for the boot sector virus, the first one that appeared. I knew
it quite well, I wrote an antivirus for it :-)
For the other type of virus, you needed to run one of the infected programs in the floppy, something
we soon learned not to do. I cleaned one or two of those with my bare hands, I mean, with a debugger
and hex editors.
Those were simple times :-)
Then some people started making a lot of money writing antiviruses. I'll never be a successful
business man. :->
But the basics remain the same: connecting a floppy or a usb hard disk alone is not enough to
contaminate a computer.
That would be a trojan, not a virus >:-)
] The virus has so far infected computers in Indonesia, India, the United States, Australia,
Britain, Malaysia and Pakistan. The biggest target, however, has been Iran and some believe the
virus was designed to attack Iran's nuclear facilities.
]
] The malware spreads via infected USB thumb drive memory sticks, exploiting vulnerabilities in the
Microsoft Windows operating system.
I assume windows loads it automatically and runs something on it, automatically as well. Cute.
]
] The super-virus attacks software programs that run on Supervisory Control and Data Acquisition, or
SCADA, systems, a product developed by Siemens and sold around the world, including to Iran. SCADA
is used to manage water supplies, oil rigs, power plants and other industrial facilities.
That's a targeted malware. I don't think scada was designed for security. I worked for a small
business that did control things, and we did not design for security. Our gadgets were not
networked, we used isolated computers. Now everything is networked, and that's a huge danger.
By the way, the first virus, "la pelotita", the bouncing ball, was said to be created as an
antitheft measure, for people that stole certain game copying it (pirating).
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
People trying to exploit Linux boxes go after rooting servers; the payoff is much higher. Most of them don't even bother with Linux since Microsoft is just more numerous and easier to exploit and profit by.
Are you safe running Linux on the desktop? Nothing is 100% safe but you are certainly safer than you would be on a Windows box.
Finding request cookie names
If the request contains cookies, you can select the Cookies tab to view them in Fiddler.
Disabling rules
Another way to get around a false positive is to disable the rule that matched on the input the WAF considered malicious. Since you've parsed the WAF logs and found that rule 942130 is the one that matched, you can disable it in the Azure portal. See Customize web application firewall rules through the Azure portal.
One benefit of disabling a rule is that if you know all traffic that contains a certain condition that would normally be blocked is valid, you can disable that rule for the entire WAF. However, if that traffic is valid only in a specific scenario, disabling the corresponding rule for the entire WAF introduces a vulnerability, since this is a global setting.
Fixing false positives
With this information, and knowing that rule 942130 is the one that matched the 1=1 string, you can do a few things to stop your traffic from being blocked:
use an exclusion list;
For more information about exclusion lists, see the WAF configuration article.
Understanding WAF logs
WAF logs are meant to show every request that the WAF matched or blocked. It's a ledger of all evaluated requests that were matched or blocked. If you notice that the WAF blocks a request that it shouldn't (a false positive), there are a few things you can do. First, narrow down and find the specific request. Look through the logs to find the specific URI, timestamp, or transaction ID of the request. When you've found the associated log entries, you can begin to handle the false positives.
Suppose you have legitimate traffic that contains the string 1=1 that you want to pass through your WAF. When you try the request, the WAF blocks traffic that contains the string 1=1 in any parameter or field. This is a string often associated with a SQL injection attack. You can look through the logs and see the timestamp of the request and the rules that blocked or matched it.
In the following example, you can see that four rules fired during the same request (using the transactionId field). The first one fires because the request used a numeric/IP URL, which raises the anomaly score by three since it's a warning. The next rule that matched is 942130, which is the one you're looking for. You can see the 1=1 in the details.data field. This raises the anomaly score by three again, since it's also a warning. In general, every rule with the action Matched (meaning the rule fired) raises the anomaly score, and at this point the anomaly score would be six. For more information, see Anomaly scoring mode.
The last two log entries show that the request was blocked because the anomaly score was high enough. These entries have a different action from the first ones; they indicate that they actually blocked the request. These rules are mandatory and can't be disabled. They should be thought of not as rules but as core internal infrastructure of the WAF.
Replies (3)
Thank you for posting your query in Microsoft Community Forums.
Based on the issue description, it appears that you are getting an error “An attack was detected, originating from your system. Please contact the system administrator” while trying to open a website.
I would appreciate it if you could answer the following questions to assist you better:
1. Which security software is installed on the computer?
2. Is it updated with the latest virus and spyware definitions?
3. Is the issue confined to a specific website?
4. What do you mean by “The error appears in all browsers” and “In all other PC the website opens properly”?
5. Were there any recent changes made on the computer prior to the issue?
Here are a few troubleshooting methods that you may try in order to fix this issue.
Method 1: Restart computer in Safe Mode with networking enabled.
a. Restart your computer.
b. When you see the computer manufacturer's logo, press and hold the F8 key.
c. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
d. Log on to your computer with a user account that has administrator rights.
Note: Safe mode helps you diagnose problems.
Run full scan using the security software installed on the computer.
You may also try to run the Microsoft Safety Scanner in safe mode with networking.
a. Go to the Microsoft Safety Scanner webpage to download the scanner.
b. Click Download Now, and then follow the instructions on the screen.
Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.
Note: Any data files that are infected may only be cleaned by deleting the file entirely, which means there is a potential for data loss.
Disclaimer: The Reset Internet Explorer Settings feature might reset security settings or privacy settings that you added to the list of Trusted Sites. The Reset Internet Explorer Settings feature might also reset parental control settings. We recommend that you note these sites before you use the Reset Internet Explorer Settings feature.
If you are unable to access specific websites, refer to the link.
Cannot access some websites in Internet Explorer
If the issue persists, please provide us with the above information. We will be glad to help you further.
There are a few things you can do if requests that should pass through your Web Application Firewall (WAF) are blocked.
First, make sure you've read the WAF overview and the WAF configuration documents. Also, make sure you've enabled WAF monitoring. These articles explain how the WAF functions, how the WAF rule sets work, and how to access WAF logs.
The OWASP rule sets are designed to be very strict out of the box, and to be tuned to suit the specific needs of the application or organization using the WAF. It's entirely normal, and in many cases expected, to create exclusions, custom rules, and even disable rules that may be causing issues or false positives. Per-site and per-URI policies allow these changes to affect only specific sites or URIs, so they shouldn't affect other sites that don't have the same issues.
Limiting global parameters to eliminate false positives
Turning off request body inspection
By setting Inspect request body to off, the request bodies of all traffic won't be evaluated by your WAF. This may be useful if you know that the request bodies aren't malicious to your application.
By disabling this option, only the request body is not inspected. Headers and cookies remain inspected, unless individual ones are excluded using the exclusion list.
File size limits
By limiting file size for your WAF, you limit the possibility of an attack on your web servers. When large files are allowed to be uploaded, the risk of overwhelming the back end increases. Limiting file size to a value typical of your application's use case is one way to prevent attacks.
If you know the application never needs file uploads larger than a given size, you can restrict that size by setting a limit.
Finding request attribute names
With Fiddler, you can inspect individual requests and determine which specific fields of a web page are called. This allows you to exclude certain fields from inspection using exclusion lists.
In this example, you can see that the field where the 1=1 string was entered is called text1.
This field can be excluded. To learn more about exclusion lists, see Web application firewall exclusion lists. You can exclude the evaluation in this case by configuring the following exclusion.
You can also look at the firewall logs to find what you need to add to the exclusion list. To enable logging, see Back-end health, resource logs, and metrics for Application Gateway.
Look at the firewall log in the PT1H.json file for the hour in which the request you want to inspect was sent.
In this example, you can see four rules with the same TransactionID that fired at the same time:
Knowing how the CRS rule sets work, and that the CRS 3.0 rule set works with an anomaly scoring system (see Web Application Firewall for Azure Application Gateway), you know that the bottom two rules with action: Blocked are blocking based on the total anomaly score. The rules to focus on are the top two.
The first entry is logged because the user went to the Application Gateway by a numeric IP address, which can be ignored in this case.
The second rule (942130) is the more interesting one. You can see in the details that it matched a pattern (1=1) in the text1 field. Follow the same previous steps to exclude the request attribute name that equals 1=1.
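The log walkthrough in the "Understanding WAF logs" section and the "Finding request attribute names" section above both come down to the same triage: group the PT1H.json entries by transaction, add up the anomaly score of the rules that matched, separate the two mandatory evaluator entries from the detection rules, and read the field name out of `details.data` to build the narrowest exclusion. The following is an added example that does exactly that; it is not code from the Azure documentation. The four log lines are constructed to mirror the page's scenario (rule 942130 matching `1=1` in `ARGS:text1`), the JSON field names follow the Application Gateway firewall log schema as I know it (an assumption), and the severity weights follow the page's narrative that each of the two matches is a warning worth three points.

```python
"""Triage Azure Application Gateway WAF log entries for a false positive.

Added example; not code from the Azure documentation. The JSON layout
follows the ApplicationGatewayFirewallLog schema as I know it (assumption),
and the entries are constructed to mirror the page: one transaction in
which rule 942130 matches "1=1" in ARGS:text1 and the request is blocked.
"""
import json
import re
from collections import defaultdict

# Anomaly-score weight per severity. The page says a warning adds three;
# the remaining values are the CRS defaults for the other severities.
SEVERITY_WEIGHT = {"critical": 5, "error": 4, "warning": 3, "notice": 2}

# Severity of the detection rules in the sample, as the page describes them
# (both counted as warnings). Assumption: a real tool would take this from
# the rule set; unknown rules are counted as critical (worst case).
RULE_SEVERITY = {"920350": "warning", "942130": "warning"}

# Mandatory anomaly-score evaluators (action "Blocked"); the page notes
# these cannot be disabled and are WAF infrastructure, not detection rules.
EVALUATOR_RULES = {"949110", "980130"}

# ModSecurity collection name as it appears in details.data -> the
# matchVariable used by an Application Gateway exclusion.
COLLECTION_TO_MATCH_VARIABLE = {
    "ARGS": "RequestArgNames",
    "REQUEST_HEADERS": "RequestHeaderNames",
    "REQUEST_COOKIES": "RequestCookieNames",
}

# Constructed sample: one JSON object per line, as in a PT1H.json file.
SAMPLE_LOG = r'''
{"operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"AcAcAcAcAcAcAcAcAcAcAcAcAcAcAc","requestUri":"/","ruleSetVersion":"3.0","ruleId":"920350","action":"Matched","message":"Host header is a numeric IP address","details":{"data":"203.0.113.10"}}}
{"operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"AcAcAcAcAcAcAcAcAcAcAcAcAcAcAc","requestUri":"/","ruleSetVersion":"3.0","ruleId":"942130","action":"Matched","message":"SQL Injection Attack: SQL Tautology Detected.","details":{"data":"Matched Data: 1=1 found within ARGS:text1: 1=1"}}}
{"operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"AcAcAcAcAcAcAcAcAcAcAcAcAcAcAc","requestUri":"/","ruleSetVersion":"3.0","ruleId":"949110","action":"Blocked","message":"Inbound Anomaly Score Exceeded (Total Score: 6)","details":{"data":""}}}
{"operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"AcAcAcAcAcAcAcAcAcAcAcAcAcAcAc","requestUri":"/","ruleSetVersion":"3.0","ruleId":"980130","action":"Blocked","message":"Inbound Anomaly Score Exceeded (Total Inbound Score: 6)","details":{"data":""}}}
'''

# "... found within ARGS:text1: 1=1" -> collection "ARGS", selector "text1"
LOCATION_RE = re.compile(r"found within ([A-Z_]+):([^:]+):")


def parse_log(text):
    """Return the 'properties' object of every non-blank JSON line."""
    return [json.loads(line)["properties"] for line in text.splitlines() if line.strip()]


def matched_location(data):
    """Extract (collection, selector) from a details.data string, or None."""
    m = LOCATION_RE.search(data or "")
    return (m.group(1), m.group(2)) if m else None


def anomaly_score(entries):
    """Sum the weight of every entry whose action is Matched (the rule fired)."""
    return sum(
        SEVERITY_WEIGHT[RULE_SEVERITY.get(e["ruleId"], "critical")]
        for e in entries
        if e["action"] == "Matched"
    )


def suggest_exclusion(entry):
    """Map a matched entry to the exclusion that skips only the field it hit."""
    loc = matched_location(entry["details"].get("data"))
    if loc is None or loc[0] not in COLLECTION_TO_MATCH_VARIABLE:
        return None
    return {
        "matchVariable": COLLECTION_TO_MATCH_VARIABLE[loc[0]],
        "selectorMatchOperator": "Equals",
        "selector": loc[1],
    }


def triage(text):
    """Group entries by transactionId and summarise each transaction."""
    by_tx = defaultdict(list)
    for e in parse_log(text):
        by_tx[e["transactionId"]].append(e)
    summary = {}
    for tx, entries in by_tx.items():
        matched = [e for e in entries if e["action"] == "Matched"]
        summary[tx] = {
            "score": anomaly_score(entries),
            "blocked": any(e["action"] == "Blocked" for e in entries),
            "matched_rules": [e["ruleId"] for e in matched],
            "evaluator_rules": [e["ruleId"] for e in entries if e["ruleId"] in EVALUATOR_RULES],
            "exclusions": [x for x in map(suggest_exclusion, matched) if x],
        }
    return summary


if __name__ == "__main__":
    for tx, info in triage(SAMPLE_LOG).items():
        print(tx, json.dumps(info, indent=2))
```

For the sample transaction this yields a score of six, a `blocked` flag set by the two evaluator entries, and a single suggested exclusion of `RequestArgNames Equals text1`. That is the narrowest change: rule 942130 keeps protecting every other argument, header and cookie, whereas disabling the rule outright would remove the tautology check from all traffic behind the WAF.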
Your system is running an ips attack.
Blocked because of IPS attack
An attack was detected, originating from your system. Please contact the system administrator.
This message was given during a login to a local wifi. I was denied then several times to login. I did run with chkhunter and he gave me just this line of suspicious outcome:
Which did not really help me. Since I have the feeling that the system behaves oddly, I do run now a scan with ClamAV and will probably reinstall to be sure. This happend after a third person had physical access to the PC by plugging an external USB HDD to my machine. He then stated (and this of course I could not know) that his PC (Windows) has no Antivirus (because it always nag him for being full of virus - what a logic. ) and his hdd was full of exe files he did not know of. I did not pay too much attention but this ips warning today did ring quite more then a bell. File permissions where on secure, the whole machine updated and no file was opened. So if I have any problem it must be (obligatorily) an exploit using the USB function. Yast showed malfunctioning thereafter and also strangely enough calling yast on a console. opened firefox. Curious.
Anyway, I wanted to know if I have full paranoia (and there is a known problem with server software stating that you are running IPS attacks or if this seems to be a real problem.
Posted it here, because, since the problem is absolutely exotic on a laptop machine, we do not have a group to host this request.
Logging in on the same network this afternoon does not give he error any more.
On 2010-10-01 14:36, stakanov wrote:
>
>> Blocked because of IPS attack
>>
>>
>> An attack was detected, originating from your system. Please contact
>> the system administrator.
>
> This message was given during a login to a local wifi. I was denied
> then several times to login.
I do not understand that message; and as you mention you had no problem to connect today, it was
probably false.
You should contact the administrator of that system and ask him to specify what attack exactly he
was referring to.
I searched for "IPS attack" in the wikipedia, and found none. IPS stands for "Intrusion-prevention
systems", it is not an attack.
IPS is the system that server uses to detect attacks from others - but they have to tell you what
attack it was.
While searching for this in google, I just accidentally went to a page that claimed to be scanning
my system for viruses, and finding them, in C - which I don't have. It is obviously faking it all.
It claims to have found viruses, and triggers download and open of a "packupdate107_2204.exe" -
which I'm sure it is a trojan, but clamav does not detect it. Antivir does (TR/Dropper.Gen).
> Which did not really help me. Since I have the feeling that the system
> behaves oddly, I do run now a scan with ClamAV and will probably
> reinstall to be sure.
Don't reinstall.
> This happend after a third person had physical
> access to the PC by plugging an external USB HDD to my machine. He then
> stated (and this of course I could not know) that his PC (Windows) has
> no Antivirus (because it always nag him for being full of virus - what a
> logic. ) and his hdd was full of exe files he did not know of.
Notice that "exes" can not run in linux, even if you "open" them.
I have a directory with some viruses. I "open" them with ease of mind, they are innocuous for me.
They don't "run".
The only way they can harm you is if you intentionally open them with wine, or load them into a
virtual machine with windows.
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
Wise Penguin
As Carlos has said, it's probably a lame attempt to dupe an unsuspecting windows person into installing a trojan onto their machine. What you got doesn't make sense because the IPS intercepts bad traffic and attempts to remove the harmful part and report the details about the attack to the sys admin. It would not send the offender a message about them sending an IPS attack but may trigger the server to send out a flat Site unavailable or unreachable response
When your up to your a** in Alligators it's pretty hard to remember you intended to drain the swamp (author unknown)
Wise Penguin
A lot of IPS systems report false-positive. So, don't worry.
Also, I am pretty much sure that a Windoze machine can not inject a virus into your machine via a USB stick.
openSUSE 12.3 (x86_64) with Kernel 3.7.10-1.16-desktop and KDE 4.11.2 on MacBook Pro
Latest MS Windows version used: Win95
Wise Penguin
Hello everybody and thanks to all.
I was somehow worried because the system behaved oddly afterwards. Still it is true that I do not know of a usb-wise attacks. I will however change to a policy to do exchanges of files only over the internet with my productive machine. I do somehow not trust the usb-port (on my machine is still running HAL and I do not know how maintained it is).
@Carlos: kind of you to remind me, in fact I always state that there is no need for a antivirus (as there is only a very few malware implementations around). However, I have to admitt to my dismay that I have sometimes to do with very creepy people trying to do me some "surprise" to say the minor. And they do not have written on their front: "I am one of the bad boys". So I was worried of something quite "personalized".
Besides: does anybody know the function of this line?
chkrootkithunter complained about it and asked I shall look after. With other words it did not expect to find that line of code. Apparently it is a root process, running with autorisation running on tcp? I would just like to understand the procedure that it is running and why. I did not even know that I have configured tty7.
Wise Penguin
Originally Posted by stakanov
openSUSE 12.3 (x86_64) with Kernel 3.7.10-1.16-desktop and KDE 4.11.2 on MacBook Pro
Latest MS Windows version used: Win95
Flux Capacitor Penguin
stakanov wrote:
> Still it is true that I do not know of a usb-wise attacks.
attacking via removable devices is old as the hills. back in the
early 90's the easiest way to get infected was to insert an infected
floppy and bingo, your machine was infected and it would infect
_every_ floppy inserted (that was not write protected)..
and, the latest cyber warfare virus was created to infect via USB, see:
that it targeted Windows machines is known. but, with some thinking i
don't see why it couldn't be an attack vector for the unsuspecting
Linux user. just package some evil in an RPM, give'em a USB key and
tell'em install the new game/application/etc with YaST. bingo!
On 2010-10-02 13:06, stakanov wrote:
>
> Hello everybody and thanks to all.
> I was somehow worried because the system behaved oddly afterwards.
> Still it is true that I do not know of a usb-wise attacks. I will
> however change to a policy to do exchanges of files only over the
> internet with my productive machine. I do somehow not trust the usb-port
> (on my machine is still running HAL and I do not know how maintained it
> is).
HAL is not a problem. The content on the disk might be. Just make sure that the desktop is set to
mount the device and open it in a file browser, but not to open files by default, and even less to run files.
If the computer behaves oddly, then investigate.
Actually, I would trust a USB disk more than an internet connection, even if it comes from a
doubtful source.
> @Carlos: kind of you to remind me; in fact I always state that there is
> no need for an antivirus (as there are only very few malware
> implementations around). However, I have to admit to my dismay that I
> sometimes have to do with very creepy people trying to do me some
> "surprise", to say the minor. And they do not have written on their
> front: "I am one of the bad boys". So I was worried about something quite
> "personalized".
Personalized malware can be a real danger, if you are the target of such things. uff :-(
> Besides: does anybody know the function of this line?
>
> Code:
> --------------------
> ! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa
> --------------------
>
>
> chkrootkithunter complained about it and asked me to look after it. In
> other words, it did not expect to find that line of code. Apparently it
> is a root process, running with authorisation, running on tcp? I would
> just like to understand the procedure that it is running and why. I did
> not even know that I had configured tty7.
I don't have it. I have the directory, not the file (11.2, gnome). I think that file could
appear/disappear depending on circumstances.
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
On 2010-10-02 14:46, DenverD wrote:
> stakanov wrote:
>> Still it is true that I do not know of a usb-wise attacks.
>
> attacking via removable devices is old as the hills. back in the
> early 90's the easiest way to get infected was to insert an infected
> floppy and bingo, your machine was infected and it would infect
> _every_ floppy inserted (that was not write protected)..
You had to reboot the computer with that floppy inside, and you had to have "boot from floppy"
active in the computer. That applies to the boot sector virus, the first one that appeared. I knew
it quite well, I wrote an antivirus for it :-)
For the other type of virus, you needed to run one of the infected programs on the floppy, something
we soon learned not to do. I cleaned one or two of those with my bare hands, I mean, with a debugger
and hex editors.
Those were simple times :-)
Then some people started making a lot of money writing antiviruses. I'll never be a successful
business man. :->
But the basics remain the same: connecting a floppy or a USB hard disk alone is not enough to
contaminate a computer.
That would be a trojan, not a virus >:-)
] The virus has so far infected computers in Indonesia, India, the United States, Australia,
Britain, Malaysia and Pakistan. The biggest target, however, has been Iran and some believe the
virus was designed to attack Iran's nuclear facilities.
]
] The malware spreads via infected USB thumb drive memory sticks, exploiting vulnerabilities in the
Microsoft Windows operating system.
I assume windows loads it automatically and runs something on it, automatically as well. Cute.
]
] The super-virus attacks software programs that run on Supervisory Control and Data Acquisition, or
SCADA, systems, a product developed by Siemens and sold around the world, including to Iran. SCADA
is used to manage water supplies, oil rigs, power plants and other industrial facilities.
That's targeted malware. I don't think SCADA was designed for security. I worked for a small
business that did control things, and we did not design for security. Our gadgets were not
networked; we used isolated computers. Now everything is networked, and that's a huge danger.
By the way, the first virus, "la pelotita", the bouncing ball, was said to have been created as an
antitheft measure, for people that stole a certain game by copying it (pirating).
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
I have reset the Internet Explorer settings and I restarted the PC. But I am still getting the same message.
On all other PCs the website opens properly. How can I solve it?
Firewall metrics (WAF_v1 only)
For web application firewalls of version v1, the following metrics are now available in the portal:
- Web Application Firewall blocked requests count: the number of blocked requests
- Web Application Firewall blocked rules count: all rules that were matched and that blocked the request
- Web Application Firewall total rule distribution: all rules that were matched during evaluation
To enable metrics, select the Metrics tab in the portal and then select one of the three metrics.
So all the sudden I cannot access the internet. I get the following message:
Blocked because of IPS attack
An attack was detected, originating from your system. Please contact the system administrator.
See attached screenshot.
Tried searching online but didn't find any clear information on how to fix this.
Anyone have any ideas where to start?
Thanks in advance,
iMac Line (2012 and Later)
Posted on Aug 22, 2019 9:37 AM