Active Perl Overflow Attack - Tilted Forum Project Discussion Community

MahlerIsGod · 05-08-2004, 10:05 PM

I had an Active Perl Overflow Attack tonight (my firewall caught it). I tried to find out what this is on the net but all I could find was very, very technical jargon about it. Can someone please tell me what it is and why I get them in as non-technical manner as possible? Thanks

HarmlessRabbit · 05-09-2004, 12:07 AM

probably you mean Active State PERL overflow. Activestate is the commercial company that does a lot of the Perl maintenance and such.

Basically, here's what is happening. Someone is trying to scan your machine to see if it is vulnerable to a particular attack. So, they are hitting your webserver with a request that, if successful, might crash your machine, implant a virus, or do any other manner of thing.

A buffer overflow happens when a programmer improperly allocates too little space for a variable. So, the programmer allocated 100k for a variable but loaded that variable with 128k of data. This is a very easy error to make, a simple typo, incorrect conversion from hex to decimal, or other mistakes can cause it.

Once a smart hacker finds one of these variables, they can now, in the above example, load an arbitrary 28k of data into memory and execute it. This program can do anything the hacker is creative enough to make it do.

Now, for you, if your firewall is catching it, don't worry. You might want to look up and see if your version of perl is patched for whatever exploit it is trying to use. Reporting the IP to the attackers ISP is probably useless, as the source machine is probably a machine infected with a virus or trojan.

Bottom line: check for perl updates. If you are patched, no worries.

MahlerIsGod · 05-09-2004, 12:14 PM

I have a Norton Firewall that came with the whole package (Norton Internet Security). I have heard that it is not the best but have heard good things about Zone Alarm. My question is this: which is better? A "better" free firewall or a pay (to be read "updatable") firewall? Your thoughts, feelings, suggestions, etc.

Speed_Gibson · 05-09-2004, 02:05 PM

Quote:

A "better" free firewall or a pay (to be read "updatable") firewall?

Kerio 4.x fits both the free and updatable part. There have been at least 4 updates in the past month alone that it automatically fetched after asking me.

MahlerIsGod · 05-09-2004, 08:30 PM

Is it possible to run with two firewalls? Both the Norton and the Zonealarm? I'm I doubly "protected" or simply creating unnecessary conflicts between the two firewalls? Would anyone know? Thanks

Speed_Gibson · 05-09-2004, 08:59 PM

Quote:

Originally posted by MahlerIsGod
Is it possible to run with two firewalls? Both the Norton and the Zonealarm? I'm I doubly "protected" or simply creating unnecessary conflicts between the two firewalls? Would anyone know? Thanks

two software firewalls is a bad idea and waste of resources, assuming it does not crash your system to begin with. Some combinations will crash each other horribly or at the least cause nothing but headaches. Norton and ZA are especially bad for conflicting with others of their kind running simultaneously on the same system.
The best route is to run a dedicated hardware FW first for the outside world; a router or old *nix box is fine for this purpose. The main reason I have software firewalls on my systems is to explicity monitor all attempted outgoing connections; my 3com router does all of the actual port stealthing and firewall duties for inbound traffic.

HarmlessRabbit · 05-09-2004, 10:02 PM

Quote:

Originally posted by MahlerIsGod
Is it possible to run with two firewalls? Both the Norton and the Zonealarm? I'm I doubly "protected" or simply creating unnecessary conflicts between the two firewalls? Would anyone know? Thanks

Just run a personal firewall and put your computer on a unroutable NAT address unless you know you want to run your system as a server.

Running NAT will make your system invisible to almost all attackers. Any good personal firewall will do the rest.

Personally, I think running a home windows machine on an external address is just asking for trouble, unless you really know what you're doing. Many of the new exploits don't even need human intervention (like clicking on an outlook message).

05-08-2004, 10:05 PM	#1 (permalink)
MahlerIsGod At The Globe Showing Will How Its Done Location: London/Elysium	Active Perl Overflow Attack I had an Active Perl Overflow Attack tonight (my firewall caught it). I tried to find out what this is on the net but all I could find was very, very technical jargon about it. Can someone please tell me what it is and why I get them in as non-technical manner as possible? Thanks __________________ "But a work of art is a conscious human effort that has to do with communication. It is that or its nothing. When an accident is applauded as a work of art, when a cult grows up around the deliciousness of inadvertent beauty, we are in the presence of the greatest decadence the West has known in its history."

05-09-2004, 12:14 PM	#3 (permalink)
MahlerIsGod At The Globe Showing Will How Its Done Location: London/Elysium	I have a Norton Firewall that came with the whole package (Norton Internet Security). I have heard that it is not the best but have heard good things about Zone Alarm. My question is this: which is better? A "better" free firewall or a pay (to be read "updatable") firewall? Your thoughts, feelings, suggestions, etc. __________________ "But a work of art is a conscious human effort that has to do with communication. It is that or its nothing. When an accident is applauded as a work of art, when a cult grows up around the deliciousness of inadvertent beauty, we are in the presence of the greatest decadence the West has known in its history."

05-09-2004, 08:30 PM	#5 (permalink)
MahlerIsGod At The Globe Showing Will How Its Done Location: London/Elysium	Is it possible to run with two firewalls? Both the Norton and the Zonealarm? I'm I doubly "protected" or simply creating unnecessary conflicts between the two firewalls? Would anyone know? Thanks __________________ "But a work of art is a conscious human effort that has to do with communication. It is that or its nothing. When an accident is applauded as a work of art, when a cult grows up around the deliciousness of inadvertent beauty, we are in the presence of the greatest decadence the West has known in its history."

05-09-2004, 12:07 AM	#2 (permalink)
HarmlessRabbit Junkie Location: San Jose, CA	probably you mean Active State PERL overflow. Activestate is the commercial company that does a lot of the Perl maintenance and such. Basically, here's what is happening. Someone is trying to scan your machine to see if it is vulnerable to a particular attack. So, they are hitting your webserver with a request that, if successful, might crash your machine, implant a virus, or do any other manner of thing. A buffer overflow happens when a programmer improperly allocates too little space for a variable. So, the programmer allocated 100k for a variable but loaded that variable with 128k of data. This is a very easy error to make, a simple typo, incorrect conversion from hex to decimal, or other mistakes can cause it. Once a smart hacker finds one of these variables, they can now, in the above example, load an arbitrary 28k of data into memory and execute it. This program can do anything the hacker is creative enough to make it do. Now, for you, if your firewall is catching it, don't worry. You might want to look up and see if your version of perl is patched for whatever exploit it is trying to use. Reporting the IP to the attackers ISP is probably useless, as the source machine is probably a machine infected with a virus or trojan. Bottom line: check for perl updates. If you are patched, no worries.