On Feb 20th 2015 Norton Anti-Virus live update was rolled out with a bug that has made Internet Explorer unusable for millions of users. Other browsers such as Chrome and FireFox seem to be unaffected and unless you already had one these alternatives installed it would be hard to find out any details on what is going on. How else do you download an alternative browser when your only browser doesn’t work?
The common error dump for this bug is:
Faulting Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Problem Event Name: BEX
Application Name: IEXPLORE.EXE
Application Version: 11.0.9600.17631
Application Timestamp: 54b31a70
Fault Module Name: IPSEng32.dll
Fault Module Version: 220.127.116.11
Fault Module Timestamp: 54c8223b
Exception Offset: 000c61e2
Exception Code: c0000417
Exception Data: 00000000
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 4105
Additional Information 1: 4f07
Additional Information 2: 4f072c04aa91eb87d88d7dd565652530
Additional Information 3: a15b
Additional Information 4: a15b24e56acca2f6a7c59c85b7f20aea
The file reported to be causing the error is the DLL file IPSEng32.dll part of Norton’s Identity Safe (NIS) however just turning that protection method off or uninstalling NIS does not fix the problem. The only current solution I have found is to actually fully remove the Norton product entirely.
After nearly 24 hours Norton still has yet to release a patch to fix this problem.
The community forums regarding the bug are going crazy starting with this thread Tonight’s update crashing IE11 started by Sunfox.
Brute force cracking Word Press sites admin login is rampant because it is very easy. Word Press doesn’t offer much in the way of the way helping protect your blog from such attacks. Brute force attacks is a method of trying to guess the password either systematically or via a common password dictionary list. One of the easiest ways to deter would be hackers is to add a second layer of password authentication to the administration area. Using htaccess rules to require a password before getting to the WP admin password will thwart nearly all the cracking bots out there. Just be sure you make the new htaccess login user name and password completely different than the one used by WP.
To setup htaccess password protection for your Word Press admin area you need to first create a text document called .htpasswd. You can either use the linux shell htpasswd or the online tool HTPasswd Generator. Once you created this file save it or upload it to your wp-admin directory. (It needs to have the period at the front of the file—the period hides the file from view and access by direct web access on the linux apache system.)
Next you need to edit or create a file in your wp-admin directory called .htaccess it should look like so:
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthUserFile "/home/your site/www/wp-admin/.htpasswd"
In the line that starts with AuthUserFile you will need to adjust the path to where the .htpasswd file you will create will be located. In most linux servers the path needs to be absolute, so it has to start at /home or whatever the start is, you can’t just go AuthUserFile .htpasswd (On most servers.)
Now when you access your wp-admin page you will get an htaccess popup window requiring the user name and password from the .htpasswd file first before you can access the Word Press login.
Every server connected to the internet is constantly being attacked with brute force login attempts, software exploits, email spam and more. It is the dirty laundry all IT Security or anyone who manages there own website or server knows. With the extent of dark nets, bot nets and abused proxies this activity runs amuck and pretty much unstoppable. The only thing we can really do is just make sure our software is up to date and passwords are strong.
Just the other day one of my reseller hosting servers located in Germany was terminated and another at Hostgator was suspended. I was told that my wordpress sites were using too much CPU from the server. Looking at the log snapshot sent by Hostgator indicated that all of the usage came from the wp-admin.php script. Was this not obvious to them? Someone was trying to brute force open the wordpress admin. After informing Hostgator that this was not my fault unless they didn’t think I should be using the most popular blog software they were quick to start blocking IP’s coming in. The German company (who I won’t name) said this was beyond the capabilities and that there policy was to take down any website that gets attacked…WTF? Ya I will be ditching them next week, any policy like that which penalizes the website owner for an attack rather than simply blocking the attacking IP’s is bullshit.
The German company told me as did Hostgator the attacks were all coming from China and the Ukraine. On my own managed dedicated boxes I have blocked these countries completely, along with other countries that have originated some scams and abuse such as Nigeria.
If you manage a linux server this is really easy here is how you can block nearly all the traffic from specific countries from coming into your website.
First get and install Advanced Policy Firewall (APF) https://www.rfxn.com/projects/advanced-policy-firewall/
Once you have that installed and configured properly according to the documentation login to your shell and find the apf folder usually at /etc/apf and edit the file deny_hosts.rules
Goto wizcrafts.net and find the APF IP lists for the desired countries. Here is some quick links
South America: http://www.wizcrafts.net/lacnic-iptables-blocklist.html
Other Exploited Networks: http://www.wizcrafts.net/exploited-servers-iptables-blocklist.html
Copy and paste these lists into the deny_hosts.rules and then save it.
Restart APF by #apf –r
If you find other IP’s in your logs that you want to block you can just edit this file and add those IP numbers to the list and restart APF.
These lists of IP’s change regularly so you may want to once a month go back and update it.
If your internet business for your server has nothing to do with these other countries there is no real reason not to block them using this or another method.
If you have an IP# and your not sure what country it is originating from, use http://www.infosniper.net/ to look it up.
About Charles Hays