
SpyEye_botnet errors in log

Hello

I'm seeing a lot of errors like this in the log:
Any idea how to solve this?


Sentinel info:

Version: 7.4.1.0_2512

Date: 2016-02-23




Log:


2016/04/15 10:54:03 | INFO | jvm 1 | Fri Apr 15 10:54:03 CEST 2016|SEVERE|TimerThreadPool pool|esecurity.base.util.logging.UnexpectedExceptionHandler.handle
2016/04/15 10:54:03 | INFO | jvm 1 | An unexpected exception occurred while setting attributes in map row data object for map SpyEye_Botnet (ID E2551D00-1F35-1033-A4CD-005056A0A6F8)..
2016/04/15 10:54:03 | INFO | jvm 1 | java.lang.NumberFormatException: For input string: "initial-scale=1" />"
2016/04/15 10:54:03 | INFO | jvm 1 | at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:2043)
2016/04/15 10:54:03 | INFO | jvm 1 | at sun.misc.FloatingDecimal.parseDouble(FloatingDecimal.java:110)
2016/04/15 10:54:03 | INFO | jvm 1 | at java.lang.Double.parseDouble(Double.java:538)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.base.datamodel.attribute.EsecLong.setValue(EsecLong.java:254)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.base.metadata.AttributeMD.createTruncatedValue(AttributeMD.java:972)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.base.metadata.AttributeMD.createValue(AttributeMD.java:958)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.base.metadata.AttributeMD.createValue(AttributeMD.java:952)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.base.datamodel.BaseAttributeObject.setAttribute(BaseAttributeObject.java:395)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.ccs.comp.mapengine.map.DelimitedSourceMapGenerator.getMapDataRowDO(DelimitedSourceMapGenerator.java:428)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.ccs.comp.mapengine.map.DelimitedSourceMapGenerator.populateMapRows(DelimitedSourceMapGenerator.java:288)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.ccs.comp.mapengine.map.DelimitedSourceMapGenerator.generate(DelimitedSourceMapGenerator.java:132)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.ccs.comp.mapengine.map.DelimitedSourceMapGenerator.generate(DelimitedSourceMapGenerator.java:74)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.ccs.comp.list.CListUpdater$Updater.readData(CListUpdater.java:329)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.ccs.comp.list.CListUpdater$Updater.access$500(CListUpdater.java:223)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.ccs.comp.list.CListUpdater$Updater$AbstractTask.run(CListUpdater.java:392)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.base.ccs.comp.timer.TimerServiceImpl$TimerRequest$1.run(TimerServiceImpl.java:177)
2016/04/15 10:54:03 | INFO | jvm 1 | at esecurity.base.ccs.comp.threadpool.TaskThreadPool$RunWrapper.run(TaskThreadPool.java:164)
2016/04/15 10:54:03 | INFO | jvm 1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
2016/04/15 10:54:03 | INFO | jvm 1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
2016/04/15 10:54:03 | INFO | jvm 1 | at java.lang.Thread.run(Thread.java:745)

Anonymous_User

Re: SpyEye_botnet errors in log

from
https://www.netiq.com/documentation/sentinel-73/s7301_release_notes/data/s7301_release_notes.html#b1ef780s

SpyEye Tracker Feeds Have Been Discontinued By Its Provider

Issue: The data provider for the SpyEye Tracker feed has discontinued
updates to this feed, stating that the SpyEye threat appears to be
mitigated. This feed plug-in is still bundled in Sentinel. Since the
data provider no longer supplies valid threat feeds, the feed plug-in
populates the dynamic lists with unexpected data, and related
correlation rules do not work properly. The Feeds user interface only
indicates that data was processed successfully, but does not indicate
that the data is invalid. (BUG 916560).

Workaround: The SpyEye Tracker plug-in does not cause any issues to your
server, but you can conserve system resources by removing this feed
plug-in and its related Sentinel objects: dynamic list and correlation
rules.

Uninstall the SpyEye Botnet component in the Solution Packs Manager.
This will remove the associated dynamic lists, correlation rules, and
the feed plug-in. However, if the feed plug-in was scheduled or run
previously, you cannot remove the feed plug-in. Instead, you can set the
schedule to update feeds to Never. For more information about removing
SpyEye Botnet component in the Solution Packs Manager, see the Threat
Intelligence Solution Pack documentation on the Sentinel Plug-ins Web site.

Norbert

On 15.04.2016 10:55, alekz wrote:
> Hello
>
> I'm seeing a lot of errors like this in the log:
> Any idea how to solve this?



--
Norbert
rmjan79

Re: SpyEye_botnet errors in log

I thought that the SpyEye Botnet component was uninstalled by updating the Threat Intelligence Solution Pack from Version 2011.1r1 to 2011.1r2:

Link: https://www.netiq.com/support/sentinel/plugins/prod/solutions/Threat-Intelligence_2011.1r2.html#ReleaseNotes_section

Release Notes: 2011.1r2

- Converted the documentation to HTML
- Removed SpyEye Tracker feed and related control from Solution Pack. (Bug# 924040)
- Modified Palevo Tracker and ZeuS Tracker feed plug-ins to validate the Web URLs provided. (Bug# 922553)

But the "Plug-ins" Page still shows the "SpyEye Tracker" under the "Feed" Section ...

Is that a bug of the Threat Intelligence Solution Pack?

Jan
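The release note Norbert quotes (the discontinued feed populating dynamic lists with unexpected data while the Feeds UI reports success) and the 2011.1r2 note Jan quotes (feed plug-ins modified to validate the URLs provided) both come down to the same defensive check before a list is updated. As an added example, not Sentinel's or the Solution Pack's code: a feed loader that refuses to populate a list from a body that turns out to be an HTML page (the `"initial-scale=1" />` string in the NumberFormatException above is a viewport meta tag, not feed data) or that has malformed rows, and reports a rejection instead of success. The ip,port,first_seen layout, the sample bodies and all function names are assumptions.

```python
# Added example, not Sentinel code; the field layout and both sample bodies are constructed.
import ipaddress
import re

# Constructed sample of a healthy delimited feed body (ip,port,first_seen).
GOOD_FEED = "# ip,port,first_seen\n192.0.2.10,8080,1460000000\n198.51.100.7,443,1460003600\n"
# Constructed sample: the provider's server now returns an HTML landing page instead.
HTML_FEED = ('<!DOCTYPE html><html><head><meta name="viewport" '
             'content="width=device-width, initial-scale=1" />'
             '<title>Feed discontinued</title></head><body>gone</body></html>\n')
HTML_MARKERS = re.compile(r"<(!doctype|html|head|meta|body)\b", re.IGNORECASE)


class FeedValidationError(ValueError):
    pass


def looks_like_html(body: str) -> bool:
    # Only the start of the body is inspected; markup this early is not feed data.
    return bool(HTML_MARKERS.search(body[:2048]))


def parse_feed(body: str, content_type: str = "text/plain") -> list[tuple[str, int, int]]:
    """Return validated (ip, port, first_seen) rows; one bad row rejects the whole update."""
    if not content_type.lower().startswith("text/plain") or looks_like_html(body):
        raise FeedValidationError("body is not a delimited text feed")
    rows = []
    for lineno, line in enumerate(body.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment header
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise FeedValidationError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        try:
            ipaddress.ip_address(parts[0])  # raises ValueError on a non-address
            port, seen = int(parts[1]), int(parts[2])
        except ValueError as exc:
            raise FeedValidationError(f"line {lineno}: {exc}") from None
        if not 0 < port < 65536:
            raise FeedValidationError(f"line {lineno}: port {port} out of range")
        rows.append((parts[0], port, seen))
    if not rows:
        raise FeedValidationError("feed contained no data rows")
    return rows


def update_dynamic_list(current: set[str], body: str, content_type: str = "text/plain") -> tuple[set[str], str]:
    """Replace the list only when the feed validates; otherwise keep it and report REJECTED."""
    try:
        rows = parse_feed(body, content_type)
    except FeedValidationError as exc:
        return current, f"REJECTED: {exc}"
    return {ip for ip, _, _ in rows}, f"OK: {len(rows)} rows"
```

The previous list contents survive a rejected update, so a correlation rule keeps matching the last good data rather than an empty or garbage list.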
ScorpionSting

Re: SpyEye_botnet errors in log

I noticed similar behaviour, but after a restart of the service it eventually cleaned itself up....

rmjan79

Re: SpyEye_botnet errors in log

ScorpionSting;2426252 wrote:
> I noticed similar behaviour, but after a restart of the service it eventually cleaned itself up....


Which service do you mean? Sentinel or another component? I've rebooted the whole server, and the "SpyEye Tracker Feed" is still under the "Feed" Section of the "Plug-ins" page.