HTTP Zombie Exploit Toolkit Request <SOLVED>


o0infidel0o

I started getting these messages from Norton's today. It happens on random pages and on random ports when I visit this site. The messages hadn't appeared until today.

Attacker URL: www.smokingmeatforums.com/p.php?c=[insert random 20-25 upper case and lower case letters here]=

TCP, Port 52648

Severity: High

I am running Windows 7 Professional, Firefox, Norton's Internet Security 2011 with latest updates (as of 45 seconds ago).

Anyone else having this problem...?
 
Just a quick update... I noticed I was getting most of the warnings when I was viewing threads with QView images. Not that it's related, but when I disable all images (using web developer toolbar), the messages stopped. I'll keep poking around and see if I can come up with anything else. Thanks!
 
And I just got such a warning when I opened your thread into a new tab.  First time I have ever seen it.

Could it be one of the advertisements???
 
If it was the ads, it would happen everywhere, but from the sounds of it from his first post, that it happens from threads with QView, it could be the image hosting company people are using, and most are using Photobucket. But others do post thru the site. I notified Huddler and they will figure it out.
 
Little bit later.

It happened to me every time I opened any thread.  I got the same warning from Norton's.  Norton's claims to have blocked it, but it does seem to be a concern.

Here is info from the warning, typed (Norton would not let me cut&paste):

risk name: HTTP Zombie Exploit Toolkit Request

attacker URL: www.smokingmeatforums.com/p.php?c=<a whole bunch of random letters & numbers>

Destination Address: files.smokingmeatforums.com (67.228.167.131, 80)

Source address: 192.168.2.3  (which is local net number of my computer).

Traffic Description: TCP, port 1981

further descriptions state:

Network traffic from <MY COMPUTER NAME> matches the signature of a known attack.  The attack was resulted from

\DEVICE\HARDDISKVOLUME12\PROGRAM FILES\INTERNET EXPLORER\IEEXPLORE.EXE

Hope that helps the guys figure out what is going on.

<directions on how to turn off notification>
 
I started poking sticks at the page source code and found a bit of javascript called skimlinks.js...there is an image associated with that bit of code. That image source has the same code as noted in my first post.

src=p.php?[insert a lot of random letters and numbers here]= -these random numbers seem to change, dependent upon the page I am viewing.--
 
[quote name="bmudd14474" url="/forum/thread/102493/http-zombie-exploit-toolkit-request#post_583028"]
If it was the ads, it would happen everywhere, but from the sounds of it from his first post, that it happens from threads with QView, it could be the image hosting company people are using, and most are using Photobucket. But others do post thru the site. I notified Huddler and they will figure it out.

[/quote]

Thank you... not a big deal, Norton's is blocking it, but just giving you all a heads up.
 
I've been having the same problem, don't understand what's going on. If anyone does and how to fix it, that would be great.
 
I started poking sticks at the page source code and found a bit of javascript called skimlinks.js...there is an image associated with that bit of code. That image source has the same code as noted in my first post.

src=p.php?[insert a lot of random letters and numbers here]= -these random numbers seem to change, dependent upon the page I am viewing.--
I think o0Infidel0o nailed it, but hopefully Huddler can confirm and correct it.
 
I'm seeing it too, but I'm not as computer literate as some others, so I have just been ignoring it so far. Keep me in the loop if I need to do something about it. Thanks
 
I was getting the prompts also and Norton is blocking it so if someone comes up with a fix let me. Keeping in mind I didn't pass the computers for dummies test.
 
We received information from Huddler that Norton is producing a false positive. Below is information from Norton's site.

Norton Antivirus Users:   Norton released new virus definitions last night and today which are causing users with an updated version of Norton (as of 1/11) to see false positive reports of an intrusion.  We are working to resolve the issue as quickly as possible and have sent the report to Norton.  Please disregard these alerts - we will provide additional information as we have it.  Thank you for your patience!
 
Just a bit more information here.  The issue is caused by the name we use for our "tracking pixel" p.php.  The tracking pixel is used to incrementally add view counts for thread views. 

That said, any website that uses a file called p.php will trigger the exact same alert.  As an example, if you have an updated version of Norton running on your computer, if you go to http://www.facebook.com/p.php, you will see the exact same HTTP Zombie Exploit Toolkit Request alert.  If you do a quick Google search for this URL, it appears to be logged in Google's index as Facebook's sign up page.  While it is a completely different website and a different file, it will result in the same Norton alert.
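
An added example, not part of the original posts and not Norton's or Huddler's code: a regression check that runs a URL signature over known-benign requests and flags it when it fires on the same file name across unrelated sites, which is the false-positive pattern described above. The signature regex is a hypothetical stand-in (Norton's real rule is not shown in this thread), and the sample URLs are constructed from the ones quoted here plus one placeholder host.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical signature keyed only on a file name (assumption for
# illustration; this is not Norton's actual detection rule).
FILENAME_ONLY_SIG = re.compile(r"/p\.php(\?|$)")

# Constructed known-benign requests, modelled on URLs quoted in the thread.
BENIGN_REQUESTS = [
    "http://www.smokingmeatforums.com/p.php?c=AbCdEfGhIjKlMnOpQrStUv=",
    "http://www.facebook.com/p.php",
    "http://shop.example.org/cart/p.php?item=42",  # placeholder third site
    "http://www.smokingmeatforums.com/forum/thread/102493/"
    "http-zombie-exploit-toolkit-request",
]

def site(host):
    # Naive registrable domain: last two labels (enough for these samples).
    return ".".join(host.lower().split(".")[-2:])

def benign_hits(signature, urls):
    """Map each site to the benign request paths the signature fires on."""
    hits = defaultdict(list)
    for url in urls:
        parts = urlsplit(url)
        target = parts.path + ("?" + parts.query if parts.query else "")
        if signature.search(target):
            hits[site(parts.hostname)].append(parts.path)
    return dict(hits)

def assess(signature, urls):
    """Classify a signature by how it behaves on known-benign traffic."""
    hits = benign_hits(signature, urls)
    if not hits:
        return "no benign matches"
    # Basenames of every matched path, across all sites.
    names = {p.rsplit("/", 1)[-1] for paths in hits.values() for p in paths}
    if len(hits) >= 2 and len(names) == 1:
        return (f"overbroad: fires on '{names.pop()}' "
                f"across {len(hits)} unrelated sites")
    return "matches benign traffic on one site: review"

if __name__ == "__main__":
    print(assess(FILENAME_ONLY_SIG, BENIGN_REQUESTS))
```
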
 
It seems to have stopped, at least it has for me.
 
Huddler changed the name of the file that Norton was generating the false positive on. Also Norton is scheduled to release a patch for their software today sometime.
 