
HTTP Zombie Exploit Toolkit Request <SOLVED>

o0infidel0o

Fire Starter
40
11
Joined Jan 2, 2011
I started getting these messages from Norton's today. It happens on random pages and on random ports when I visit on this site. The messages haven't appeared until today.

Attacker URL: www.smokingmeatforums.com/p.php?c=[insert random 20-25 upper case and lower case letters here]=

TCP, Port 52648

Severity: High

I am running Windows 7 Professional, Firefox, Norton's Internet Security 2011 with latest updates (as of 45 seconds ago).

Anyone else having this problem...?
 

o0infidel0o

Fire Starter
40
11
Joined Jan 2, 2011
Just a quick update... I noticed I was getting most of the warnings when I was viewing threads with QView images. Not that it's related, but when I disable all images (using web developer toolbar), the messages stopped. I'll keep poking around and see if I can come up with anything else. Thanks!
 

dale5351

Smoking Fanatic
456
14
Joined Jun 20, 2010
And I just got such a warning when I opened your thread into a new tab.  First time I have ever seen it.

Could it be one of the advertisements???
 

bmudd14474

Legendary Pitmaster
Staff member
Administrator
Moderator
OTBS Member
★ Lifetime Premier ★
Group Lead
8,762
1,289
Joined Jun 1, 2008
If it was the ads it would happen everywhere, but from the sounds of it from his first post that it happens from threads with qview, it could be the image hosting company people are using, and most are using Photobucket. But others do post through the site. I notified Huddler and they will figure it out.
 

dale5351

Smoking Fanatic
456
14
Joined Jun 20, 2010
Little bit later.

It happened to me every time I opened any thread.  I got the same warning from Norton's.  Norton's claims to have blocked it, but it does seem to be a concern.

Here is info from the warning, typed (Norton would not let me cut&paste):

risk name: HTTP Zombie Exploit Toolkit Request

attacker URL: www.smokingmeatforums.com/p.php?c=<a whole bunch of random letters & numbers>

Destination Address: files.smokingmeatforums.com (67.228.167.131, 80)

Source address: 192.168.2.3  (which is local net number of my computer).

Traffic Description: TCP, port 1981

further descriptions state:

Network traffic from <MY COMPUTER NAME> matches the signature of a known attack.  The attack was resulted from

\DEVICE\HARDDISKVOLUME12\PROGRAM FILES\INTERNET EXPLORER\IEEXPLORE.EXE

Hope that helps the guys figure out what is going on.

<directions on how to turn off notification>
 

o0infidel0o

Fire Starter
40
11
Joined Jan 2, 2011
I started poking sticks at the page source code and found a bit of javascript called skimlinks.js...there is an image associated with that bit of code. That image source has the same code as noted in my first post.

src=p.php?[insert a lot of random letters and numbers here]= -these random numbers seem to change, dependent upon the page I am viewing.--
 

o0infidel0o

Fire Starter
40
11
Joined Jan 2, 2011
[quote name="bmudd14474" url="/forum/thread/102493/http-zombie-exploit-toolkit-request#post_583028"]
If it was the ads it would happen everywhere but from the sounds of it from his first post that it happens from threads with qview it could be the image hosting company people are using and most are using photobucket. But others do post thru the site. I notified huddler and they will figure it out.

[/quote]

Thank you... not a big deal, Norton's is blocking it, but just giving you all a heads up.
 

transplant138

Newbie
1
10
Joined Jan 12, 2011
I've been having the same problem, don't understand what's going on. If anyone does and knows how to fix it, that would be great.
 

tigerregis

Meat Mopper
188
12
Joined Oct 29, 2009
Same here. Norton is warning me every other minute. First time this has happened to me.
 

jirodriguez

Master of the Pit
OTBS Member
SMF Premier Member
4,653
138
Joined Jun 5, 2009
[quote name="o0infidel0o"]
I started poking sticks at the page source code and found a bit of javascript called skimlinks.js...there is an image associated with that bit of code. That image source has the same code as noted in my first post.

src=p.php?[insert a lot of random letters and numbers here]= -these random numbers seem to change, dependent upon the page I am viewing.--
[/quote]

I think o0Infidel0o nailed it, but hopefully Huddler can confirm and correct it.
 

shoneyboy

Master of the Pit
OTBS Member
1,895
55
Joined Nov 3, 2010
I'm seeing it too, but I'm not as computer literate as some others, so I have just been ignoring it so far. Keep me in the loop if I need to do something about it. Thanks
 

mballi3011

Epic Pitmaster
OTBS Member
SMF Premier Member
14,478
55
Joined Mar 12, 2009


I was getting the prompts also and Norton is blocking it, so if someone comes up with a fix let me know. Keeping in mind I didn't pass the computers for dummies test.
 

bmudd14474

Legendary Pitmaster
Staff member
Administrator
Moderator
OTBS Member
★ Lifetime Premier ★
Group Lead
8,762
1,289
Joined Jun 1, 2008
We received information from Huddler that Norton is producing a false positive. Below is information from Norton's site.

Norton Antivirus Users:   Norton released new virus definitions last night and today which are causing users with an updated version of Norton (as of 1/11) to see false positive reports of an intrusion.  We are working to resolve the issue as quickly as possible and have sent the report to Norton.  Please disregard these alerts - we will provide additional information as we have it.  Thank you for your patience!
 

bmudd14474

Legendary Pitmaster
Staff member
Administrator
Moderator
OTBS Member
★ Lifetime Premier ★
Group Lead
8,762
1,289
Joined Jun 1, 2008
Just a bit more information here.  The issue is caused by the name we use for our "tracking pixel" p.php.  The tracking pixel is used to incrementally add view counts for thread views. 

That said, any website that uses a file called p.php will trigger the exact same alert.  As an example, if you have an updated version of Norton running on your computer, if you go to http://www.facebook.com/p.php, you will see the exact same HTTP Zombie Exploit Toolkit Request alert.  If you do a quick Google search for this URL, it appears to be logged in Google's index as Facebook's sign up page.  While it is a completely different website and a different file, it will result in the same Norton alert.
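
An added example, not part of the original thread and not Norton's or Huddler's code: a triage check for the situation described above, where one signature fires on the same file name across unrelated sites. The alert records are constructed from the fields quoted in the thread; the `example.org` and `example.net` hosts, the query values, the second signature name and the "last two labels" site rule are assumptions for illustration.

```python
import posixpath
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed alert records (risk name, attacker URL) modelled on the thread.
# Query values, example.org/example.net and the second signature are made up.
ALERTS = [
    ("HTTP Zombie Exploit Toolkit Request", "www.smokingmeatforums.com/p.php?c=AAAA="),
    ("HTTP Zombie Exploit Toolkit Request", "www.smokingmeatforums.com/p.php?c=BBBB="),
    ("HTTP Zombie Exploit Toolkit Request", "http://www.facebook.com/p.php"),
    ("HTTP Zombie Exploit Toolkit Request", "http://stats.example.org/img/p.php?id=7"),
    ("Constructed Other Signature", "http://cdn.example.net/load.php?x=1"),
]


def split_alert_url(url):
    """Return (site, file name); accepts URLs logged without a scheme."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat the leading part as the host
    parts = urlsplit(url, scheme="http")
    host = (parts.hostname or "").lower()
    # Assumption: the last two labels approximate the site. Real triage
    # would use the Public Suffix List instead.
    site = ".".join(host.split(".")[-2:])
    return site, posixpath.basename(parts.path)


def filename_only_hits(alerts, min_sites=2):
    """Group alerts by (signature, file name) and keep the groups that span
    several unrelated sites, a hint the rule keys on the name alone."""
    sites = defaultdict(set)
    for sig, url in alerts:
        site, name = split_alert_url(url)
        sites[(sig, name)].add(site)
    return {key: sorted(seen) for key, seen in sites.items()
            if len(seen) >= min_sites}


if __name__ == "__main__":
    for (sig, name), where in filename_only_hits(ALERTS).items():
        print(f"{sig!r} fires on {name!r} at {len(where)} sites: {where}")
```

A group that spans several unrelated sites is a reason to report the signature to the vendor, as was done here, rather than proof that the traffic is benign.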
 

pineywoods

SMF Hall of Fame Pitmaster
Staff member
Administrator
OTBS Member
SMF Premier Member
OTBS Admin
Group Lead
26,663
888
Joined Mar 22, 2008
It seems to have stopped, at least it has for me.
 

bmudd14474

Legendary Pitmaster
Staff member
Administrator
Moderator
OTBS Member
★ Lifetime Premier ★
Group Lead
8,762
1,289
Joined Jun 1, 2008
Huddler changed the name of the file that Norton was generating the false positive on. Also Norton is scheduled to release a patch for their software today sometime.
 
