HTTP Zombie Exploit Toolkit Request <SOLVED>

Discussion in 'Bugs, Glitches and Miscellaneous Forum Problems' started by o0infidel0o, Jan 11, 2011.

  1. o0infidel0o

    o0infidel0o Fire Starter

    I started getting these messages from Norton's today. It happens on random pages and on random ports when I visit this site. The messages hadn't appeared until today.

    Attacker URL: www.smokingmeatforums.com/p.php?c=[insert random 20-25 upper case and lower case letters here]=

    TCP, Port 52648

    Severity: High

    I am running Windows 7 Professional, Firefox, Norton's Internet Security 2011 with latest updates (as of 45 seconds ago).

    Anyone else having this problem...?
     
  2. o0infidel0o

    o0infidel0o Fire Starter

    Just a quick update... I noticed I was getting most of the warnings when I was viewing threads with QView images. Not that it's related, but when I disabled all images (using web developer toolbar), the messages stopped. I'll keep poking around and see if I can come up with anything else. Thanks!
     
  3. dale5351

    dale5351 Smoking Fanatic

    And I just got such a warning when I opened your thread into a new tab.  First time I have ever seen it.

    Could it be one of the advertisements???
     
  4. bmudd14474

    bmudd14474 Smoking Guru Staff Member Administrator Group Lead OTBS Member SMF Premier Member

    If it was the ads, it would happen everywhere, but from the sounds of it from his first post, that it happens from threads with qview, it could be the image hosting company people are using, and most are using Photobucket. But others do post thru the site. I notified Huddler and they will figure it out.
     
  5. dale5351

    dale5351 Smoking Fanatic

    Little bit later.

    It happened to me every time I opened any thread.  I got the same warning from Norton's.  Norton's claims to have blocked it, but it does seem to be a concern.

    Here is info from the warning, typed (Norton would not let me cut&paste):

    risk name: HTTP Zombie Exploit Toolkit Request

    attacker URL: www.smokingmeatforums.com/p.php?c=<a whole bunch of random letters & numbers>

    Destination Address: files.smokingmeatforums.com (67.228.167.131, 80)

    Source address: 192.168.2.3  (which is local net number of my computer).

    Traffic Description: TCP, port 1981

    further descriptions state:

    Network traffic from <MY COMPUTER NAME> matches the signature of a known attack.  The attack was resulted from

    \DEVICE\HARDDISKVOLUME12\PROGRAM FILES\INTERNET EXPLORER\IEEXPLORE.EXE

    Hope that helps the guys figure out what is going on.

    <directions on how to turn off notification>
     
    Last edited: Jan 11, 2011
  6. o0infidel0o

    o0infidel0o Fire Starter

    I started poking sticks at the page source code and found a bit of javascript called skimlinks.js...there is an image associated with that bit of code. That image source has the same code as noted in my first post.

    src=p.php?[insert a lot of random letters and numbers here]= -these random numbers seem to change, dependent upon the page I am viewing.--
     
  7. o0infidel0o

    o0infidel0o Fire Starter

    bmudd14474 said:
    "If it was the ads it would happen everywhere but from the sounds of it from his first post that it happens from threads with qview it could be the image hosting company people are using and most are using photobucket. But others do post thru the site. I notified huddler and they will figure it out."

    Thank you... not a big deal, Norton's is blocking it, but just giving you all a heads up.
     
  8. stocktrader

    stocktrader Newbie

    I have been getting hit by this Zombie Exploit every 20 seconds today {What's going on?}
     
  9. transplant138

    transplant138 Newbie

    I've been having the same problem, don't understand what's going on. If anyone does and knows how to fix it, that would be great.
     
  10. tigerregis

    tigerregis Meat Mopper

    Same here. Norton is warning me every other minute. First time this has happened to me.
     
  11. jirodriguez

    jirodriguez Master of the Pit OTBS Member SMF Premier Member

    I think o0Infidel0o nailed it, but hopefully Huddler can confirm and correct it.
     
  12. shoneyboy

    shoneyboy Master of the Pit OTBS Member

    I'm seeing it too, but I'm not as computer literate as some others, so I have just been ignoring it so far. Keep me in the loop if I need to do something about it. Thanks
     
  13. mballi3011

    mballi3011 Smoking Guru OTBS Member SMF Premier Member


    I was getting the prompts also and Norton is blocking it, so if someone comes up with a fix let me know. Keeping in mind I didn't pass the computers for dummies test.
     
  14. sqwib

    sqwib Smoking Guru OTBS Member

    Same here

     
  15. placebo

    placebo Smoking Fanatic OTBS Member SMF Premier Member

    Last edited: Jan 12, 2011
  16. bmudd14474

    bmudd14474 Smoking Guru Staff Member Administrator Group Lead OTBS Member SMF Premier Member

    We received information from Huddler that Norton is producing a false positive. Below is information from Norton's site.

    Norton Antivirus Users:   Norton released new virus definitions last night and today which are causing users with an updated version of Norton (as of 1/11) to see false positive reports of an intrusion.  We are working to resolve the issue as quickly as possible and have sent the report to Norton.  Please disregard these alerts - we will provide additional information as we have it.  Thank you for your patience!
     
  17. danmcg

    danmcg Master of the Pit OTBS Member SMF Premier Member

    Thanks for the heads up, Brian
     
  18. bmudd14474

    bmudd14474 Smoking Guru Staff Member Administrator Group Lead OTBS Member SMF Premier Member

    Just a bit more information here.  The issue is caused by the name we use for our "tracking pixel" p.php.  The tracking pixel is used to incrementally add view counts for thread views. 

    That said, any website that uses a file called p.php will trigger the exact same alert.  As an example, if you have an updated version of Norton running on your computer, if you go to http://www.facebook.com/p.php, you will see the exact same HTTP Zombie Exploit Toolkit Request alert.  If you do a quick Google search for this URL, it appears to be logged in Google's index as Facebook's sign up page.  While it is a completely different website and a different file, it will result in the same Norton alert.
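
The behaviour described in the post above, as an added example that is not part of the original thread or Norton's code: a signature keyed only on the script name fires on unrelated sites, and grouping alerts by signature and file name makes that visible during triage. The matcher is a hypothetical stand-in (the real signature is not shown on this page), and the sample alerts are constructed from URLs quoted in the thread.

```python
from collections import defaultdict
from urllib.parse import urlsplit
import posixpath

def split_url(url):
    # Alerts in the thread show URLs without a scheme; add one so the host parses.
    return urlsplit(url if "://" in url else "http://" + url)

def filename_only_signature(url):
    """Hypothetical matcher: fires on any request whose script name is p.php."""
    return posixpath.basename(split_url(url).path).lower() == "p.php"

def overbroad_candidates(alerts):
    """Return (signature, file name) pairs that fired on more than one host.

    The same alert on unrelated hosts for the same file name suggests the
    signature keys on the name alone and should be checked with the vendor.
    """
    hosts = defaultdict(set)
    for alert in alerts:
        parts = split_url(alert["url"])
        key = (alert["signature"], posixpath.basename(parts.path).lower())
        hosts[key].add(parts.hostname)
    return {key: sorted(h) for key, h in hosts.items() if len(h) > 1}

# Constructed sample alerts; the c= value is made up, the hosts come from the thread.
SIG = "HTTP Zombie Exploit Toolkit Request"
SAMPLE_URLS = [
    "www.smokingmeatforums.com/p.php?c=AbCdEfGhIjKlMnOpQrStUv=",
    "http://www.facebook.com/p.php",
    "http://www.smokingmeatforums.com/forum/thread/102493/http-zombie-exploit-toolkit-request",
]
SAMPLE_ALERTS = [
    {"signature": SIG, "url": u} for u in SAMPLE_URLS if filename_only_signature(u)
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(filename_only_signature(url), url)
    print(overbroad_candidates(SAMPLE_ALERTS))
```
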
     
  19. pineywoods

    pineywoods Smoking Guru Staff Member Administrator Group Lead SMF Premier Member

    It seems to have stopped, at least it has for me
     
  20. bmudd14474

    bmudd14474 Smoking Guru Staff Member Administrator Group Lead OTBS Member SMF Premier Member

    Huddler changed the name of the file that Norton was generating the false positive on. Also Norton is scheduled to release a patch for their software today sometime.
     
