# HTTP Zombie Exploit Toolkit Request <SOLVED>



## o0infidel0o

I started getting these messages from Norton's today. It happens on random pages and on random ports when I visit this site. The messages haven't appeared until today.

Attacker URL: www.smokingmeatforums.com/p.php?c=[insert random 20-25 upper case and lower case letters here]=

TCP, Port 52648

Severity: High

I am running Windows 7 Professional, Firefox, Norton's Internet Security 2011 with latest updates (as of 45 seconds ago).

Anyone else having this problem...?


----------



## o0infidel0o

Just a quick update...I noticed I was getting most of the warnings when I was viewing threads with QView images. Not that it's related, but when I disable all images (using web developer toolbar), the messages stopped. I'll keep poking around and see if I can come up with anything else. Thanks!


----------



## dale5351

And I just got such a warning when I opened your thread into a new tab.  First time I have ever seen it.

Could it be one of the advertisements???


----------



## bmudd14474

If it was the ads it would happen everywhere but from the sounds of it from his first post that it happens from threads with qview it could be the image hosting company people are using and most are using photobucket. But others do post thru the site. I notified huddler and they will figure it out.


----------



## dale5351

Little bit later.

It happened to me every time I opened any thread.  I got the same warning from Norton's.  Norton's claims to have blocked it, but it does seem to be a concern.

Here is info from the warning, typed (Norton would not let me cut&paste):

risk name: HTTP Zombie Exploit Toolkit Request

attacker URL: www.smokingmeatforums.com/p.php?c=<a whole bunch of random letters & numbers>

Destination Address: files.smokingmeatforums.com (67.228.167.131, 80)

Source address: 192.168.2.3  (which is local net number of my computer).

Traffic Description: TCP, port 1981

further descriptions state:

Network traffic from <MY COMPUTER NAME> matches the signature of a known attack.  The attack was resulted from

\DEVICE\HARDDISKVOLUME12\PROGRAM FILES\INTERNET EXPLORER\IEEXPLORE.EXE

Hope that helps the guys figure out what is going on.

<directions on how to turn off notification>


----------



## o0infidel0o

I started poking sticks at the page source code and found a bit of javascript called skimlinks.js...there is an image associated with that bit of code. That image source has the same code as noted in my first post.

_src=p.php?[insert a lot of random letters and numbers here]=_ *-these random numbers seem to change, dependent upon the page I am viewing.--*


----------



## o0infidel0o

bmudd14474 said:


> If it was the ads it would happen everywhere but from the sounds of it from his first post that it happens from threads with qview it could be the image hosting company people are using and most are using photobucket. But others do post thru the site. I notified huddler and they will figure it out.


Thank you...not a big deal, Norton's is blocking it, but just giving you all a heads up.


----------



## stocktrader

I have been getting hit by this Zombie Exploit every 20 seconds today. What's going on?


----------



## transplant138

I've been having the same problem, don't understand what's going on. If anyone does and how to fix it, that would be great.


----------



## tigerregis

Same here. Norton is warning me every other minute. First time this has happened to me.


----------



## jirodriguez

o0Infidel0o said:


> I started poking sticks at the page source code and found a bit of javascript called skimlinks.js...there is an image associated with that bit of code. That image source has the same code as noted in my first post.
> 
> _src=p.php?[insert a lot of random letters and numbers here]=_ *-these random numbers seem to change, dependent upon the page I am viewing.--*


I think o0Infidel0o nailed it, but hopefully Huddler can confirm and correct it.


----------



## shoneyboy

I'm seeing it too, But I'm not as computer literate as some others, so I have just been ignoring it so far. Keep me in the loop if I need to do something about it. Thanks


----------



## mballi3011

I was getting the prompts also and Norton is blocking it so if someone comes up with a fix let me. Keeping in mind I didn't pass the computers for dummies test.


----------



## sqwib

Same here


----------



## placebo

I run Symantec and have not had any problems. This is what the Symantec site says for this threat:

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23979

and this:

http://www.symantec.com/connect/forums/http-zombie-exploit-toolkit-request


----------



## bmudd14474

We received information from Huddler that Norton is producing a false positive. Below is information from Norton's site.

*Norton Antivirus Users:*   Norton released new virus definitions last night and today which are causing users with an updated version of Norton (as of 1/11) to see false positive reports of an intrusion.  We are working to resolve the issue as quickly as possible and have sent the report to Norton.  Please disregard these alerts - we will provide additional information as we have it.  Thank you for your patience!


----------



## DanMcG

thanks for the heads up Brian


----------



## bmudd14474

Just a bit more information here.  The issue is caused by the name we use for our "tracking pixel" p.php.  The tracking pixel is used to incrementally add view counts for thread views. 

That said, any website that uses a file called p.php will trigger the exact same alert.  As an example, if you have an updated version of Norton running on your computer, if you go to http://www.facebook.com/p.php, you will see the exact same HTTP Zombie Exploit Toolkit Request alert.  If you do a quick Google search for this URL, it appears to be logged in Google's index as Facebook's sign up page.  While it is a completely different website and a different file, it will result in the same Norton alert.
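
An added illustration of the false positive described in the post above (not part of the thread, and not Norton's actual signature, which the page does not show): two hypothetical URL rules are run against a constructed benign corpus to show why matching on the file name `p.php` alone flags unrelated sites. The rule functions, the placeholder host `kit-host.example` and the sample query tokens are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hypothetical rules for illustration; Norton's real signature is not shown on the page.
KNOWN_BAD_HOSTS = {"kit-host.example"}  # constructed placeholder, not a real indicator


def filename_only_rule(url: str) -> bool:
    """Fire on any request whose final path segment is p.php."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower() == "p.php"


def host_scoped_rule(url: str) -> bool:
    """Same file-name match, but only for hosts already known to be bad."""
    host = (urlsplit(url).hostname or "").lower()
    return filename_only_rule(url) and host in KNOWN_BAD_HOSTS


# Constructed samples: benign URLs shaped like the ones in the thread (tokens invented).
BENIGN = [
    "http://www.smokingmeatforums.com/p.php?c=AbCdEfGhIjKlMnOpQrStUv=",
    "http://www.facebook.com/p.php",
    "http://www.smokingmeatforums.com/forum/thread/102493/http-zombie-exploit-toolkit-request",
]
MALICIOUS = ["http://kit-host.example/p.php?c=ZyXwVuTsRqPoNmLkJiHg="]


def evaluate(rule, benign=BENIGN, malicious=MALICIOUS) -> dict:
    """Return the false positives and misses a rule produces on the labelled corpus."""
    return {
        "false_positives": [u for u in benign if rule(u)],
        "missed": [u for u in malicious if not rule(u)],
    }


def release_gate(rule) -> bool:
    """A rule ships only if it flags no benign URL and misses no malicious one."""
    result = evaluate(rule)
    return not result["false_positives"] and not result["missed"]


if __name__ == "__main__":
    for rule in (filename_only_rule, host_scoped_rule):
        print(rule.__name__, evaluate(rule), "ship:", release_gate(rule))
```

Running a candidate rule through a gate like this against a corpus of known-benign traffic before release is what catches a file-name-only match of the kind the post describes.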


----------



## pineywoods

It seems to have stopped at least it has for me


----------



## bmudd14474

Huddler changed the name of the file that Norton was generating the false positive on. Also Norton is scheduled to release a patch for their software today sometime.


----------



## jirodriguez

bmudd14474 said:


> Huddler changed the name of the file that Norton was generating the false positive on. Also Norton is scheduled to release a patch for their software today sometime.


Very cool. Thanks for the follow up and the updates. I figured it was a false positive, or something similar, but you never know in this wonderful computer age we live in.


----------



## TulsaJeff

Thanks Brian and Huddler for continuing to keep this the best and safest smoking meat forum on the net. I was never worried and I knew that with Brian, and Huddler on the watch, everything would be ok.

You can fit what I know about Norton, computer viruses and zombies on the pointy end of a sharpened pencil


----------



## scarbelly

Is this fix going to stop the pop up for vanilla ice's new tv show too?


----------



## abigail4476

Wow, Brian - your sleuthing abilities are great.

Nice job.


----------



## TulsaJeff

I believe they are still working on that fix and should be available soon.


----------



## o0infidel0o

Thanks all for the quick response and followup! The thought of a false positive had crossed my mind, but figured I would drop a line nonetheless. Again, thanks for the information and quick responses.


*EDIT- Changed thread title to SOLVED, as it appears the issue is in good hands....


----------



## meateater

Dang I was looking forward to some positive falsies!


----------



## dale5351

The alert did not happen to me on opening this thread.  My Norton's is constantly updating its definitions, and so something got fixed somewhere.

Thanks to whoever :-}}


----------



## SmokinAl

I think it's been solved. I'm not getting the notices anymore this morning.


----------

