Getting Web Attack: Exploit Toolkit Website 115 alerts from Norton Security while using Firefox
I keep getting alerts from Norton while browsing ran Norton's scan and MBAM then ran Norton's Power Eraser. I did not fine the source of the problem. I added an entry to my hosts file hoping it would block the IP but it doesn't seem to work, I may have done something wrong. The entry I made is: 103.224.212.246 0redird.com at the end of the hosts file. Below is the log from Norton security, the full URL is very long:
Category: Intrusion Prevention Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description 9/8/2022 4:29:31 PM,High,An intrusion attempt by 0redird.com was blocked.,Blocked,No Action Required,Web Attack: Exploit Toolkit Website 115,No Action Required,No Action Required,"0redird.com (103.224.212.246, 80)","http://0redird.com/jr.php?gz=1OEmizLy7QYVD%2F%2B2wVJzO349fnNvVUhsTGdjbWhyaGllTWp3YzVnNkNISUJUcy90a3J0dk1WOVcvWFp1akhIZk9IV1gzSUhCUVlqelYzZGNPbEx3eUVIdGllWjlybTVQaGpMRWFLaEVZMSt4RURuLzFtQUI0WXowUU83d0VZM2JybmZ5WFZaaXVKTFJlM0tBeHg3R2Z6RTRHeXlybG1lYmFjSFBGSFZlY2FJNVBOREhZUEJDZWU3OFhyaDFiNEZwSU5Da0x6YndWaWNtc1RCVHZUWHBVMjREQ1RoVU1VRlFuUUduNmdwYW5LYWFTYjFaNVFWcnhmSGdWL1RTY3Nvc3k4TEpCaGdzeFlmeCsrS0FIb0pqazNrZFppUXRKZEg0MlFrNkUwSlRGRXJQaXNBRVFrdUhETENVMU45NDNYVmFuMzgyZHhBeTg4dS9FdlB2aXdKQ2pYL3RUVkNMeC9YSVZLcThLWkk1SkhiRnhtR2JiM3lZSTBncjJ1OTdqRkg3Nk5zS3JBR1E5M1NnU2Q0SmNpNlZkaE82ajRWd2hPd2hma0FEM1BXdC9RUmxQZnFldlF1NG5wSFRyZVBBNzBCanJKbGRDVEQ3YkU5TWUyYjUwejBHS2lvSmdtZmc5dWlWbG5xakFNR0xsU2tMS0syaUNFdHNwVFBVZmxqOHNmbCtXRldNaWx6MlpPTit5VDdpRTFNZi9nL3VHMUh0QVRuNU0yTmJYeU5DaDNKN2pQUXpLY0J2TkdxZTRwRklGRllzUzJWNUJBclhuRklKYTI1WWM2d1hScERqUGdPazhxR1MrR210cm13VUdpLzlySTRIK2kwempGUXR6UDZyMU1sWUd1S1FxTFBoZkMvTExKVWszSWxldzVHSHRJR3ZYMGlZWThOTXZ5TjFPOXBqWlROK1RpKzNNd09FWHZjc0hYQzJxSm9TQlR3ZjdFQ1lKd3gvY1JTTTh1VTYzOXg3MUxuNGRvOUhXQXBiN3ZhTndHMzc1dVVLUFIxQVpEck94UVRyRjVhWFpGMzhmM0pLOWsxRDVKdEVIdU1MV2crWnZoODFYL21wZ3FZWDRQZ2ZFcXhZRTNaZUQrWmdGMGNsQTRtZ1drdm1ENkVWV29EOWl3NUJHcVJxbTBRd1o1aGVYbHZJMmZhaG1BWEpBQ2NIOTBrbktVcWxySmdONDFXZTlrdVNDVThNczFvQnkxdzllakFZS0pveUswNzJkd0ovMHhpL0Y5OUpFYmsyTXVHdkxqSXJDNFlJQmk3MERCOTBXZ1Q2VjUzU0hpOXZ4d21QSjlkUGdRamxPZlJmUHJOOEdtbEVOdjhuWitVbjYwbkkxQmxEMTRRcHg5T1Z6MWprRXc0MEx5VGMweEZLdFUyZ21LNGlXVm15d21jS3lkU25vZFFNejJTMWRaZ1F0Uk9WMlEyMFdNWHlPRUJoNXUvM2REUUNsU0NQY2ROcUNzaUlFMDBCZExab24rTTNpWjZTRk5SaUlZVSt6TkJ3S3JZTkdjbmJBWVVsODFic0g0V0FHKzBWLzRrOVNnUXdEemtLaTJrQzBPYlBWY29ZZ285VFVXeEwrK0Y0MDFhUUwyY295YUJCVDlBM3lTcW5pcGpPYVB3WXVIRXRPc0gxRUNrWGl2d1NXZDlsVVExUXdYdmdTZFk0SXlka2hoUVVJZGFjZ05vVzRYSkw1SzBXV0NaNHRQK3lmRFdXUzNDaGpuTWZMV0ZzVnFEaWxmTTBMMTBEOUNBRkt5cFFUZW9QeTlJWnhTODQveEZnZHREY0d1QWhNdWdkcDFwcU1BTkRQdVIwTTcvclA5UzRtaXRlb0JkTXBLMHJqYy94RzhXaDk5SEdHT01WWWl1b2ZlV3Z6NDlVTWloRnVQNnpsNUc2c2RQYTl5bHkzKzNhK1laeE9wbXRDTTJ2V3VNZ2lsWWdTWkJ5UlVoWnRlM0tzVjNuNmMwSXVMUFJreFFNdmN3byswNHgrSVlIbzVENGdaNHM1cWJNUy9LbU9MSWNwUklaQT09&vs=1024:576&ds=1920:1080&sl=0:0&os=f&nos=f&swfV=0.0.0&if=f&sc=f&gpu=Google%20Inc.%20(Intel)%20-%20ANGLE%20(Intel,%20Intel(R)%20HD%20Graphics%20Direct3D11%20vs_5_0%20ps_5_0)&anura_res=","FANMAN-PC (192.168.0.101, 2237)",0redird.com (103.224.212.246),"TCP, www-http" Network traffic from http://0redird.com/jr.php?gz=1OEmizLy7QYVD%2F%2B2wVJzO349fnNvVUhsTGdjbWhyaGllTWp3YzVnNkNISUJUcy90a3J0dk1WOVcvWFp1akhIZk9IV1gzSUhCUVlqelYzZGNPbEx3eUVIdGllWjlybTVQaGpMRWFLaEVZMSt4RURuLzFtQUI0WXowUU83d0VZM2JybmZ5WFZaaXVKTFJlM0tBeHg3R2Z6RTRHeXlybG1lYmFjSFBGSFZlY2FJNVBOREhZUEJDZWU3OFhyaDFiNEZwSU5Da0x6YndWaWNtc1RCVHZUWHBVMjREQ1RoVU1VRlFuUUduNmdwYW5LYWFTYjFaNVFWcnhmSGdWL1RTY3Nvc3k4TEpCaGdzeFlmeCsrS0FIb0pqazNrZFppUXRKZEg0MlFrNkUwSlRGRXJQaXNBRVFrdUhETENVMU45NDNYVmFuMzgyZHhBeTg4dS9FdlB2aXdKQ2pYL3RUVkNMeC9YSVZLcThLWkk1SkhiRnhtR2JiM3lZSTBncjJ1OTdqRkg3Nk5zS3JBR1E5M1NnU2Q0SmNpNlZkaE82ajRWd2hPd2hma0FEM1BXdC9RUmxQZnFldlF1NG5wSFRyZVBBNzBCanJKbGRDVEQ3YkU5TWUyYjUwejBHS2lvSmdtZmc5dWlWbG5xakFNR0xsU2tMS0syaUNFdHNwVFBVZmxqOHNmbCtXRldNaWx6MlpPTit5VDdpRTFNZi9nL3VHMUh0QVRuNU0yTmJYeU5DaDNKN2pQUXpLY0J2TkdxZTRwRklGRllzUzJWNUJBclhuRklKYTI1WWM2d1hScERqUGdPazhxR1MrR210cm13VUdpLzlySTRIK2kwempGUXR6UDZyMU1sWUd1S1FxTFBoZkMvTExKVWszSWxldzVHSHRJR3ZYMGlZWThOTXZ5TjFPOXBqWlROK1RpKzNNd09FWHZjc0hYQzJxSm9TQlR3ZjdFQ1lKd3gvY1JTTTh1VTYzOXg3MUxuNGRvOUhXQXBiN3ZhTndHMzc1dVVLUFIxQVpEck94UVRyRjVhWFpGMzhmM0pLOWsxRDVKdEVIdU1MV2crWnZoODFYL21wZ3FZWDRQZ2ZFcXhZRTNaZUQrWmdGMGNsQTRtZ1drdm1ENkVWV29EOWl3NUJHcVJxbTBRd1o1aGVYbHZJMmZhaG1BWEpBQ2NIOTBrbktVcWxySmdONDFXZTlrdVNDVThNczFvQnkxdzllakFZS0pveUswNzJkd0ovMHhpL0Y5OUpFYmsyTXVHdkxqSXJDNFlJQmk3MERCOTBXZ1Q2VjUzU0hpOXZ4d21QSjlkUGdRamxPZlJmUHJOOEdtbEVOdjhuWitVbjYwbkkxQmxEMTRRcHg5T1Z6MWprRXc0MEx5VGMweEZLdFUyZ21LNGlXVm15d21jS3lkU25vZFFNejJTMWRaZ1F0Uk9WMlEyMFdNWHlPRUJoNXUvM2REUUNsU0NQY2ROcUNzaUlFMDBCZExab24rTTNpWjZTRk5SaUlZVSt6TkJ3S3JZTkdjbmJBWVVsODFic0g0V0FHKzBWLzRrOVNnUXdEemtLaTJrQzBPYlBWY29ZZ285VFVXeEwrK0Y0MDFhUUwyY295YUJCVDlBM3lTcW5pcGpPYVB3WXVIRXRPc0gxRUNrWGl2d1NXZDlsVVExUXdYdmdTZFk0SXlka2hoUVVJZGFjZ05vVzRYSkw1SzBXV0NaNHRQK3lmRFdXUzNDaGpuTWZMV0ZzVnFEaWxmTTBMMTBEOUNBRkt5cFFUZW9QeTlJWnhTODQveEZnZHREY0d1QWhNdWdkcDFwcU1BTkRQdVIwTTcvclA5UzRtaXRlb0JkTXBLMHJqYy94RzhXaDk5SEdHT01WWWl1b2ZlV3Z6NDlVTWloRnVQNnpsNUc2c2RQYTl5bHkzKzNhK1laeE9wbXRDTTJ2V3VNZ2lsWWdTWkJ5UlVoWnRlM0tzVjNuNmMwSXVMUFJreFFNdmN3byswNHgrSVlIbzVENGdaNHM1cWJNUy9LbU9MSWNwUklaQT09&vs=1024:576&ds=1920:1080&sl=0:0&os=f&nos=f&swfV=0.0.0&if=f&sc=f&gpu=Google%20Inc.%20(Intel)%20-%20ANGLE%20(Intel,%20Intel(R)%20HD%20Graphics%20Direct3D11%20vs_5_0%20ps_5_0)&anura_res= matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me. Any help will be appreciated, I can't find any info about this exploit inmy web searches.
Kaikki vastaukset (15)
That looks like some kind of tracking request with your system information in it. It might be generated by either (A) a page you visited or (B) an add-on.
Let's start with add-ons. You can view, disable, and often remove unwanted or unknown extensions on the Add-ons page. Either:
- Ctrl+Shift+a (Mac: Command+Shift+a)
- "3-bar" menu button (or Tools menu) > Add-ons
- type or paste about:addons in the address bar and press Enter/Return
In the left column of the Add-ons page, click Extensions. On the right side, find the "Manage Your Extensions" heading.
If there is at least one extension before the next heading -- "Recommended Extensions" -- please continue:
Then cast a critical eye over the list below that heading. Any extensions Firefox installs for built-in features are hidden from this page, so everything listed here is your choice (and your responsibility) to manage. Anything suspicious or that you just do not remember installing or why? If in doubt, disable (or remove). For your privacy and security, don't let mystery programs linger here.
Any improvement?
If the Extensions panel is blank or inaccessible:
Restart Firefox in its Troubleshoot Mode to temporarily deactivates all extensions to prevent interference.
You can restart Firefox in Safe/Troubleshoot Mode using either:
- "3-bar" menu button > Help > Troubleshoot Mode... (before Fx88: Restart with Add-ons Disabled)
- (menu bar) Help menu > Troubleshoot Mode... (before Fx88: Restart with Add-ons Disabled)
and OK the restart. A small dialog should appear. Click the Open button (before Fx88: "Start in Safe Mode" button).
Note: Don't use the Refresh without first reviewing this article to understand what will be deleted: Refresh Firefox - reset add-ons and settings.
Any improvement?
Thank you for your reply! There were 3 entries for extensions: Enabled ones were Firefox Lightbeam and Video DownloadHelper. I just removed Lightbeam since it appears it has not been supported in years and I had forgotten it was there. I do use the Downloadhelper so I left it. Disabled is Mozilla Archive Format. I installed it as an alternate to Downloadhelper but disabled it long ago.
Thanks for the link to the article about resetting Firefox, I was planning to look into a refresh but was concerned about what I might lose. I'll read that after posting this.
I am thinking you may be right about it being related to a page or pages I visited from links in some emails. II will have to try to keep a closer eye on the corner where the alerts pop up and try to figure out what emails may have links that might be causing this. Can I just block this traffic if that is the case using my hosts file or some other tool/method? I am using Win7 if it makes a difference. I tried to retrace my activities this morning that caused the alert but may have deleted the email with the link. I'm sure there will be more if that is the cause, this has been an intermittent issue for quite a while.
Thanks again for your efforts.
There's probably a way to block the connections. I don't use any add-ons like that myself.
I typically start up Outlook first when I boot my system in the mornings, but today I started Firefox first after logging in. I immediately got the Norton alert. This would seem to imply that whatever is happening is related to the browser startup activities (or some sort of related infection) and not any links from emails or searches as I had suspected.
Firefox opened the normal home page which has the pinned "shortcuts" for websites I visit and the "Pocket" news articles. I have no idea if Firefox pings the pinned sites at startup or what might be happening. I just turned off the "Recommended by Pocket" and the "Shortcuts" by using the gear icon in the upper right of the page. I will have to see if this solves the issue and then turn them on one at a time to see if it comes back. Other than that I don't know what else to try. It might take a while to know if anything has changed, I have not figured out how to cause the warning to appear at will, so it will take a day or two to be sure it is not appearing. I had 4 "intrusion attempts" yesterday, and one just after Midnight that I missed so 2 so far today.
I am at a loss for how to find out what this "exploit" is trying to do or how to stop it. Any additional assistance from members would be appreciated. I will attempt to contact Norton if I can get a chat session. My hearing is poor and foreign accents make it very difficult for me to follow their speech if I call them.
I will post an update if I figure anything out in case anyone else runs into this issue.
edit: removed spaces before each section causing horizontal scroll bar.
Muokattu
Hi, please don't start new lines with any spaces, they mess up the formatting of your posts.
I previously mentioned using Troubleshoot Mode for another purpose. Could you try restarting in Troubleshoot Mode to see whether you get the identical messages from Norton:
jscher2000 - Support Volunteer said
Restart Firefox in its Troubleshoot Mode to temporarily deactivates all extensions to prevent interference. You can restart Firefox in Safe/Troubleshoot Mode using either:and OK the restart. A small dialog should appear. Click the Open button (before Fx88: "Start in Safe Mode" button). Note: Don't use the Refresh without first reviewing this article to understand what will be deleted: Refresh Firefox - reset add-ons and settings. Any improvement?
- "3-bar" menu button > Help > Troubleshoot Mode... (before Fx88: Restart with Add-ons Disabled)
- (menu bar) Help menu > Troubleshoot Mode... (before Fx88: Restart with Add-ons Disabled)
Not a refresh -- just testing with extensions deactivated. Thanks.
After closing and re-launching FireFox in normal mode with Pocket and shortcuts enable (the original configuration) I received another alert. This seems to indicate the Shortcuts or Recommended by Pocket are involved. With them still enabled I have switched to Troubleshoot Mode as you requested. I may take a while to know if it makes a difference. The alerts have been as close as 1 second apart (only one time on 9-6 but often are hours apart. I'll leave the browser open in Troubleshoot Mode(unless habit takes over and I close it without thinking about it) and see what happens today. Thanks again for your assistance and sorry if I got ahead with the pocket/shortcut test.
jscher2000- I have run my browser in troubleshoot mode and did not see any alerts in that mode. This was with shortcuts and Pocket enabled as in the original configuration. I did close the browser a few times (habit developed in part due to a tenacious problem with Firefox starting multiple instances) and did see the alerts when opening Firefox before I could get it back into troubleshoot mode. I don't know if you can somehow make troubleshoot mode persistent, that would be helpful. I'm not sure what this means.
Dropa- I can't conclude definitively that it is a Norton issue when I only get the Intrusion attempt alerts when I am running Firefox on my main machine with Pocket and shortcuts enabled and when not in troubleshoot mode. Running in Troubleshoot mode or disabling Pocket and shortcuts eliminates the alerts. It also is interesting that it frequently happens when I first launch Firefox and before I interact with it. I have not tried disabling just pocket or just shortcuts at this point. I understand Norton could be triggering on something that is not a "real threat" but I am concerned about frequent high severity intrusion attempts being reported because I can find no information at all about Exploit Toolkit Website 115. I also have not tried setting my default browser to Chrome or Edge, nor have I tried to exclusively use them to see if I get any alerts. I want to use Firefox. In the few instances where I have used the alternate browsers I have not seen the alerts. I also have a less-used win10 system with Firefox and Norton but have seen no alerts. It looks like it is something involving Firefox on this machine to me. All of this is why I am here, hoping to learn something and get rid of these alerts. Thanks for taking the time to read and reply.
fanman2 said
jscher2000- I have run my browser in troubleshoot mode and did not see any alerts in that mode. This was with shortcuts and Pocket enabled as in the original configuration. I did close the browser a few times (habit developed in part due to a tenacious problem with Firefox starting multiple instances) and did see the alerts when opening Firefox before I could get it back into troubleshoot mode. I don't know if you can somehow make troubleshoot mode persistent, that would be helpful. I'm not sure what this means.
It usually means that one of your add-ons is the culprit. Try disabling any that you can live without for four hours and see how that works out (click its slider switch on the Add-ons page).
Do you see more extensions when you start Firefox in Troubleshoot Mode and possibly on the "Help -> More Troubleshooting Information" (about:support) page in case some are hidden for some reason?
jscher2000- I disabled the VideoDownloadHelper which was the only add-on that was enable. All the others were disabled and have been removed. I am still getting alerts.
cor-el- I did find that list under More Troubleshooting Information earlier and was going to ask about them. Here is the list, I do not know how to disable these add-ons: Add-ons Search Detection extension 2.0.0 true addons-search-detection@mozilla.com Amazon.com extension 1.3 true amazondotcom@search.mozilla.org Bing extension 1.3 true bing@search.mozilla.org DuckDuckGo extension 1.1 true ddg@search.mozilla.org eBay extension 1.3 true ebay@search.mozilla.org Google extension 1.2 true google@search.mozilla.org Wikipedia (en) extension 1.1 true wikipedia@search.mozilla.org Video DownloadHelper extension 7.6.0 false {b9db16a4-6edc-47ec-a1f4-b86292ed211d} I'm not sure how some of these got on there, I never intended for DuckDuckGo to be integrated into Firefox for example, only a shortcut to it. I'm curious why these exist and what value they provide? I wouldn't have thought visiting or bookmarking a site would cause add-ons to be installed. This system has a long history. and I may have accepted changes in the past but I do not recall doing so. I am usually careful about allowing changes that I don't fully understand (ie: most of them!). I don't understand why I would need them. I did not find any difference in the list when in troubleshoot mode so no hidden add-ons.
Muokattu
Extension that have an ID that ends with "@search.mozilla.org" are built-in search engines and can't be removed, so don't worry.
I revisited the posts here and nothing seemed to give me a solid fix. I then double-checked the entry in my hosts file and just for grins copied and pasted the URL in place of the one I had typed. I'm not sure if I mistyped something or why the behavior changed but after a couple of reboots (not the first one) for quite some time I did not receive the warnings. So apparently the hosts entry is working now, blocking the 0redird.com site.
Today, 10-10-22 I had typed in napaauto and then hit CTRL-enter to complete the URL and was unable to reach the site. I realized that I had typed the wrong info, napaonIine was what I should have entered. I received a message: Unable to connect
Firefox can’t establish a connection to the server at 0redird.com. The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer’s network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
So typing in that incorrect URL makes it attempt to go to 0redird.com, and I would expect it to fail as the hosts file would prevent it. It also failed using Chrome and Edge (now that the hosts emtry seems to be working), so my initial results that seemed to indicate the problem was with Firefox may be incorrect. 0redird.com apparently redirects to www.trellian.com from what I can find on the web. Most indications are that it is safe, but Norton was of course warning about the Exploit Toolkit Website 115.
I made up a bogus URL and it did not redirect to 0redird.com so maybe only some bad URLs redirect. I have no idea what causes Firefox to seemingly redirect to that URL periodically or why. I am at a loss for where to look, but it appears this may not be just a Firefox issue. I have the hosts "fix" that seems to be stopping the alerts but there is still some sort of underlying issue. I am seeing more info on 0redird.com in searches but still nothing that gives me any direction. Thanks for the efforts to help.
What DNS service do you use? Some DNS services will redirect browsers asking for a nonexistent domain to a page of pay-per-click links.