Defensetalk Malicious Picture?

Beatmaster

New Member
Hello Guys.

I was browsing to Defensetalk.com main page and suddenly my NIS 2013 (Norton Internet Security 2013) Start alarming me that on Defensetalk.com there would be a malicious picture.
And it refuses to open up the page as the webattack got blocked.
Browsing to the forum works wonder, but going directly to Defensetalk.com does not work for me.

Here is a screenshot.
Link

Just letting you guys know.
Cheers
 

Beatmaster

New Member
  • Thread Starter Thread Starter
  • #4
What does that message attack have, error?

The screenshot shows
https://img.defencetalk.com/wp-content/themes/dtstyles/images/downh.png

That file and the path do not exist on the server.

Hello Webmaster,

If you take a look at the NIS 2013 alert then you will see the direct adress of that picture and it mentions specific the adress and ip + port.
cdnpullz.defencetalk.com (108.161.189.192, 80)
It was DEFFO not an error, as the path and file are correct BUT.
In this case the picture named: downh.png has probably be renamed or changed or deleted, given the fact it took 3 days for you to see this forum post and reply to it so thats a good reason to assume that the above scenario is probably right.
Anyway given the details in the log (And the 20+ other logs i have about the same problem) See here


It seems that one of the displayed ads or promotion pictures or external news displayed on this domain was dirty. (Either webside side or server side)
Another explaination would be that someone was trying to code inject something into one of the pictures.

Anyway for your reference i did check what kind of "malware" was being detected.
Link
Now i assume that you as webmaster can see which files are changed or removed or perhaps one of the other webmasters/admins (If any).

Obviously the malware seems to be gone so thats good, but let me say this: Its not uncommon that well known webpages are being used to spread malware, and often the owner does not even know, thanks to all the vulnerabilities within scripting, java, flash and other online webpage related codes. And pictures are well known to be exellent ways of penetrating client side computers because of those very same vulnerabilities.
On top of that most people do not have a updated/secured pc with good browser setup.

But end good all good right? anyway ill keep the logs stored just in case you want a copy of them so you can check them in detail.
Cheers and thank you for checking.
 

webmaster

Troll Hunter
Staff member
cdnpullz.defencetalk.com (108.161.189.192, 80) url is of a CDN network that we use and files are often cached. I've cleared the cache so any deleted files on the server are not accessible through the CDN.

We have deployed number of mechanisms to scan the website/server regularly externally and internally and have not detected anything.

If you see any other errors or alerts, be sure to post here or faster response, defencetalk at gmail dotcom

thanks!
 

Beatmaster

New Member
  • Thread Starter Thread Starter
  • #6
cdnpullz.defencetalk.com (108.161.189.192, 80) url is of a CDN network that we use and files are often cached. I've cleared the cache so any deleted files on the server are not accessible through the CDN.

We have deployed number of mechanisms to scan the website/server regularly externally and internally and have not detected anything.

If you see any other errors or alerts, be sure to post here or faster response, defencetalk at gmail dotcom

thanks!
All seems clean as a wissle.
Cheers
 
Top