Comments (10)
unsubd [S] 2 points ago +2 / -0

u/Doggos

Edit: Thanks for working with me on this brother. Just taking precautions and ensuring the security of our home. You've been nothing but professional during our conversation.

deleted 2 points ago +2 / -0
deleted 2 points ago +2 / -0
unsubd [S] 2 points ago +2 / -0

Yeah, I don't believe the file is there, but a crawler did find that subdomain at one point. I don't think anyone with FTP access on the mod team put it there. I just found it odd the timeline matched with the Sophos block. Thank you for the quick reply my man. Go ahead and hide and/or delete this thread. I made it public hoping the reports would reach you.

Doggos [M] 3 points ago +3 / -0

I think it's all false. I can't see any HTTP requests on there which confirm there was ever malware present. Just them checking URLs of where malware could be, and seeing it's not there...

The only person with any server access is me (and that's always been the case). We also run our webservers in containers, which are destroyed and created often from a very basic Docker image.

I think our SSO flow is triggering a lot of antiviruses, because it generates multiple random strings.

I will leave the thread up. If anyone wants to look into this further and prove me wrong, then that is welcome.

unsubd [S] 2 points ago +2 / -0

That's great to hear you go to such lengths to make sure everything is secure. Thank you for not jumping the gun and straight up bashing me for stumbling across something that made me question the timeline. Never doubted your skills nor intention. Thanks again. I'm off to bed, driving the mom to dialysis in 4 hours. Have a great night fam. <3

unsubd [S] 2 points ago +2 / -0

Oh, I just thought of something. If you have another site or a non-public (on another domain) version of the site for testing updates, check to see if AlienVault is checking possible locations of uploaded infected files. It may give the ultimate answer as to whether it is all random or not. I don't have any projects up at the moment or I would check myself. Anyways, good night once again.

deleted 1 point ago +1 / -0
Doggos [M] 2 points ago +3 / -1

Additionally, for this supposed piece of malware: https://otx.alienvault.com/indicator/file/c5dbcb74a20b2734fb121941c28d946cabbfb398d497f0cdf5de0bc46cdfc5a5

Check the response code. It's 503 ("HTTP/1.1 503 Service Temporarily Unavailable"). I don't see how they ever concluded it was there, if the server clearly said it wasn't.
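A way to triage an OTX-style file indicator the way Doggos describes, as an added example that is not code from the thread, from AlienVault, or from the site's operators: parse a captured HTTP response and decide whether it actually evidences the file being served (a 503 or 404 proves nothing; only a 200 whose body hashes to the indicator's SHA-256 confirms it). The sample responses are constructed, and `triage_response`, `parse_http_response` and `Verdict` are assumed names.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Indicator hash quoted in the thread (the OTX file indicator URL above).
INDICATOR_SHA256 = "c5dbcb74a20b2734fb121941c28d946cabbfb398d497f0cdf5de0bc46cdfc5a5"


@dataclass
class Verdict:
    status: int
    body_sha256: Optional[str]
    confirmed: bool
    reason: str


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ")[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def triage_response(raw: bytes, expected_sha256: str = INDICATOR_SHA256) -> Verdict:
    """Decide whether a captured response is evidence that the indicator file was served."""
    status, _headers, body = parse_http_response(raw)
    if status != 200:
        # Error responses (503, 404, ...) say the file was NOT served; no body to hash.
        return Verdict(status, None, False, f"server answered {status}; file not served")
    digest = hashlib.sha256(body).hexdigest()
    if digest == expected_sha256.lower():
        return Verdict(status, digest, True, "body hash matches the indicator")
    # A 200 with a different hash is usually a soft-404 or landing page, not the file.
    return Verdict(status, digest, False, "200 but body hash does not match the indicator")


# Constructed sample responses (not captures from the site discussed in the thread).
RESPONSE_503 = (b"HTTP/1.1 503 Service Temporarily Unavailable\r\n"
                b"Content-Type: text/html\r\n\r\n<html>unavailable</html>")
RESPONSE_200_OTHER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<html>Welcome</html>")

if __name__ == "__main__":
    for raw in (RESPONSE_503, RESPONSE_200_OTHER):
        print(triage_response(raw))
```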

Don-O-Mite 1 point ago +1 / -0

This all looks like a perfectly normal conversation to me.