
Message: web attack: malicious toolkit iframe injection 3

Hi,

I keep receiving an alert message every few minutes about a "web attack: malicious toolkit iframe injection 3", coming from 74.220.207.71, origin broadintel.com

I have difficulty understanding the detailed message. Here is its translation in English (I have a French NIS install): the network traffic incoming from 74.220.207.71 has a known attack signature. The attack is originated by \DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\NORTON ONLINE\ENGINE\2.1.0.23\CCSVCHST.EXE (followed by instructions on how to disable receiving the same messages again).

If I understand correctly, the attack should originate from accessing a malicious or compromised web site that redirects to a page where the attacker tries to inject trojans onto the PC.

Now, to my knowledge, no applications on the PC were visiting such a page, and it looks like the application accessing the page was NIS itself, while I would expect something else to appear here (i.e. Firefox, if the web browser was the guilty app).

Any help from the community?

Thanks,

g.

[edit: Please do not direct link to dangerous websites per the Participation Guidelines and Terms of Service.]

Replies


Re: Message: web attack: malicious toolkit iframe injection 3

I found the origin of the message: it is the MediaCoder application.

When launched, the application (the CUDA transcoder version) checks online for the license of the transcoder, and most probably the web site is compromised.

In fact, accessing broadinte.com from a web browser is enough to get the same message from NIS.

Two observations:

- if you ask Norton Safe Web about the site, you get the message that the site is safe with no risks at all

- the NIS error message says the attack is coming from the NIS proxy (?), without reporting the real application trying to access the incriminated web site

g.

[edit: Please do not direct link to dangerous websites per the Participation Guidelines and Terms of Service.]
