
Thread: Postimage - A security risk?

#1 Uncle Fester (Senior Member, joined Jan 2008)

Postimage - A security risk?

I mentioned in some posts in General Chat that postimages are being blocked for me. I am using a MacBook Pro.
Initially I thought the 'offending' blocker was a malware detector from NordVPN called CyberSec, because after I disabled it I could
see a postimage LINK that Enf kindly provided me.

It turns out, however, that I still cannot see embedded postimages in the forum, even if I fully shut down NordVPN.
On top of that I cannot see the embedded images on my phone (has NordVPN) or another Linux laptop (with and without PIA VPN enabled).
There is just empty space.
I have a lot of security and tracking blockers in place everywhere, built into browsers, hosts file, etc... too much to go through all this.

Too bad, I thought, I will just live with that, but this morning when I wanted to log in I was getting these pop-up banner 'warnings' ON MY LOGIN PAGE labelled by postimg.cc.

For safety reasons I took the 'screenshot' with my phone:

[screenshot not preserved]

I had already enabled CyberSec again and closed the postimg page, but too late: this malware had sneaked past.

My login page is only allowed to show system warnings. I have never seen spam pop-ups from websites on my login page.
I don't even get pop-up banners on my browser pages; how the heck did they manage that?
Somehow postimg has managed to create a script to override this.
If it is capable of doing that, it could be capable of reading the keystrokes of my login.

These 'notifications' wouldn't go away. So instead of logging in, I held down the power button for 10 seconds and after that did an SMC reset.
The pop-up did not occur anymore, so hopefully the script is not resident.

    At least I now have confirmation that CyberSec is doing something right.
    I am an arrogant, irritating RSole.

#2 wotnot (Premium Member, joined Nov 2019)

Just had a peek-a-boo out of interest (although the image you speak of displayed fine here)... I don't think it's postimages.org directly... seems to me someone is spoofing their alias of postimg.cc (or the hosting site they use has lost control).

At one stage, postimg.cc ended up redirecting me to a porn site... but I had to work at it (disable uBlock a couple of times on landing/redirect pages, and stop Pi-hole from intercepting)... but eventually I got to a website with porn images of middle-aged Russian women... naked... so it was more like a horror show than porn, but you get the idea. According to records, postimage uses for site hosting (in Iceland), and there's something about that site that makes the spidey senses tingle a bit... dunno, maybe too many big discounts make me nervous.

If you search about a bit, you will find reports of postimages.org being a porn site, so it's not a new thing.

Just to confound things, while I was checking out postimg.cc everything seemed to start working as it should again, with the alias landing back at the postimages.org main page like it should... strange, but obviously someone's futzing with things.

Either way, looks like man-in-the-middle stuff, not postimages themselves... so I turn Pi-hole & uBlock back on, and continue... like I say, wasn't a problem here anyway, but I do get curious when things work for me and not for others =)


#3 Uncle Fester (Senior Member)

    Looks like MTV or somebody here did some magic.

    The piccies are suddenly all back.
    I can even see the jokes now.

Thanks.
Last edited by Uncle Fester; 09-08-21 at 12:17 AM.

#4 Uncle Fester (Senior Member)

...and gone again, spooky.
Only the images that were cached by my browser last night are still there.

#5 wotnot (Premium Member)

Yeah, like I say, when I was checking it out, things were changing and flapping about... could be we're looking at an active compromise, i.e. still in progress... always the case when something's obviously screwed up, but nobody's coming out to say "we have been hacked" =)


#6 mtv (Administrator, joined Apr 2008)

Quote originally posted by Uncle Fester:
    Looks like MTV or somebody here did some magic.

Not me. (And noted the issue has returned.)

    I'm not aware of any admin changes affecting this.

    Nobody else has reported any issues.

#7 wotnot (Premium Member)

    The original image link Enf posted (coronavirus thread post #2215), links back to --however-- the actual image is at

#8 wotnot (Premium Member)

@fester -- it'd be up to you to discover just where the block/filter is being applied, but that's what's going on for you; postimg.cc (and others) are appearing (on and off) as possibly malicious sites, and the block gets applied to the IP address pools held by namecheap.com.

Best I can figure it from behind the AU firewall (NBN =), it seems namecheap.com are one of the go-to sites to host malicious content/websites ~ anyone can do this for themselves, but what I did was have a quick rifle through the 'Junk Email' folder in my Hotmail account, note the domain name used for the return reply (to scam you) on several emails, and found more than 50% were domain names/registrations held by namecheap.com; there are some 'interesting' comments/reviews out there about namecheap.com on Reddit and the like... not very positive ones either, of course...

I was picking holes in many of my own hypotheses as to whether namecheap.com was complicit, or else that someone else, not them or their (legitimate) clients, has somehow figured out an exploit to hijack web email services as provided by the $9.99 namecheap domain hosting cost. I'll just stress that what I'm about to type leads to a website which most certainly is dodgy as buggery, and while I feel safe & secure in a private FF window running on top of Linux... YMMV if that's not the case, so I'll type it, not cite it --> jotfilm dot com -- the reason I went there was because the Hotmail spam 'click here' link led back to that site; however, the email itself seems to have been sent from another email account, linked to another domain name (wifbught dot com.. which is a blank page), but its domain registration looks legit in whois; however its 'apparently real' domain/website is officewireconnection dot com, which again looks even dodgier than the first website I mentioned here by an order of 10 =)

Pulling on the only obvious thread dangling in the breeze... i.e. name/address of the jotfilm registrant withheld for privacy reasons, but these are disclosed for officewireconnection, and that leads us to Las Vegas... or does it? Google to the rescue, 4952 S Rainbow Blvd Ste 150 #1004 Las Vegas, NV... clickity click... hmmm... go for street view... hmm, nada, I don't see any business named 'office wire connections'... nah... sat view again... ahh! What's the odds here... the junk email I'm talking about is a bitcoin-based scam, so...

[screenshot not preserved]

Seem a little bitcoin coincidental? Or the address given is bogus... in any event, what do all these different domain names have in common? All registered @ namecheap.com.

At a guess, there's good money in selling ten-dollar-a-pop domain/website hosting, letting users do whatever they want, letting their activities be detected by other sources to the point of you, the hosting company, getting a takedown notice, which you comply with, and now you've got an IP and some namespace back, and that 'malicious' customer only ended up using 3 days of their $9.99/month purchase, so win-win, right? Or, I figure my spidey sense was right to begin with, and somehow they've lost control... from the inside out =)

Crazy stuff, huh... my best guess would be your VPN provider, but if not them, something local to your firewall/filter(s); likely in both cases, the IP block/range postimg.cc is assigned to appears on someone else's blacklist, which these providers/software source live/get updated frequently.. often it's better to pay for/source blacklists and not do it yourself in-house - it's a nightmare. So is finding out which blacklist compiler/provider has managed to... {ahem}... finally get so sick and tired of seeing IPs out of namecheap get branded malicious, then namecheap do something so that IP is good again so it has to come off the blacklist, and then another IP from namecheap pops up as malicious again, wash/rinse/repeat more than 20 times, and finally admin goes "Right, that's it, that entire IP range is going on the list permanently, until I stop seeing warnings about bad sites popping up there"... and, right, your VPN provider probably won't know either, because they usually source blacklist feeds from a number of (trusted) providers. Same thing applies with local software in this regard - it usually sources multiple blacklist feeds.
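A defender-side illustration of the situation described above, added here as an example and not code from this thread or from any vendor named in it: several blocklist feeds (constructed, using documentation address ranges, not real blocklist data) are merged, and a lookup reports which feed's entry covers a given address, so that a user can see whether a single host or a whole hosting range is what got listed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample feeds (hypothetical names and RFC 5737 documentation
# ranges, NOT real blocklist data). Each feed is a list of entries exactly
# as a feed file would carry them: single IPs, CIDR blocks, comments.
FEEDS: Dict[str, List[str]] = {
    "feed-a": ["# aggregated feed", "198.51.100.23", "203.0.113.0/24"],
    "feed-b": ["203.0.113.0/25"],
    "feed-c": ["192.0.2.0/24", "not-an-address"],
}


def parse_feed(entries: List[str]) -> List[ipaddress._BaseNetwork]:
    """Turn raw feed lines into networks; single IPs become /32 (or /128)."""
    nets = []
    for line in entries:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False tolerates host bits set in a CIDR entry
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip a malformed line instead of dropping the whole feed
    return nets


def merged_blocklist(feeds: Dict[str, List[str]]) -> Dict[ipaddress._BaseNetwork, List[str]]:
    """Merge feeds into one map: network -> names of the feeds that list it."""
    merged: Dict[ipaddress._BaseNetwork, List[str]] = {}
    for name, entries in feeds.items():
        for net in parse_feed(entries):
            merged.setdefault(net, []).append(name)
    return merged


def explain_block(addr: str, feeds: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (network, feed) pairs whose entry covers addr, sorted for stable output.

    An empty list means no feed would block this address; a /24 hit next to
    a /32 miss is the 'whole range got listed' case from the thread.
    """
    ip = ipaddress.ip_address(addr)
    hits = []
    for net, names in merged_blocklist(feeds).items():
        if ip.version == net.version and ip in net:
            hits.extend((str(net), name) for name in names)
    return sorted(hits)
```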


#9 Bigfella237 (Senior Member, joined Apr 2012)

    I've been using Postimage to host my online pics for years.

    When I first joined all the images were hosted at "postimage.org", but then somebody reported that domain as dodgy/dangerous/malicious/whatever, even though it was likely just a single user that uploaded something dodgy, but the rest of the user base paid the price and all embedded images got blacklisted.

    So instead of trying to get the ban lifted, Postimage just registered another domain name, "postimage.cc", and transferred all hosted content over to the new domain. Unfortunately that meant that every single embedded image in any forum anywhere now had the wrong URL (ending in .org), so all embedded images got broken. Some forums I'm a member of wrote a script to automatically convert the URL from .org to .cc and the pictures reappeared (I can't remember if Austech was one of them).

    I can only echo the sentiments above, I really doubt that the problem lies with Postimage themselves, and I REALLY hope history hasn't repeated because it was a huge PITA last time.

    Andrew

    P.S. I'll embed an image hosted by Postimage below if it helps your testing...

    Last edited by Bigfella237; 27-08-21 at 03:31 PM.


#10 wotnot (Premium Member)

Quote originally posted by Bigfella237:
    I've been using Postimage to host my online pics for years.

    When I first joined all the images were hosted at "postimage.org", but then somebody reported that domain as dodgy/dangerous/malicious/whatever, even though it was likely just a single user that uploaded something dodgy, but the rest of the user base paid the price and all embedded images got blacklisted.

    So instead of trying to get the ban lifted, Postimage just registered another domain name, "postimage.cc", and transferred all hosted content over to the new domain. Unfortunately that meant that every single embedded image in any forum anywhere now had the wrong URL (ending in .org), so all embedded images got broken. Some forums I'm a member of wrote a script to automatically convert the URL from .org to .cc and the pictures reappeared (I can't remember if Austech was one of them).

    I can only echo the sentiments above, I really doubt that the problem lies with Postimage themselves, and I REALLY hope history hasn't repeated because it was a huge PITA last time.

    Andrew

    P.S. I'll embed an image hosted by Postimage below if it helps your testing...

That image links to -->

The domain name postimage dot cc is one of the dodgy sites; it triggers uBlock alerts instantly, and bypassing things lands you here:

[screenshot not preserved]

When I was looking through the blocklist, one name kept popping up, BODIS, so I thought let's see who they are...

lol!... do you believe this stuff?... I never knew/thought about a company specializing in domain name monetization... good grief... anyhow, postimage.org/postimages.org land at the legitimate website (postimg.cc also redirects to there), and the images they receive are sent to their datacenter and served to the world with the alias xxx.postimg.cc -- and they've gone to using a tertiary DNS server for that namespace, and any time I see that I raise one eyebrow and wonder if they've been subject to DoS attacks, but TBH I haven't sat there and watched to see if their servers rotated IP or not... which I suppose in itself would classify as suspicious behavior to some systems.


#11 Uncle Fester (Senior Member)

    Didn't know that I would open such a can of worms with this.

I know where it is being blocked, but I do not want to disable these security features because last time I did, my Mac got so hammered with postimg spam, even on the login page where I have to type in my password, so postimg is an absolute 'no go' from my side.


#12 wotnot (Premium Member)

Quote originally posted by Uncle Fester:
    Didn't know that I would open such a can of worms with this.

    I know where it is being blocked, but I do not want to disable these security features because last time I did, my Mac got so hammered with postimg spam, even on the login page where I have to type in my password, so postimg is an absolute 'no go' from my side.

Oh for sure, whatever that's doing what it is, is probably doing you a favor -- with Linux, one tends to get more than a little complacent and rather ambivalent about any malicious software getting in, but with proprietary OSes users need to be careful.

    Different can, same sort of worms
