

I wonder if they were infected with something that was exploiting that CVE?
Edit: Here is another tinfoil theory: the windows security subsystems special cases inetpub to allow all executables. If the path doesn’t exist, attackers can drop binaries in there to bypass security/codesigning etc. By creating it as SYSTEM, MS is ensuring that it can’t be written to without SYSTEM privs?
One way or another, the server that hosts a resource can track who is requesting what. You as the server owner can just as easily track who is accessing what, but if you avoid using a CDN, then it limits the tracker to just yourself. The cost is that you’ll have increased traffic, and there is always the suspicion that you may have tampered with the
lightbox.js
file to do something malicious.On the self include side, the instructions you linked seem pretty straightforward, so it should be possible to use it that way. What is issue your facing?