holpo
October 9, 2014, 2:52pm
1
Yes avast! user you cannot go without the avast! shields.
avast! detects JS:Includer-BCL[Trj] here: Trojans detected:
Object: htxp://tidaholmsgf.se/
SHA1: 0dcb9e897e7f74cf0f3094d9e8efe38183fb845b
Name: TrojWare.JS.Redirector.AON
ISSUE DETECTED DEFINITION INFECTED URL
Website Malware mwjs-iframe-injected530?v19 htxp://tidaholmsgf.se
Website Malware mwjs-iframe-injected530?v19 htxp://tidaholmsgf.se/404javascript.js
See attached.
pol
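The Sucuri definition quoted above (mwjs-iframe-injected) refers to an iframe that has been injected into the page and hidden from the visitor. The following is an added example, not code from this thread or from any of the scanners mentioned: a small scanner that pulls every `<iframe>` out of an HTML page and flags the ones that are both off-site and hidden or shrunk to a pixel. The sample page and the hostnames in it are constructed for the example.

```python
"""Flag hidden, off-site <iframe> injections of the kind Sucuri labels
mwjs-iframe-injected. Added example, not code from the thread; the sample
HTML and the hostnames below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS patterns injectors use to keep the frame invisible
SUSPECT_STYLE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|"
    r"position\s*:\s*absolute[^;]*;?\s*(left|top)\s*:\s*-\d+)",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixel ('1', '1px', '0')."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def find_suspicious_iframes(html, page_host):
    """Return off-site iframes that are also hidden or one pixel in size.

    A third-party frame alone (a video embed) is normal; a third-party frame
    that the page also hides from the visitor is the injection pattern.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        # relative src means the frame stays on the page's own host
        host = urlparse(src).hostname or page_host
        reasons = []
        if host != page_host:
            reasons.append("third-party src %s" % host)
        if _tiny(frame.get("width")) or _tiny(frame.get("height")):
            reasons.append("zero/one pixel frame")
        if SUSPECT_STYLE.search(frame.get("style", "")):
            reasons.append("hidden by CSS")
        if host != page_host and len(reasons) >= 2:
            findings.append({"src": src, "reasons": reasons})
    return findings


# constructed sample: one legitimate embed, one injected frame, one local frame
SAMPLE_HTML = """<html><body>
<p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://evil.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/local.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "victim.example"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run it against the saved HTML of a page rather than a live fetch; the injected frame is often added to every template on the site, which is why Sucuri lists the same definition for each page of the domain.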
holpo
October 9, 2014, 3:29pm
2
avast! detects as JS:Clickjack-A[Trj] here: http://sitecheck.sucuri.net/results/bimbelalumniaceh.com
and missed completely here: http://zulu.zscaler.com/submission/show/eb4ae2d332ee0ac230ce360617b988e0-1412867802
Trojans detected:
Object: htxp://bimbelalumniaceh.com/index.php?id=24
SHA1: 3f6c985eb2e2e8af4b2d96d521cd8062489f78b9
Name: TrojWare.JS.Agent.caa
DOM XSS sources and sinks detected for htxp://bimbelalumniaceh.com/index.php?id=24
Number of sources found: 13
Number of sinks found: 147
Well, and therefore a SPAM:SEO clickjack infestation.
pol
holpo
October 10, 2014, 3:29pm
3
See: Trojans detected:
Object: htxp://purefiji.pl/q/filled.php
SHA1: 0b258e45ab937e53961a89c0fed04282b5fe40ca
Name: TrojWare.JS.Redirector.ft
avast! Webshield detects as HTML:RedirME-inf[Trj]
Detected:
<meta http-equiv="refresh" content="2; url=hxtp://com-xf37.net/rwjz.php?a=314759&c=wl_con&s=09 ">
ISSUE DETECTED DEFINITION VULNERABLE HEADER
Outdated Joomla Found Security Announcements Joomla under 2.5.26 or 3.3.5
Quttera gives it as clean, see for content domain: http://whois.domaintools.com/com-xf37.net
GET /tuf.php?a=314759&c=wl_con&s=09 HTTP/1.1
Host: com-xf37 dot net
GET /tuf.php?a=314759&c=wl_con&s=09 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
China
AS58879 Shanghai Anchang Network Security Technology Co.,Ltd. 118.193.162.43
HTTP/1.0 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Server: nginx
Date: Thu, 09 Oct 2014 15:55:59 GMT
Content-Length: 0
Set-Cookie: AFFID=314759; expires=Sat, 08-Nov-2014 15:48:12 GMT; path=/; domain=.com-xf37 dot net
Set-Cookie: SID=09; expires=Sat, 08-Nov-2014 15:48:12 GMT; path=/; domain=.com-xf37 dot net
Location: htxp://diet.com-xf37.net/intnmq/garcinianmq/
Connection: keep-alive
→ htxp://diet.com-xf37.net/intnmq/garcinianmq/js/close.js
syntax errors → http://jsunpack.jeek.org/?report=2b3dd78b0c9223d807345d34e501696b0fee8eb6
For security researchers, open with NoScript active and in a VM.
pol
P.S. Website is running IdeaWebServer/v0.80 with outdated Joomla and is vulnerable to JS:Redirector-ZK[Trj] malware.
D
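The hop described in the post above is a meta refresh on the compromised page, followed by a 302 on the redirector that drops affiliate cookies (AFFID, SID) and bounces to a landing page on a subdomain. The following is an added example, not code from the thread: it extracts the meta-refresh target from saved HTML, parses a raw HTTP response for its redirect and cookies, and chains the two into a trace. The page, the response and the hostnames are constructed to mirror the captured traffic, with example domains in place of the real ones; fetching is stubbed out with a dict so the trace runs offline (do the real fetch inside a VM, as the post advises).

```python
"""Trace meta refresh -> 302 -> landing page. Added example, not from the
thread; HTML, HTTP response and hostnames below are constructed."""
import re
from email.parser import Parser
from urllib.parse import urljoin, urlparse

META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*["\']?refresh["\']?\s+content\s*=\s*["\']'
    r'\s*(\d+)\s*;\s*url\s*=\s*([^"\'\s>]+)',
    re.I,
)
REDIRECT_CODES = (301, 302, 303, 307, 308)


def meta_refresh_target(html, base_url):
    """Return (delay_seconds, absolute_url) for the first meta refresh, else None."""
    m = META_REFRESH.search(html)
    if not m:
        return None
    return int(m.group(1)), urljoin(base_url, m.group(2))


def parse_http_response(raw):
    """Split a raw HTTP response into (status_code, headers, body).

    email.parser keeps repeated headers, so two Set-Cookie lines both survive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_text), body


def describe_hop(request_url, raw_response):
    """Summarise one HTTP hop: status, cookie names set, and where it sends us."""
    status, headers, _ = parse_http_response(raw_response)
    hop = {
        "url": request_url,
        "status": status,
        "cookies": [c.split("=", 1)[0].strip()
                    for c in headers.get_all("Set-Cookie", [])],
        "next": None,
        "crosses_domain": False,
    }
    if status in REDIRECT_CODES and headers.get("Location"):
        nxt = urljoin(request_url, headers["Location"])
        hop["next"] = nxt
        hop["crosses_domain"] = (urlparse(nxt).hostname
                                 != urlparse(request_url).hostname)
    return hop


def trace(page_url, page_html, responses, max_hops=10):
    """Follow the meta refresh, then HTTP redirects, using responses[url]
    as the canned reply for each URL (a stand-in for a real, sandboxed fetch)."""
    chain = []
    target = meta_refresh_target(page_html, page_url)
    if target is None:
        return chain
    delay, url = target
    chain.append({"url": page_url, "status": "meta-refresh after %ds" % delay,
                  "cookies": [], "next": url, "crosses_domain":
                  urlparse(url).hostname != urlparse(page_url).hostname})
    while url is not None and url in responses and len(chain) < max_hops:
        hop = describe_hop(url, responses[url])
        chain.append(hop)
        url = hop["next"]
    return chain


# constructed sample mirroring the captured chain, with example domains
INFECTED_PAGE = ('<html><head><meta http-equiv="refresh" '
                 'content="2; url=http://redirector.example/rwjz.php?a=314759&c=wl_con&s=09 ">'
                 '</head></html>')
BOUNCE_URL = "http://redirector.example/rwjz.php?a=314759&c=wl_con&s=09"
BOUNCE_RESPONSE = (
    "HTTP/1.0 302 Moved Temporarily\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: nginx\r\n"
    "Content-Length: 0\r\n"
    "Set-Cookie: AFFID=314759; expires=Sat, 08-Nov-2014 15:48:12 GMT; path=/; domain=.redirector.example\r\n"
    "Set-Cookie: SID=09; expires=Sat, 08-Nov-2014 15:48:12 GMT; path=/; domain=.redirector.example\r\n"
    "Location: http://diet.redirector.example/intnmq/garcinianmq/\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for hop in trace("http://victim.example/q/filled.php", INFECTED_PAGE,
                     {BOUNCE_URL: BOUNCE_RESPONSE}):
        print(hop["url"], hop["status"], hop["cookies"], "->", hop["next"])
```

The affiliate id from the meta-refresh query string (a=314759) reappears as the AFFID cookie on the redirector, which is how the traffic is credited; a trace like this makes that relationship visible without executing anything from the landing page.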
holpo
October 13, 2014, 2:40pm
4
avast! Webshield detects JS:Includer-BBV[Trj] here: https://www.virustotal.com/nl/url/78e665aa395373aadbddc8686f5f5f932a4fa394fe57513d96550822f40bc00b/analysis/1413210090/
and this is confirmed here: https://www.virustotal.com/nl/file/060d6d4f575a169f5f3984e6778626957606e0fbba145bdd612622780a712bb0/analysis/1413156382/
Quttera and yandex blacklisted: http://yandex.com/infected?l10n=en&url=universalkungfu.com
Malware flagged by Sucuri's:
ISSUE DETECTED DEFINITION INFECTED URL
Website Malware mwjs-iframe-injected691?v24 htxp://universalkungfu.com
Website Malware mwjs-iframe-injected691?v24 htxp://universalkungfu.com/index.html
Website Malware mwjs-iframe-injected691?v24 htxp://universalkungfu.com/dojazd.html
Website Malware mwjs-iframe-injected691?v24 htxp://universalkungfu.com/system.html
Website Malware mwjs-iframe-injected691?v24 htxp://universalkungfu.com/artykuly.html
Website Malware mwjs-iframe-injected691?v24 htxp://universalkungfu.com/aktualnosci.html
Known javascript malware. Details: http://labs.sucuri.net/db/malware/mwjs-iframe-injected691?v24
XSS vulnerable: Results from scanning URL: htxp://jamolandia.com
Number of sources found: 5
Number of sinks found: 483
Results from scanning URL: htxp://jamolandia.com/media/system/js/caption.js
Number of sources found: 5
Number of sinks found: 12
Results from scanning URL: htxp://jamolandia.com/media/system/js/mootools-more.js
Number of sources found: 65
Number of sinks found: 13
Results from scanning URL: htxp://jamolandia.com/templates/smart_news25/js/yt-script.js
Number of sources found: 92
Number of sinks found: 5
Results from scanning URL: htxp://jamolandia.com/templates/smart_news25/menusys/class/mega/assets/megalib.js
Number of sources found: 40
Number of sinks found: 13
Results from scanning URL: htxp://jamolandia.com/modules/mod_sj_news_ajax_tabs/assets/js/jsmart.ajaxtabs.js
Number of sources found: 17
Number of sinks found: 7
Results from scanning URL: htxp://jamolandia.com/media/system/js/validate.js
Number of sources found: 9
Number of sinks found: 7
Best protection against these possible cross-site-scripting vulnerabilities would be the use of prepared statements.
The basic idea behind this is that the query and the data are sent to the server separately.
polonus
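The "sources found" and "sinks found" figures quoted from the Zulu reports in this thread are counts of code patterns: a source is somewhere attacker-controlled input enters the script (location.hash, document.referrer, window.name and so on) and a sink is a call or property that interprets a string as HTML or code (innerHTML, document.write, eval). The counts alone do not show a vulnerability; what matters is a source reaching a sink. The following is an added example, not code from the thread or from any of the scanners mentioned: a minimal static scanner that produces those two counts over a JavaScript file and additionally flags the lines where a source, or a variable assigned from one, flows into a sink. The sample script is constructed; the variable tracking is deliberately simple (assignments of the form `var x = ...` within one file) and will miss flows through function calls or the DOM.

```python
"""Count DOM XSS sources and sinks in JavaScript and flag direct flows.
Added example, not from the thread; SAMPLE_JS is constructed."""
import re

# where untrusted data enters a page script
SOURCE_RE = re.compile(
    r"location\.hash|location\.search|location\.href|document\.URL|"
    r"document\.referrer|window\.name|document\.cookie"
)
# where a string is interpreted as markup or code
SINK_RE = re.compile(
    r"\.innerHTML\s*=|\.outerHTML\s*=|document\.write(?:ln)?\s*\(|"
    r"\beval\s*\(|\.insertAdjacentHTML\s*\(|\bsetTimeout\s*\(\s*['\"]|\bFunction\s*\("
)
# a statement that assigns to a plain variable: var q = <rhs>
ASSIGN_RE = re.compile(r"^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)")


def _mentions(name, code):
    return re.search(r"\b%s\b" % re.escape(name), code) is not None


def scan_js(js):
    """Return {'sources': n, 'sinks': n, 'flows': [{'line', 'via'}, ...]}."""
    tainted = set()          # variables assigned from a source (or another tainted var)
    sources = sinks = 0
    flows = []
    for lineno, line in enumerate(js.splitlines(), 1):
        code = line.split("//")[0]          # drop trailing comments (naive: breaks on "http://")
        sources += sum(1 for _ in SOURCE_RE.finditer(code))
        has_sink = SINK_RE.search(code) is not None
        sinks += sum(1 for _ in SINK_RE.finditer(code))

        # what on this line carries attacker data?
        via = []
        if SOURCE_RE.search(code):
            via.append(SOURCE_RE.search(code).group(0))
        via += [v for v in sorted(tainted) if _mentions(v, code)]

        # propagate taint through simple assignments
        m = ASSIGN_RE.match(code)
        if m and via:
            tainted.add(m.group(1))

        if has_sink and via:
            flows.append({"line": lineno, "via": via})
    return {"sources": sources, "sinks": sinks, "flows": flows}


# constructed sample: two real flows, one safe use, one static sink
SAMPLE_JS = """var q = location.hash.slice(1);
var ref = document.referrer;
document.getElementById('out').innerHTML = q;
document.getElementById('ref').textContent = ref;
eval("init(" + window.name + ")");
console.log(location.search);
var el = document.createElement('div');
el.innerHTML = '<b>static</b>';
"""

if __name__ == "__main__":
    report = scan_js(SAMPLE_JS)
    print("sources:", report["sources"], "sinks:", report["sinks"])
    for flow in report["flows"]:
        print("line %d: %s reaches a sink" % (flow["line"], ", ".join(flow["via"])))
```

On the sample this reports 4 sources and 3 sinks, but only two flows: line 3 (the hash fragment copied into innerHTML via `q`) and line 5 (window.name concatenated into eval). Line 8 is a sink fed a constant and line 4 writes a source into textContent, which does not parse HTML, so neither is flagged. Large library files such as mootools-more.js produce big source and sink counts for the same reason without necessarily containing any exploitable flow.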