Recent example for Drupalgeddon2 & Drupalgeddon3 →
Associated url: hxxp://54.39.23.28/1sh
for the 1sh issue read: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/850232/
https://www.webiron.com/file_lookup/2837661bd35755340f4677d8748cf297
You could see there a.o. settings_auto.php being exploited,
see: https://github.com/04x/ICG-AutoExploiterBoT/blob/master/AutoExploit.py
Very important for all admins and users to fully patch and update their website CMS software, themes and plug-ins.
This process is known as Safeguarding.
Sharing a simple scanner for personal use: https://github.com/0x4148/Drupalgeddon2_scanner
polonus (volunteer website security analyst and website error-hunter)
To just explain why php-based CMS websites remain a vulnerability as such, effectively when we see info proliferation
of webserver info - like Apache/2.0.55 Ubuntu mod_ldap_userdir/1.1.11 PHP/4.4.2-1.1 mod_vhost_ldap/1.0.0 ; now given as Apache 2.2.11
Unix, website has jQuery 1.6.2, PHP 4.4.9 - network
hxtp://www.zveno.com
Netblock Owner: iiNet Limited
Domain: zveno.com
Nameserver: -ns2.iinethosting.net.au
IP address: 202.72.184.18
DNS admin: pfarmer@iinet.net.au
IPv6 address: Not Present
Reverse DNS: -parking.westnethosting.com.au
Domain registrar: distributeit.com.au
Nameserver organisation: unknown
Organisation: Peter Farmer, 24 Cowper Rd, Sorrento, 6020, Australia
Hosting company: TPG Internet
Top Level Domain: Commercial entities (.com)
DNS Security Extensions: unknown
info Netcraft report, no x-content-type-options header, no x-xss-protection header, no x-frame-options, no CSP,
no cache-control. Reversed address: -parking.webnethosting.com.au
See: https://urlscan.io/result/aa090380-fb74-48f4-b9b3-ea59d1a0584b/
IP address 202.72.184.18 where we get more info via -http://members.iinet.au/~pfarmer
where normally that host cannot be resolved - however extra links, - books on XML:
htxp://www.amazon.com/exec/obidos/ASIN/0764547607/zvenoxmlspecial
-htxp://images.amazon.com/images/P/0764547607.01.TZZZZZZZ.jpg
-htxp://www.amazon.com/exec/obidos/ASIN/0764547771/zvenoxmlspecial
htxp://images.amazon.com/images/P/0764547771.01.TZZZZZZZ.jpg
htxp://www.amazon.com/exec/obidos/ASIN/1565925807/zvenoxmlspecial
htxp://images.amazon.com/images/P/1565925807.01.TZZZZZZZ.jpg
htxp://www.amazon.com/exec/obidos/ASIN/1884777872/zvenoxmlspecial
htxp://images.amazon.com/images/P/1884777872.01.TZZZZZZZ.jpg
WESTNET-AS-AP Westnet Internet Services could do a better job of hiding such links from scans.
IP has been reported for PHISHING 10 times, and -zveno.com, seen 6 times in last 30 days.
polonus (volunteer website security analyst and website error-hunter)
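
Added example, not part of the original posts: a small Python audit that takes a raw HTTP response head, lists which of the headers named above are missing, and extracts the product/version pairs a Server or X-Powered-By banner gives away. The function names and the sample response are constructed for illustration; only the Server banner string is taken from the post.

```python
import re

# Headers the post reports as absent from the scanned site.
EXPECTED = (
    "x-content-type-options",
    "x-xss-protection",
    "x-frame-options",
    "content-security-policy",
    "cache-control",
)
BANNER_HEADERS = ("server", "x-powered-by")  # headers that carry software banners
# product/version tokens such as Apache/2.0.55 or PHP/4.4.2-1.1
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header block
        if ":" not in line:
            continue                # ignore malformed lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Return (missing hardening headers, disclosed product/version pairs)."""
    headers = parse_headers(raw)
    missing = [h for h in EXPECTED if h not in headers]
    disclosed = []
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            disclosed.extend(VERSION_TOKEN.findall(value))
    return missing, disclosed


# Constructed sample response; the Server banner is the one quoted in the post.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.55 Ubuntu mod_ldap_userdir/1.1.11 PHP/4.4.2-1.1 mod_vhost_ldap/1.0.0\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)
```

Run `audit()` on the response head of your own site (for example, saved from `curl -sI`) to see which headers still need to be set and which banners should be trimmed in the web server configuration.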