Hacked and defaced, vulnerable WordPress and other insecurity.

polonus · 2016-12-16T00:34:24.000Z

Re: http://killmalware.com/jong.es/# & http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fjong.es
F-C-F-X status: https://observatory.mozilla.org/analyze.html?host=ns3.jong.es
OpenSSL Padding Oracle vulnerability detected.
You have 1 error
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
Warnings
RC4
Your server’s encryption settings are vulnerable. This server uses the RC4 cipher algorithm which is not secure. More information.
TLS1.2
This server is vulnerable to a TLS renegotiation attack.

WordPress Version
3.9.14
Version does not appear to be latest 4.7 - update now.

Warning User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.

ID User Login
1 None admin
2 None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directores. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Vulnerable jQuery libraries in hxtp://jong.es
Detected libraries:
jquery - 1.8.1 : (active1) htxp://www.jong.es/wp-content/themes/beat/js/libs/jquery-1.8.1.min.js?ver=3.9.14
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

polonus (volunteer website security analyst and website error-hunter)

TrueIndian · 2016-12-16T15:17:42.000Z

Hi pol,

This site might be dead.

HTTP Request Header
Connect to 74.80.151.194 on port 80 … ok

GET / HTTP/1.1[CRLF]
Host: jong.es[CRLF]
Connection: close[CRLF]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)[CRLF]
Accept-Encoding: gzip[CRLF]
Accept-Charset: ISO-8859-1,UTF-8;q=0.7,*;q=0.7[CRLF]
Cache-Control: no-cache[CRLF]
Accept-Language: de,en;q=0.7,en-us;q=0.3[CRLF]
[CRLF]

Does CRLF sound familiar? This site looks dead
Thanks.
True Indian (TI)

polonus · 2016-12-16T15:27:34.000Z

Site is up but do not visit it as it may have gay image smut content - fingerprinting going on after hacker page disappears.
and Blocked 11 potential HTML canvas fingerprinting attempts on this page
Prevented a script on htxp://www.jong.es from capturing the following 32px × 32px canvas (via getImageData):
Prevented a script on htxp://www.jong.es from capturing the following 31px × 32px canvas (via getImageData):
Prevented a script on htxp://www.jong.es from capturing the following 31px × 32px canvas (via getImageData):
Prevented a script on htxp://www.jong.es from capturing the following 579px × 368px canvas (via getImageData): etc.

http://toolbar.netcraft.com/site_report?url=http://www.jong.es

But there is indeed another account suspended on named IP: http://pagediscover.com/www/jelqingexercises.net.html

zium info on -jong.es: http://zium.co/jong.es

polonus

Eddy · 2016-12-16T15:30:07.000Z

CRLF = Carriage Return Line Feed

It refers to the old typewriters.
Carriage with the print head at the end of a line (or at the most right position that the machine allows), bringing it back to the left of the machine and scroll the paper 1 line up so the next line can be typed.
With later typewriters it was the platen the was in the most left position and had to be brought back to the most right position with a carriage return lever.

It is not always noticeable, but I had typing lessons as a kid ;D

TrueIndian · 2016-12-16T15:34:15.000Z

Actually the CRLF in the HTTP header isn’t bad.Its a normal ping response.

TrueIndian · 2016-12-17T16:53:14.000Z

Here is a interesting gmail fraud site:
http://urlquery.net/report.php?id=1481993011742

HTML data has no flags:
https://virustotal.com/en/file/19010fb58887a61cf66325a373940dcac2b7f9437f5281c734d37ebe433928dc/analysis/1481993271/

Is this being detected?
http://zulu.zscaler.com/submission/show/cb01dfac123f05a422add481bf5679e7-1481993568

http://killmalware.com/secured-pdfpage.com/invoice/login.php

Announcements