Hi kvin,
Please change the https to hxxps, we don’t want people accidentally clicking on the link. Just because it says 404 Not Found doesn’t mean it hasn’t done anything.
Redirects to >> hxxps://sauronproject.eu/css/kontol.php
Information on the redirect here >> https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Iy5wfWBqZjZ1W1E%3D~enc
I thought maybe kontol was a foreign language (it is!). It means “d**k” in Indonesian, how nice of them. PHP means server-side scripts are running.
Your initial link Information.
Blacklist >> https://www.virustotal.com/gui/url/465eb8e6939e2dd96ccd3325e38ed6153ffd25eac51ec938bfb4e9e7a060d339/detection
(404/Clean) >> https://checkphish.ai/insights/url/1572699952726/465eb8e6939e2dd96ccd3325e38ed6153ffd25eac51ec938bfb4e9e7a060d339
Malicious >> https://urlscan.io/result/38b963cc-39b7-47e6-95ad-2047f736779e
Blacklisted >> https://sitecheck.sucuri.net/results/https/d.pr/jf6uiQ
Zulu says “clean”, but imo, the SSL certs mean nothing. Amazon AWS services can be abused as well. >> https://zulu.zscaler.com/submission/65d66509-2e64-4d33-a31e-8ed68cfd3727
*I would actually classify Zulu as “Suspicious”.
The redirect >> https://checkphish.ai/insights/url/1572700393410/56d790352bd40476b2463c31600ae07a14773ef138958b8522579ed994ff4b6a
I scanned the EU website with nmap, which pulled a lot of interesting information.
Port 80, 443 and 8080 are reasonably normal to see HTTP(S) on.
nmap also revealed a MySQL DB running on port 3306 - v5.5.55
This isn’t a very secure website, by the way. RCE will give me the ability to run commands, and then I can priv esc to root (bad, very bad)
https://www.exploit-db.com/exploits/23073
https://www.exploit-db.com/exploits/40679
I also didn’t expect to find backup files…
8008/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 302 Found
| Location: https://:8010/nice%20ports%2C/Tri%6Eity.txt%2ebak
| Connection: close
| X-Frame-Options: SAMEORIGIN
| X-XSS-Protection: 1; mode=block
| X-Content-Type-Options: nosniff
| Content-Security-Policy: frame-ancestors
| GenericLines, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 302 Found
| Location: https://:8010
| Connection: close
| X-Frame-Options: SAMEORIGIN
| X-XSS-Protection: 1; mode=block
| X-Content-Type-Options: nosniff
| Content-Security-Policy: frame-ancestors
| GetRequest:
| HTTP/1.1 302 Found
| Location: https://:8010/
| Connection: close
| X-Frame-Options: SAMEORIGIN
| X-XSS-Protection: 1; mode=block
| X-Content-Type-Options: nosniff
|_ Content-Security-Policy: frame-ancestors
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://sauronproject.eu:8010/
I tried grabbing it - FortiGuard got pissed off with me - and I can’t override FortiGuard given my current location (I have no access to this firewall on campus).
(Note: Anything that says “Web Filter Block Override” means it got blocked by my firewall.)
I would say, yes. It’s malicious. Whether it got anything onto your system is a different story. I would recommend running these scans found here >> https://forum.avast.com/index.php?topic=194892.0
OK, I abused my data on an LTE connection for a minute. Website is refusing connection on 8008 and 8010. It’s odd that it’s public facing though.
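Added example, not part of the post above: a small Python parser for the kind of nmap fingerprint-strings block quoted in the post. It pulls out the redirect each probe got back, flags the empty host in a Location like https://:8010/, and defangs the targets (https to hxxps, dots to [.]) before they get pasted into a forum, which is the point made at the top of the post. The sample block is constructed to match the shape of that output.

```python
import re

# Constructed sample, shaped like the nmap -sV fingerprint-strings output quoted in the post.
SAMPLE = """\
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 302 Found
|     Location: https://:8010/nice%20ports%2C/Tri%6Eity.txt%2ebak
|   GenericLines, HTTPOptions:
|     HTTP/1.1 302 Found
|     Location: https://:8010
|_    X-Frame-Options: SAMEORIGIN
"""

def parse_fingerprint_strings(text):
    """Return {probe: {"status": int | None, "headers": {lower-name: value}}}."""
    probes, current = {}, []
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()                  # drop nmap's table prefix
        if not line or line.startswith("fingerprint-strings"):
            continue
        if line.endswith(":") and line.count(":") == 1:    # one or more probe labels
            current = [p.strip() for p in line[:-1].split(",")]
            probes.update({p: {"status": None, "headers": {}} for p in current})
            continue
        m = re.match(r"^HTTP/\d\.\d (\d{3})", line)
        name, sep, value = line.partition(": ")
        for p in current:                                  # same reply for all labels
            if m:
                probes[p]["status"] = int(m.group(1))
            elif sep:
                probes[p]["headers"][name.lower()] = value
    return probes

def defang(url):
    """Make a URL non-clickable: http(s) -> hxxp(s), dots in the host -> [.]."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path

def redirect_findings(probes):
    """One record per probe that answered 3xx with a Location header."""
    out = []
    for probe, rec in probes.items():
        loc = rec["headers"].get("location")
        if loc is None or not 300 <= (rec["status"] or 0) < 400:
            continue
        out.append({"probe": probe, "status": rec["status"], "target": defang(loc),
                    "empty_host": loc.partition("://")[2].partition("/")[0].rsplit(":", 1)[0] == ""})
    return out
```

Run it on a real nmap block by replacing SAMPLE with the pasted text; every record with empty_host set is a redirect the scanner could not follow because the server never named a host.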