IDS alert on Word Press site with insecurity...

polonus · 2017-09-05T16:04:01.000Z

Re: SURICATA TLS invalid record/traffic SURICATA TLS invalid handshake message
Given here: https://urlquery.net/report/cd412a24-e894-4a4f-9603-23f23dc26de3

CMS alerts: WordPress Version
3.6.1
Version does not appear to be latest 4.8.1 - update now.

Warning User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.

ID User Login
1 lrem1029 lrem1029
2 None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Reverse DNS:
temp-leahremini.com

No cloaking, no spammy looking links no iframes

F-Grade status: https://securityheaders.io/?q=http%3A%2F%2Fwww.leahremini.com%2F&followRedirects=on
F-Grade-status and recommendation: https://observatory.mozilla.org/analyze.html?host=www.leahremini.com
Insecure TLS
F-status with various recommendations: https://observatory.mozilla.org/analyze.html?host=www.leahremini.com#ssh

Configuration leak: MySQL (3306) 3306 Port open. Server response: J 5.5.23¯¡æi5h0S4GHÿ÷r’i\rGM-9sZImysql_native_password

Sender Policy Framework check Warning SPF record for the domain not found. An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. Mail sent from the servers without SPF record could get into spam folder. DMARC check Warning Domain-based Message Authentication, Reporting and Conformance (DMARC) record not found for the domain. DMARC is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations

Modernity last best practices check only reached a meagre 20% → https://en.internet.nl/site/www.leahremini.com/91993/

C-Grade sec: https://tls.imirhil.fr/https/www.leahremini.com

SRI-hash issues: https://sritest.io/#report/2cd0659a-6d61-485c-9ef5-a176d9766e6d
consider: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.randomhousebooks.com%2Fembeddabook%2Fembeddabook.js

and http://retire.insecurity.today/#!/scan/b32ec77a8afa2d969dfcdd52b69a3d8305b92895667402b2ceee8f6bc0f7590b
(protected from same origin)…

However not flagged as malicious nor suspicious: https://www.virustotal.com/#/url/08504ec2a84e797a440f1599e87cef2a792c83bffd71c919a4fa6eacad2280e1/detection

polonus (volunteer website security analyst and website error-hunter)

polonus · 2017-09-05T22:05:24.000Z

ssl/http Apache httpd (PleskLin) - consider: https://blog.rapid7.com/2013/07/10/good-exploits-never-die/
Now let us look at latest best practices score, not much chance with 20% score: https://en.internet.nl/domain/leahremini.com/92059/

→ http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.leahremini.com

Insecure connection - privacy in danger…http://toolbar.netcraft.com/site_report?url=https://www.leahremini.com
Poodle vulnerable…
Self-signed certificate is installed
2 errors
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
The certificate has expired.
The certificate has expired. This server is not secure.
Warnings
RC4
Your server’s encryption settings are vulnerable. This server uses the RC4 cipher algorithm which is not secure. More information.
SSLv3
Your server’s encryption settings are vulnerable. This server uses the SSLv3 protocol, which is not secure. More information.
Root installed on the server.
For best practices, remove the self-signed root from the server.
This server is vulnerable to:
Poodle (SSLv3 protocol)
This server is vulnerable to a Poodle (SSLv3) attack. More information.

Certificate information
Common name:
Parallels Panel
SAN:

Valid from:
2012-Apr-02 22:07:38 GMT
Valid to:
2013-Apr-02 22:07:38 GMT
Certificate status:
Unknown
Revocation check method:
Not available
Organization:
Parallels
Organizational unit:
Parallels Panel
City/locality:
Herndon
State/province:
Virginia
Country:
US
Certificate Transparency:
Not embedded in certificate
Serial number:
4f7a2329
Algorithm type:
SHA1withRSA
Key size:
2048
Certificate chainShow details Parallels Panel Root Certificate
Compare: http://toolbar.netcraft.com/site_report?url=https://www.leahremini.com

polonus (volunteer website security analyst and website error-hunter)

Announcements