Insecure WordPress site with fake jQuery malcode known infection source...

polonus · 2017-06-02T20:49:54.000Z

Outdated WordPress: WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress under 4.7.5

Re the 2 known vulnerable jQuery libraries: http://retire.insecurity.today/#!/scan/e97050f5fff547ade9fb1f604c285cea720b8e28d339f64f8b5d6138c88cfdaa
Re: Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directores. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Here we see it is an intentional infection source, as this is neatly sri-hashed: https://sritest.io/#report/a323551a-bdda-4808-9bde-c2bcc3180170

See: http://urlquery.net/report.php?id=1496433045694

Tracking links: -tracking.revimedia.com Halliburton Company United States

-tracking.petpremium.com Amazon.com United States

42 instances of known javascript malware given : https://sitecheck.sucuri.net/results/www.petinsurancereviews.net
see:
https://quttera.com/detailed_report/www.petinsurancereviews.net

polonus

polonus · 2017-06-02T21:38:45.000Z

More revealing even are these two scans on this alleged CyrusOne abuse.

First we see where two malicious sites are being contacted as reported by Google’s: https://urlscan.io/result/d28120bb-8d43-416c-94a6-c7f7e0fe78c6#summary

And DOM_XSS sources and sinks: -http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.petinsurancereviews.net
where we detected the above uri to be scanned: -http://www.petinsurancereviews.net/xmlrpc.php

Some of the php we may come accross : comment-template.php; comment.php; compat.php; cron.php (Unrestricted Cron Script webapp exploit, as was used on Magento); default-constants.php ; default-filters.php ; default-widgets.php ;deprecated.php ;
embed-template.php ; embed.php etc. etc. → functions.wp-scripts.php ; functions.wp-styles.php ;
general-template.php … where code can be injected into images and other php exploits could be performed.

polonus (volunteer website security analyst and website error-hunter)

Announcements