Insecurity in scripts on IDS alerted ET CNC Shadowserver Reported CnC Server

See: http://urlquery.net/report/936bdd5b-c647-4bd0-895d-52eb499110cb
Checked for retirable code libraries:
BINGO: http://retire.insecurity.today/#!/scan/c2b3034b033c483fe654feafd771592eac8be1f0646c5b5a444c8a166f200ff0
Error in code:

-rubab-trading.site/ext/jquery/ui/jquery-ui-1.10.4.min.js benign
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function e.extend
error: undefined variable e
Render as a block rather than a page.

Also found link errors: FILE##jquery-ui-1.10.4.min.js 268 application/javascript
DEADLINK##/ext/jquery/ui/=h&&(null===o?l[a]=h:(c.mod&&(h-o>c.mod/2?o+=c.mod:o-h>c.mod/2&&(o-=c.mod
DEADLINK##/ext/jquery/ui/=h&&(null===o (no sanitization taking place: read: https://snyk.io/vuln/npm:jquery-ui:20160721 )
XSS in dialog

Consequences thereof: Results from scanning URL: -http://rubab-trading.site/ext/jquery/ui/jquery-ui-1.10.4.min.js
Number of sources found: 290
Number of sinks found: 14
What could be DOM-XSS abused manipulating UI elements? Consider:

this.options.value=this._values(this.options.values.length-1),this.options.values=null)),t.isArray(this.options.values)&&(n=this.options.values.length),t.Widget.prototype._setOption.apply(this,arguments),e){case"orientation":this._detectOrientation(),this.element.removeClass("ui-slider-horizontal ui-slider-vertical").addClass("ui-slider-

Loader.php should be tested also - for instance: bidndeal/loader.php?js=js/jquery.js;js/jquery.lightbox.js;
error

bidndeal/loader.php?js=js/jquery.js;js/
info: [decodingLevel=0] found JavaScript
error: undefined function n.getElementsByTagName
error: undefined variable n

polonus (volunteer website security analyst & website error-hunter)

P.S. Also three warnings here: https://asafaweb.com/Scan?Url=rubab-trading.site
PHP vuln: X-Powered-By: PHP/5.6.32, PleskLin exploitable.

D

Seen to these results in the above-mentioned ASafaWeb scan: HTTP only cookies: Warning

Requested URL: hxtp://rubab-trading.site/ | Response URL: hxtp://rubab-trading.site/ | Page title: Rubab Trading | HTTP status code: 200 (OK) | Response size: 17,510 bytes (gzip’d) | Duration: 1,762 ms
Overview
Cookies not flagged as “HttpOnly” may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the “HttpOnly” flag is missing it is due to oversight rather than by design.

Result
It looks like a cookie is being set without the “HttpOnly” flag being set (name : value):

osCsid : lk2toesk8d3rrqlr4ah6u98ek0
Unless the cookie legitimately needs to be read by JavaScript on the client, the “HttpOnly” flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

This brought me to scan also here: https://privacyscore.org/site/36724/
where we found that the website did not direct the user to the secure HTTPS version and is not using HSTS.
Lucky13 attack vulnerability detected, and various security headers not being set.

polonus
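A response-header audit covering the findings above (cookie set without HttpOnly, no HSTS, X-Powered-By disclosure, missing security headers), as an added example that is not part of the original post. The header checklist and both sample responses are constructed; the cookie value is a placeholder.

```javascript
// Added example: audit captured HTTP response headers for the issues the scans reported.
// Checklist and sample responses are constructed, not taken from any scanner.
const SECURITY_HEADERS = [
  'strict-transport-security', // HSTS, reported missing by privacyscore
  'content-security-policy',
  'x-frame-options',
  'x-content-type-options',
];

// Split one Set-Cookie value into its name and a lower-cased set of attribute names.
function parseSetCookie(value) {
  const parts = value.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  return { name, attrs };
}

// Return a list of findings for raw header lines; an empty list passes this checklist.
function auditHeaders(lines) {
  const findings = [];
  const seen = new Set();
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue; // status line or junk
    const hname = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    seen.add(hname);
    if (hname === 'set-cookie') {
      const { name, attrs } = parseSetCookie(value);
      if (!attrs.has('httponly')) findings.push(`cookie ${name}: missing HttpOnly`);
      if (!attrs.has('secure')) findings.push(`cookie ${name}: missing Secure`);
    }
    if (hname === 'x-powered-by') findings.push(`X-Powered-By discloses: ${value}`);
  }
  for (const h of SECURITY_HEADERS) if (!seen.has(h)) findings.push(`missing header: ${h}`);
  return findings;
}

// Constructed responses: WEAK mirrors the scan results above; HARDENED is the corrected form.
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Set-Cookie: osCsid=PLACEHOLDER; path=/',
  'X-Powered-By: PHP/5.6.32',
];
const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Set-Cookie: osCsid=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  "Content-Security-Policy: default-src 'self'",
  'X-Frame-Options: DENY',
  'X-Content-Type-Options: nosniff',
];
console.log(auditHeaders(WEAK_RESPONSE).join('\n'));
```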