system
1
This is what I see when I try to log in on the site wxw.circleofthemoon.net
Is this a worm/trojan/virus and what does it do? Please inform me so I can warn other people who are trying to log in.
Pondus
2
Site is engaged in sending spam, untrustworthy web reputation status →
http://www.mywot.com/en/scorecard/urlm.co?utm_source=addon&utm_content=popup-donuts
See: http://zulu.zscaler.com/submission/show/b4f2c15ecf896be946921d8abbbdfd94-1374674337
avast! Web Shield also flags this trojan, JS;Iframe-CSU[Trj], here: http://urlquery.net/report.php?id=3979670
Site has insecure Joomla software: Joomla Version 1.6.x for: htxp://www.circleofthemoon.net//language/en-GB/en-GB.ini
Joomla version outdated: upgrade required; therefore the site was also hacked back in 2010: http://www.zone-h.org/mirror/id/10506661
So something is wrong with this site’s security management, alas.
polonus
system
4
thank you!! I will pass it.
edit: the quttera was blocked with the same warning.
Pondus
5
edit: the quttera was blocked with the same warning.
Probably because the code avast! detects on that site is also on display in the quttera report.
The Snort IDS alert 120 boils down to:
Alerts
======
HTTP Inspect used generator ID 119 and 120. HTTP Inspect can generate the
following alerts under generator ID 119:
SID Description
1 ASCII encoding
2 Double decoding attack
3 U encoding
4 Bare byte Unicode encoding
5 Base36 encoding # Deprecated in Snort 2.9.1
6 UTF-8 encoding
7 IIS Unicode codepoint encoding
8 multi-slash encoding
9 IIS backslash evasion
10 self-directory traversal
11 directory traversal
12 Apache whitespace (tab)
13 Non-RFC HTTP delimiter
14 Non-RFC defined char
15 Oversize request-URI directory
16 Oversize chunk encoding
17 Unauthorized proxy use detected
18 Webroot directory traversal
19 Long header
20 Max headers
21 Multiple Content-Length headers
22 Chunk size mismatch
23 Invalid True-IP/XFF Orginal Client IP
24 Multiple Host headers
25 Hostname exceeds 255 characters
27 Chunked encoding - excessive consecutive small chunks
28 Unbounded POST (without Content-Length or Transfer-Encoding: chunked)
29 multiple true IPs in a session
30 both true_client_ip and XFF hdrs present
31 unknown method
32 simple request (HTTP/0.9)
The following alert is generated with generator ID 120:
SID Description
1 Anomalous HTTP server on undefined HTTP port
2 Invalid HTTP response status code
3 No Content-Length or Transfer-Encoding in HTTP response
4 UTF Normalization failure
5 HTTP response has UTF-7 charset
6 HTTP response gzip decompression failed
7 Chunked encoding - excessive consecutive small chunks
8 Invalid Content-Length or chunk size in request or response
9 Javascript obfuscation levels exceeds 1
10 Javascript consecutive whitespaces exceeds max allowed
That is the one we can pinpoint here!
11 Multiple encodings within Javascript obfuscated data
Info credits go to PioneerAxon on http_inspect rules by Daniel Roelker from Snort-ML.
polonus
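As an added illustration (not part of the thread above, and not Snort's own code), the script below does two things a defender reading such a report would want: it maps the gid:sid triple found in a Snort fast-alert line back to the generator-120 descriptions listed in the post, and it reproduces in plain Python the condition behind generator 120 SID 10 by measuring the longest run of consecutive whitespace in a piece of JavaScript. The threshold of 200 is an assumption about the default of the http_inspect option max_javascript_whitespaces in Snort 2.9.x; the JavaScript samples and the alert line are constructed here, not taken from the site discussed.

```python
import re

# Generator-ID 120 SIDs, transcribed from the HTTP Inspect list quoted in the post.
GID120_SIDS = {
    1: "Anomalous HTTP server on undefined HTTP port",
    2: "Invalid HTTP response status code",
    3: "No Content-Length or Transfer-Encoding in HTTP response",
    4: "UTF Normalization failure",
    5: "HTTP response has UTF-7 charset",
    6: "HTTP response gzip decompression failed",
    7: "Chunked encoding - excessive consecutive small chunks",
    8: "Invalid Content-Length or chunk size in request or response",
    9: "Javascript obfuscation levels exceeds 1",
    10: "Javascript consecutive whitespaces exceeds max allowed",
    11: "Multiple encodings within Javascript obfuscated data",
}

# Assumption: http_inspect's max_javascript_whitespaces defaults to 200 in
# Snort 2.9.x. Set this to whatever your snort.conf actually uses.
DEFAULT_MAX_JS_WHITESPACES = 200

# Snort fast-alert lines carry "[gid:sid:rev]" ahead of the message text.
_GID_SID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def describe_alert(alert_line):
    """Return (gid, sid, description) for a fast-alert line, or None when no
    gid:sid:rev triple is present. Only generator 120 is mapped here; other
    generators come back with description None."""
    m = _GID_SID_RE.search(alert_line)
    if m is None:
        return None
    gid, sid, _rev = (int(x) for x in m.groups())
    if gid != 120:
        return (gid, sid, None)
    return (gid, sid, GID120_SIDS.get(sid, "unknown SID"))


_WS_RUN_RE = re.compile(r"[ \t\r\n\f\v]+")


def longest_whitespace_run(script):
    """Length of the longest run of consecutive whitespace characters.
    Simplification: the whole script text is scanned, string literals included."""
    return max((len(m.group(0)) for m in _WS_RUN_RE.finditer(script)), default=0)


def js_whitespace_anomaly(script, max_ws=DEFAULT_MAX_JS_WHITESPACES):
    """True when the script would trip the generator-120 SID-10 condition,
    i.e. some whitespace run is longer than the configured maximum."""
    return longest_whitespace_run(script) > max_ws


# Constructed samples (not taken from the site discussed in the thread).
NORMAL_JS = "var a = 1;\n    var b = a + 2;\n\n\nconsole.log(b);\n"
PADDED_JS = "var x=1;" + " " * 300 + "var y=2;"   # whitespace padding between tokens
SAMPLE_ALERT = "[**] [120:10:1] (constructed sample fast-alert line) [**]"

if __name__ == "__main__":
    print(describe_alert(SAMPLE_ALERT))
    print(longest_whitespace_run(NORMAL_JS), js_whitespace_anomaly(NORMAL_JS))
    print(longest_whitespace_run(PADDED_JS), js_whitespace_anomaly(PADDED_JS))
```

Running it prints the SID-10 description for the sample alert, a short whitespace run for the ordinary script, and a 300-character run for the padded one, which is the pattern that makes the preprocessor raise 120:10 on a page serving obfuscated script.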