Known JavaScript malware and outdated CMS!

See: https://urlquery.net/report.php?id=1437059772054 (various instances of malware).
WordPress Version
3.4.2
Version does not appear to be latest 4.2.2 - update now.

all-in-one-seo-pack latest release (2.2.7.1)
http://semperfiwebdesign.com
nextgen-gallery latest release (2.1.0)
http://www.nextgen-gallery.com
sociable-zyblog-edition latest release (2.0.14)
http://www.zyblog.de/wordpress-plugins/sociable-zyblog-edition/
wp-page-numbers 0.5 latest release (0.5)
http://www.jenst.se/2008/03/29/wp-page-numbers
facebook-likes-you 1.5.4 latest release (1.5.4)
http://wolnaelekcja.pl/wp-facebook-likes-you (last two plug-ins are up to date).

WordPress Theme
The theme has been found by examining the path /wp-content/themes/ theme name /

Digital Statement 1.0 http://www.blogohblog.com

Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.

User ID 1 : Nick Shin
User ID 2 : None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this reduces the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled, it is usually possible to enumerate all users within a WordPress installation.

Two malicious files detected:
/feed
Severity: Malicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to malicious blacklisted domain www.marketingshindig.com
File size[byte]: 103450
File type: ASCII
Page/File MD5: F5F99387D1A23327C2BD07C1DE3FF795
Scan duration[sec]: 0.256000
/wp-content/plugins/nextgen-gallery/xml/media-rss.php
Severity: Malicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to malicious blacklisted domain www.marketingshindig.com
File size[byte]: 9064
File type: XML
Page/File MD5: 72FD99DBC6FBA0223A7E9CE21D30C605
Scan duration[sec]: 0.019000

Quttera Blacklisted site.

ISSUE DETECTED DEFINITION INFECTED URL
SEO Spam MW:SPAM:SEO?g12 -http://www.marketingshindig.com
SEO Spam MW:SPAM:SEO?g12 -http://www.marketingshindig.com/404testpage4525d2fdc
SEO Spam MW:SPAM:SEO?g12 -http://www.marketingshindig.com/404javascript.js
SEO Spam MW:SPAM:SEO?g12 -http://www.marketingshindig.com/online-marketing-how-to-guide/
SEO Spam MW:SPAM:SEO?g12 -http://www.marketingshindig.com/reviews/
SEO Spam MW:SPAM:SEO?g12 -http://www.marketingshindig.com/marketing-humor/
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?g12
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}xViewState();

Should be detected as JS:HideLink-A [Trj] by Avast!

Quite a few DOM XSS vulnerabilities, see: http://www.domxssscanner.com/scan?url=-http%3A%2F%2Fwww.marketingshindig.com%2Fcategory%2Fweb-analytics%2F

e.g.: Results from scanning URL: -http://www.marketingshindig.com/wp-content/plugins/sociable-zyblog-edition/js/description_selection.js
Number of sources found: 38
Number of sinks found: 21

Results from scanning URL:-http://static.ak.fbcdn.net/connect.php/js/FB.Share
Number of sources found: 136
Number of sinks found: 25 (Issue: no support for SSL: https://www.drupal.org/node/1398152 )
Link to: http://lite.piclens.com/current/piclens.js (not in namespace)

polonus (volunteer website security analyst and website error hunter)
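As an added example (not code from polonus's posts or from any of the scanners quoted here), a small Python checker that flags the two traits of the quoted MW:SPAM:SEO?g12 / JS:HideLink-A tail and any reference to the blacklisted domain from the report, run over constructed sample file contents:

```python
import re

# Two traits of the JS:HideLink-A tail quoted in the thread: a tag is assembled from
# array slots inside document.write(...), and a trailing xViewState() call fires it.
HIDELINK_PATTERNS = {
    "document.write builds tag from array": re.compile(
        r"document\.write\(\s*['\"]<['\"]\s*\+\s*[A-Za-z_$][\w$]*\[\d+\]"),
    "xViewState() trigger": re.compile(r"\bxViewState\s*\(\s*\)"),
}

# Domain the Quttera report in the thread flags as blacklisted; extend as needed.
BLACKLISTED_DOMAINS = ("www.marketingshindig.com",)


def scan_text(name, text):
    """Return a list of (name, category, detail) findings for one file's contents."""
    findings = []
    for label, pat in HIDELINK_PATTERNS.items():
        if pat.search(text):
            findings.append((name, "hidelink-js", label))
    for dom in BLACKLISTED_DOMAINS:
        # Whole-host match only, so sub-strings of other host names do not fire.
        if re.search(r"(?i)(?<![\w.-])" + re.escape(dom) + r"(?![\w-])", text):
            findings.append((name, "blacklisted-domain", dom))
    return findings


# Constructed sample contents (not the real site files): a feed linking the spam domain,
# a template carrying the obfuscated tail, and a clean script that also uses document.write.
SAMPLES = {
    "feed": "<rss><channel><item><link>http://www.marketingshindig.com/reviews/</link>"
            "</item></channel></rss>",
    "footer.php": "<script>var x=[];var l=5;/* ... */t='';}}x[l-a]=z;}document.write('<'+x[0]+' '"
                  "+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}xViewState();</script>",
    "clean.js": "document.write('<p>' + greeting + '</p>'); viewState = 1;",
}


def scan_samples():
    """Scan every constructed sample; returns {name: [findings]} with clean files omitted."""
    report = {}
    for name, text in SAMPLES.items():
        hits = scan_text(name, text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        for _, category, detail in hits:
            print(f"{name}: {category}: {detail}")
```

Point it at real files by replacing SAMPLES with the contents of the feed, theme and plugin files you want to check.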

Well, Avast detected it as predicted, we have protection.
The security vulnerability in the CMS is in the NextGEN Gallery plug-in:
https://ithemes.com/2015/03/25/security-vulnerability-found-in-nextgen-gallery-plugin-update-to-2-0-79-immediately/

pol

Another website having this infection and alerted by Avast Webshield as infested with JS:HideLink-A [Trj]:
https://www.virustotal.com/nl/url/42a12a9ba9ee1e67a4359b69f9c4cacbc1bc8a53c823f6c2f53e840022bfb81b/analysis/1437074010/
and file detection: https://www.virustotal.com/nl/file/a9c49195a93f65b907cf36b9c8c5517a5e9e4b9e4fa9957cc89324ae28d59822/analysis/1437018627/
ISSUE DETECTED DEFINITION INFECTED URL
SEO Spam MW:SPAM:SEO?g12 htxp://catapultbrands.com
SEO Spam MW:SPAM:SEO?g12 htxp://catapultbrands.com/?page_id=40
SEO Spam MW:SPAM:SEO?g12 htxp://catapultbrands.com/?tag=cbg
SEO Spam MW:SPAM:SEO?g12 htxp://catapultbrands.com/?tag=cbg-tours
SEO Spam MW:SPAM:SEO?g12 htxp://catapultbrands.com/?tag=cruiseops
SEO Spam MW:SPAM:SEO?g12 htxp://catapultbrands.com/?tag=cruiseships
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?g12
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}xViewState();

CMS outdated and vulnerable: Web application details:
Application: WordPress 3.9.6 - http://www.wordpress.org

Web application version:
WordPress version: WordPress 3.9.6
Wordpress version from source: 3.9.6
Wordpress Version 3.9.x based on: -http://catapultbrands.com/wp-admin/js/common.js
WordPress theme: -http://catapultbrands.com/wp-content/themes/business-lite/
Wordpress internal path: /home/content/88/8533388/html/catapultbrands/wp-content/themes/business-lite/index.php
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 4.2

Plug-ins all outdated:
WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

jetpack 2.8.2 latest release (3.6) Update required
http://wordpress.org/plugins/jetpack/
embed-facebook 1.4 latest release (2.0) Update required
http://wordpress.org/plugins/embed-facebook/
s2member 140105 latest release (150311) Update required
http://www.s2member.com/framework/

The vulnerability exists during a TLS renegotiation process Remote MiM attack for

The theme has been found by examining the path /wp-content/themes/ theme name /

Business lite 3.1.35 http://cyberchimps.com/businesslite/

Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.

User ID 1 : admin
User ID 2 : lc6j1e

This should not be there and is dangerous and blocked by Bitdefender’s TrafficLight: /restricted.html?domain=http:%2F%2Fcatapultbrands.com%2Fwp-content%2Fplugins%2Fs2member%2Fs2member-o.php%3Fws_plugin__s2member_js_w_globals=1%26qcABC=1%26ver=140105-607302155&originalURL=1825836744&pip=false&premium=false&client_uid=1759571474&client_ver=4.0.0.354&client_type=IEPlugin&suite=false&aff_id=662-187&locale=nl_nl&ui=1&os_ver=6.3.0.0

This should not be an online available link. Quttera blacklists the website.
This, with the client_uid, is typical functionality with a large attack surface here *, where you should have a high-privileged server and a low-privileged client - so privilege separation!

polonus

Let us walk through the DOM XSS scannable code there and see the sinks and sources:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcatapultbrands.com
Notable is this one: Results from scanning URL: htxp://catapultbrands.com/wp-content/themes/business-lite/core/library/js/foundation/jquery.reveal.js?ver=3.9.6
Number of sources found: 46
Number of sinks found: 21
and
Results from scanning URL: hxtp://catapultbrands.com/wp-includes/js/jquery/ui/jquery.ui.tabs.min.js?ver=1.10.4
Number of sources found: 8
Number of sinks found: 28

And the code that should be blocked: Results from scanning URL: htxp://catapultbrands.com/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_js_w_globals=1&qcABC=1&ver=140105-607302155 *
Number of sources found: 7
Number of sinks found: 1

* hopefully the client_uid stays the same all the time ;D (see previous posting and why it was restricted by site-advisor etc.)

Why this last one is probably a security risk, read here: http://www.primothemes.com/forums/viewtopic.php?t=1492 link info credits: apmtrdr & smitchell360 and comments from the developer - Jason Caldwell.

polonus (volunteer website security analyst and website error-hunter)

According to netcraft.com catapult.com uses a Linux server and is hosted by godaddy.com.
I also found 1 CDN tracker (WP Jetpack) and 1 Google widget. This website uses an embedded javascript video player.
catapult.com was first seen on netcraft in May 2005.
http://toolbar.netcraft.com/site_report/?url=catapultbrands.com
http://mxtoolbox.com/SuperTool.aspx?action=mx%3A+ catapultbrands.com&run=toolpage

Using the IP address supplied by netcraft I found 3 blacklists and 9 fails here http://multirbl.valli.org/lookup/184.168.174.1.html

Just for fun I ran a netcraft.com report on godaddy.com http://toolbar.netcraft.com/site_report/?url=godaddy.com

IMHO Netcraft is a useful tool in the toolbox. It’s a great starting point to find out what technologies any website employs.
One of the first checks I do is with netcraft.com. I want to know something about what I’m dealing with.
I do strongly suggest using multiple online scanners to hunt down malicious websites.

Hi Para-Noid,

Agree with you there and good you combined it with the MXToolbox scan results, quite revealing…
I was interested in the reverse DNS Netcraft provided and their risk status of 1 red out of 10.
It seems p3nlhg256c1256.shr.prod.phx3.secureserver.net (184.168.174.1): No secure protocols supported!
For the Nameserver look here: https://dev.ssllabs.com/ssltest/analyze.html?d=ns07.domaincontrol.com&latest
According to WOT they are spammers: https://www.mywot.com/en/scorecard/ns07.domaincontrol.com?utm_source=addon&utm_content=rw-viewsc
http://mxtoolbox.com/domain/p3nlhg256c1256.shr.prod.phx3.secureserver.net/
Maybe an open relay, and the SOA refresh value is outside of the recommended range.

polonus

Spam history confirmed here http://www.projecthoneypot.org/ip_184.168.174.1
Interesting results here https://securityheaders.com/test-http-headers.php
http://isithacked.com/check/catapultbrands.com
http://www.dnsinspect.com/catapultbrands.com/1437080439

This report is clean.
http://dnscheck.pingdom.com/?domain=catapultbrands.com&timestamp=1437080425&view=1
Moral of the story…never, ever rely on just one report!

Hi Para-Noid,

Really revealing are these scan results: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcatapultbrands.com%2Fxmlrpc.php
First we read "XML-RPC server accepts POST requests only" and then the interesting results roll in,
where we go to: htxp://mk.luckbagsoutlet.com/static/js/wojilu.common.js?v=0002 is not banned from Google Adsense, see: http://www.adsenseblockchecker.com/index.php?url=mk.luckbagsoutlet.com
& //assets.pinterest.com/js/pinit.js where hxtp://assets.pinterest.com/js/pinit.js is being blocked by uMatrix.
and this malicious link: htxp://js.users.51.la/17675171.js (that should be blocked)
https://www.virustotal.com/nl/domain/js.users.51.la/information/

Now we are digging on and land at muddy waters…
The next scan comes up with -
-http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
-http://www.car-repo.com/DependencyHandler.axd/c39e7d8dca214a0cd00a79e7f35084a4.35.js
-http://www.car-repo.com/WebResource.axd?d=Qr1A2c42Z8DxvKQbzvenWNN484C3PONoZ8LGPYpXm883BtOtreO5yaUmzM0qEMvV_elaNv67gpgwZEiuvToKLGxbGY5KCcuH-Sgflkks-MwyTrtwijYrQJMb7T5OtzL8duJ9PT6UBVpbmI_YTeqAGtCcLcu7_27jFjjqwQ2&t=635451973201136697 etc. etc.
A following one with Results from scanning URL: -http://www.bestdarnswimcamp.com/Portals/_default/Skins/FlexiWeb/StandardMenu/StandardMenu.js etc.

polonus