Read: https://urlhaus.abuse.ch/host/21-carat.com/ … OVH France abuse…
XSS-DOM - Results from scanning URL: -http://21-carat.com
Results from scanning URL: -https://21-carat.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Malware tags: Online/doc/emotet/ext/epoch3/heodo ext
Not detected here: https://sitecheck.sucuri.net/results/https/21-carat.com
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
polonus
October 20, 2020, 11:05pm
2
L.S.
When checking that site’s IP for fraud risk, we get a high fraud risk of 32 https://scamalytics.com/ip/51.91.236.193
At VT we find 2 solutions to detect this IP:https://www.virustotal.com/gui/ip-address/51.91.236.193/detection
And at https://www.virustotal.com/gui/ip-address/51.91.236.193/relations
polonus
polonus
October 20, 2020, 11:16pm
3
This is what you get going there:https://docs.ovh.com/gb/en/hosting/web_hosting_error_-_website_not_installed/
HTML
Javascript 5 (external 0, inline 5)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
INLINE: Object.defineProperty(screen, “availTop”, { value: 0 }); Object.defineProperty(s
INLINE: var utcDate = new Date(new Date().getTime()).toISOString();
CSS 2 (external 1, inline 1)
INLINE: @media print {#ghostery-purple-box {display:none !important}}
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
polonus
October 22, 2020, 11:49am
4
In case of the following malware-(emotet)spreading Word Press website, which is being blacklisted,
See reported website: https://urlhaus.abuse.ch/url/734220/
SERVER DETAILS
Web Server:
LiteSpeed
IP Address:
45.252.248.20
Hosting Provider:
AZDIGI-AS-VN AZDIGI Corporation, VN
Shared Hosting:
500 sites found (use Reverse IP to download list)
Title:
Index of /wp-includes/ No configuration setting issues, but [b]directory listing enabled.[/b]
path = /wp-includes/Overview/ct5u1XXXXXhbd/">ct5uXXXXXwhbd 22-Oct-2020 10:55 - which is kicking up that malware -> and Spamhouse and Trustwave detect:
https://www.virustotal.com/gui/url/be6ee9e4ecdf9e8d6f0daea6fa70f4c5493e6d40a0f83a63ad9de0fc4902a0fc/detection
10 detected files with this IP address:https://www.virustotal.com/gui/ip-address/45.252.248.20/relations https://www.shodan.io/host/45.252.248.20
Malware link also opens up to URL: -https://i5cdnimg-a.akamaihd.net/ media /js/min.js?v2.2
avascript 6 (external 0, inline 6)
INLINE: // Catch errors if signal is already set by user agent or other extensi...
402 bytes
INLINE: // Catch errors if signal is already set by user agent or other extensi…
INLINE: try { Object.defineProperty(screen, “availTop”, { value:
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete…
INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
INLINE: try { Object.defineProperty(screen, “availTop”, { value:
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
polonus
October 22, 2020, 12:29pm
5
This one is also not found up by the main scan engines:https://sitecheck.sucuri.net/results/mulherdealtaperformance.com.br
Same sort of malware spreader, this: -mulherdealtaperformance.com.br/https://urlhaus.abuse.ch/host/mulherdealtaperformance.com.br/
polonus
polonus
October 23, 2020, 10:43am
6
Then this one opening up on …/bins/ Parent Directory on vulnerable web server - Apache/2.2.15 (CentOS) Server at moon.leasevps dot com Port 80 infesting with ddos, elf & mirai.
See: https://urlhaus.abuse.ch/url/739437/
polonus