Mediocre website security on this website...

See: https://sitecheck.sucuri.net/results/https/we.snu.ac.kr (Medium Security Risk detected).
Given as clean here: https://www.virustotal.com/gui/url/731e58821611733144abdd14bd31cba6e6d95168e91ba53596cce405569c7828/detection

SSL related issues: https://www.ssllabs.com/ssltest/analyze.html?&hideResults=on&d=we.snu.ac.kr
The remote name could not be resolved: ‘we.snu.ac.kr’

See known vulnerabilities here: https://www.shodan.io/host/147.47.106.230
Retirable jQuery library: Retire.js

jquery 1.4.4 Found in -https://we.snu.ac.kr/common/js/jquery.js
Vulnerability info:
Medium CVE-2011-4969 XSS with location.hash
Medium CVE-2012-6708 11290 Selector interpreted as HTML
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

46 requests not being blocked.
Security header set: cache-control - no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Host only attribute set for PHPSESSID

CRI →

Javascript 24 (external 17, inline 7)
CSS 13 (external 11, inline 2)

262 recommendations towards improvement: https://webhint.io/scanner/482155ae-dfe7-44cb-a864-a8bd852b4503

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Another one: https://urlscan.io/result/a878ac34-cbc2-4f73-a9ea-fd5f568b9c75/
Consider: https://webhint.io/scanner/5c4f779c-92c1-424b-a98f-cdeb0a87eec9
and https://webcookies.org/cookies/www.jbrcapital1.net/30633998?300063
see vulnerabilities here: https://www.shodan.io/host/217.199.161.56
has Microsoft IIS, headers - 7.5 not vulnerable… Netcraft Risk rating 1.
On hoster: https://sitereport.netcraft.com/?url=http://338469.vps-10.com

polonus

Here is a WordPress website with three issues flagged as far as configuration settings go;
OK here follows a “quick and dirty”:

User Enumeration

The first two user IDs were tested to determine if user enumeration is possible.

ID      Username   Name
ID: 1   admin      admin
ID: 2   johnlash   John Lash

It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Directory Indexing

In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

Path Tested             Status
/wp-content/uploads/    enabled
/wp-content/plugins/    disabled

Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Checked javascript resources: JS Link Hosting / Company Netblock Country
-https://grahamhancock.com/s/js/?f=home.js&ver=5.4.2 ASN-GIGENET
-https://grahamhancock.com/wp-includes/js/wp-embed.min.js?ver=5.4.2 ASN-GIGENET
-https://grahamhancock.com/wp-includes/js/jquery/ui/effect.min.js?ver=1.11.4 ASN-GIGENET
-https://grahamhancock.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 ASN-GIGENET
-https://grahamhancock.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp ASN-GIGENET

213 hints towards website improvement: https://webhint.io/scanner/215870b8-33c2-4b39-91bf-5fadcf546cf2

jQuery - retirable library detected:
jquery 1.12.4 Found in -https://grahamhancock.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

But has another jQuery library: Results from DOM-XSS scanning
URL: -https://grahamhancock.com/s/js/?f=home.js&ver=5.4.2
Number of sources found: 41
Number of sinks found: 17

Dedicated server found, which is a good thing: https://www.shodan.io/host/199.168.117.67
B-status: https://www.ssllabs.com/ssltest/analyze.html?&hideResults=on&d=grahamhancock.com

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
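
An added example, not part of the original posts or of Retire.js: a site owner's check that reads the jQuery core version out of script URLs like those listed above and maps it to the advisories quoted in the scan output. Only the 3.4.0 bound for CVE-2019-11358 comes from the thread; the other fixed-in versions are taken from the public jQuery advisories, and the function names and example.test URLs are constructed for illustration.

```javascript
// Added example: Retire.js-style triage of jQuery core versions named in script URLs.
// "fixedIn" is the first fixed release; lower bounds of the real ranges are omitted.
const ADVISORIES = [
  { id: "CVE-2011-4969", fixedIn: "1.6.3" },
  { id: "CVE-2012-6708", fixedIn: "1.9.0" },
  { id: "CVE-2015-9251", fixedIn: "3.0.0" },
  { id: "CVE-2019-11358", fixedIn: "3.4.0" },
  { id: "htmlPrefilter XSS", fixedIn: "3.5.0" },
];
const VERSION_RE = /^\d+(?:\.\d+){1,2}/;

// Compare dotted numeric versions; a suffix such as "-wp" is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Version of jQuery core named in a script URL, or null when the file is not
// jQuery core (jquery-migrate, jQuery UI) or the URL carries no usable version.
function jqueryVersionFromUrl(url) {
  const u = new URL(url);
  const file = u.pathname.split("/").pop();
  const m = /^jquery(?:-(\d+(?:\.\d+){1,2}))?(?:\.slim)?(?:\.min)?\.js$/.exec(file);
  if (!m) return null;
  const v = m[1] || u.searchParams.get("ver") || "";
  return VERSION_RE.test(v) ? v : null;
}

function assess(url) {
  const version = jqueryVersionFromUrl(url);
  const findings = version === null ? [] : ADVISORIES
    .filter((a) => compareVersions(version, a.fixedIn) < 0)
    .map((a) => a.id);
  return { url, version, findings };
}

// Constructed sample URLs (example.test), shaped like the paths in the scan output.
const SAMPLE_URLS = [
  "https://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp",
  "https://example.test/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1",
  "https://example.test/common/js/jquery.js", // no version: inspect the file itself
  "https://example.test/js/jquery-1.4.4.min.js",
];
for (const r of SAMPLE_URLS.map(assess)) console.log(r.version, r.findings.join(", "));
```

A `null` version means the URL alone is not enough and the file contents have to be inspected, which is the case for an unversioned path such as /common/js/jquery.js.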

Hello, my site is blocked because of URL:phishing.

The site is valuerecoverysolutions [ . ] com

Can anyone help me identify why? And remove from the block if nothing is wrong?

Hi jon.goldman,

It is just avast that shares this detection with GData: https://www.virustotal.com/gui/url/9573c3a131c1e9c72f3c140d75587c7a1b784605353a223e15e3583fcd4ccf29/detection
Here your website is being given the all green: https://sitecheck.sucuri.net/results/valuerecoverysolutions.com
Also consider: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LnZ8bHV7fXteXXZ7fXlzXWx1dFtdbnMuXl1tYA%3D%3D~enc

The detection is probably IP related, see: https://www.abuseipdb.com/check/185.230.60.211

Wait for a final verdict from an avast team member, as they are the only ones to come and unblock,
we here are just volunteers with acquired knowledge in the field of website security analysis.

Also report a potential FP here: http://www.avast.com/contact-form.php?loadStyles

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)