Need a Friend's Blog Checked

Chim · 2017-04-17T03:27:38.000Z

A friend of mine told me that when she logs in into one of her Blogs with her cellphone, she gets some message / Security Warning. I barely e-mailed her inquiring as to whether she gets the same results if she logs in via her computer or not. It’ll probably be tomorrow or later before she gets back to me.

But, in the meantime I checked out her Blog’s URL — hxxp://siempredesdelejos.blogspot.com.ar/ with VirusTotal. It came out totally CLEAN. However, I then checked it out with Unmask Parasites and it comes out as SUSPICIOUS. Apparently 1 Suspicious Inline Script found and 8 Hidden External Links found. :o

The syntax of the info provided at Unmask Parasites regarding my friend’s Blog is beyond my scope of understanding. Can someone decipher what’s going on with her Blog … or even use something better that will provide a more understandable verdict? You know … given that Unmask Parasites has been in Beta for several forevers and may not even be being maintained anymore.

In the e-mail that I sent my friend, I told her that MAYBE the problem could be something as simple as just her using an outdated browser on her cellphone. Until I saw the Unmask Parasites results.

Insight?

Eddy · 2017-04-17T06:18:28.000Z

Virustotal does not scan sites.

Redirect to external server. Really bad practice :
https://www.websicherheit.at/website-malware-viren-scanner/?url=siempredesdelejos.blogspot.com.ar

Huge amount of blacklistings and malicious downloads on that IP :
https://www.virustotal.com/en/ip-address/74.125.129.132/information/
http://urlquery.net/report.php?id=1492408893816

Vulnerable library used :
http://retire.insecurity.today/#!/scan/653ad0726bea7009361e275b141b8d438dff9d24713e88a04ac80b9ee53bcabc

Link to blacklisted domain and suspicious files :
https://quttera.com/detailed_report/siempredesdelejos.blogspot.com.ar

Chim · 2017-04-17T17:33:50.000Z

Wooooooo! Information overload. :o Not sure where to go, what to do with all of this. I had hoped to be able to tell my friend something like — this, this, this, that and that are bad. You need to remove them. But, instead, I have no idea to what specifically the suspiciousness and general badness discovered in her Blog is pointing to.

In other words, from what I can tell, on the surface, her Blog SEEMS harmless. Just a bunch of images and links to more images and poetry. Yet in the report in your 2nd link, it appears that I guess … her Blog is supposed to be some Mecca Nexus Grand Central Park of Nefariousness! :o Just exactly where is all this activity hidden? Just exactly where are all these “downloads” from her Blog supposed to be taking place from? I’m seriously missing something here.

Is her Blog hacked, infected or something? As in something NOT of her doing? Or could the nefariousness be hidden away perhaps in the 3rd party code that she uses in her Blog template to incorporate this & that function or effect in her Blog’s design? Cuz yeah, she HAS always loved to shoehorn in a plethora of color, images, functions and effects in her Blog’s design and functionality. So I guess it IS quite possible that one or more of the Gadgets or 3rd party code that she’s using is safeness-challenged. :o

Okay, question: In that 2nd link that you posted, the one with the VirusTotal IP Address information … that is supposed to be of her Blog? Why does the location indicate US if she’s from Argentina? I’d sure like to know how and why all that stuff that was supposedly found in her Blog as downloads or whatever … is happening.

I don’t actually go to that Blog of hers at all since it’s not her main Blog. But, from what I saw, her main Blog also yielded very similar results with Unmask Parasites. The only difference was her main Blog had only 6 Hidden External Links found instead of eight. If it’s a danger being around in her main Blog, I’d sure like to know. I’ve never had any problems before. Never had my computer infected by visiting her main Blog. Heck, my computer doesn’t get infected period.

Pondus · 2017-04-17T18:10:50.000Z

A friend of mine told me that when she logs in into one of her Blogs with her cellphone, she gets some message / Security Warning.

It would probably help those investigating what that message say and what program that give that message

Chim · 2017-04-17T20:25:09.000Z

I got a brief reply from my friend. She said she was going to look into that possibility that I told her about … about whether she was using the absolute latest version of her browser on her cellphone. She’ll then get back to me as to whether that remotely got rid of the Security Warning problem.

Pondus, I just finished e-mailing my friend and asked her to send me a screen capture of that Security Warning that she’s gotten. It’ll most assuredly be in Spanish, but I’ll translate it if and when she sends it to me.

Chim · 2017-04-17T20:29:22.000Z

BTW, Eddy, if VirusTotal does not scan sites, what is the function, the usefulness of the URL Scan Tab in VirusTotal?

DavidR · 2017-04-17T20:33:40.000Z

Chim post:6:

BTW, Eddy, if VirusTotal does not scan sites, what is the function, the usefulness of the URL Scan Tab in VirusTotal?

It basically checks blacklists and isn’t doing a live scan of any site.

Pondus · 2017-04-17T21:22:42.000Z

Chim post:6:

BTW, Eddy, if VirusTotal does not scan sites, what is the function, the usefulness of the URL Scan Tab in VirusTotal?

As said, VT is checking URLs against a number of blacklists

If you want to scan it for infections (after VT URL check) click on “additional information” tab, scroll down and click on Sucuri and/or Quttera link, URL will then be scanned for infections

Eddy · 2017-04-17T21:36:39.000Z

http://www.ache.nl/ > scans and tests
I have several links there to sites that do scan sites.

polonus · 2017-04-17T22:23:02.000Z

Hi Chim,

Eddy just tries to put forward, why that site has insecurities, has misconfiguraties, has outdated and vulnerable code on it.
Not everybody is able to mitigate such a website with insecurity that may come to it being compromised later or blocked.

Look for someone with relevant knowledge to make the site a good deal better and more secure.

Look here for more inconsistency: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=siempredesdelejos.blogspot.com.ar&ref_sel=GSP2&ua_sel=ff&fs=1

Certificate Expired: http://www.ssltools.com/?url=https://siempredesdelejos.blogspot.com.ar
This certificate expired 19 days ago. That is something you can mitigate, else the site may come sedo-parked.

polonus (volunteer website security analyst and website error-hunter)

Chim · 2017-04-17T23:33:04.000Z

Polonus, you may have just hit the nail on the head … at least certainly with SOME of the problem.

I just received 2 screen caps from my friend. I have attached them. They ARE in Spanish as I figured they’d be. I have translated them.

Screen Cap #1 Translation:
Security Warning

There are some problems with the security certificate of this website.

Screen Cap #2 Translation:
Security Certificate

The name of the website does not coincide with the name of the certificate.

Issued for:
Common name:
*giffy.me

Organization:
Hatsuhiyo

Organizational unit:

Serial number:
00:C5:CD:52:97:61:66:95:35

There you have it. Now I don’t know anything about Security Certificates, but … does “Hatsuhiyo” sound right? Why does that sound out of place considering that she’s from Argentina? And what the frigg does giffy.me have to do with anything? Or does this possibly have something to do NOT with her Blog … but, with some IMAGE or GIF somewhere in her Blog?

Chim · 2017-04-17T23:46:02.000Z

Thanks for your clarification on the VirusTotal URL Tab, David.

Thanks for the heads up on the availability and function of Sucuri and Quttera, Pondus.
I took the liberty of scanning my Blog with those 2 sites and it received a Clean status from both. Whew! I was a little worried. ;D

However, I guess there MUST be something not completely clean at my friend’s Blog because while hers got a Clean status from Sucuri … it FAILED the Quttera scan, just like Eddy had pointed out. Although I didn’t manage to figure out how to display all the mega details that Eddy provided.

Chim · 2017-04-17T23:57:41.000Z

Thanks for that Ache link, Eddy. I bookmarked it.

Eddy · 2017-04-18T06:34:28.000Z

Although the domain end with AR, it doesn’t mean the server where the site is hosted is in Argentina.

polonus · 2017-04-18T08:45:26.000Z

Probabably hosted in the USA and registered by Nicar. → http://whois.domaintools.com/blogspot.com.ar
See: http://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fsiempredesdelejos.blogspot.com.ar
Here I get an error not found: http://toolbar.netcraft.com/site_report?url=dg-in-f132.1e100.net
nX-Frame-Option
SF:s:\x20SAMEORIGIN\r\n\r\n\n\n\x20\x20 nginx…

polonus

Chim · 2017-04-18T20:35:01.000Z

Ssss SO, bottom line, is there anything in all of that info that remotely points specifically to what my friend has to do or remove to get rid of the security warnings?

I’m still hoping it turns out to be a simple case of her cellphone having an outdated browser. But, I probably shouldn’t bet on that being the case.

Announcements