Outdated vulnerable website - What domain is the real McCoy?

polonus · September 14, 2020, 9:29am

Stumbled upon blacklisted IP here: https://rkn.darkbyte.ru/logs/19102018_1330.htm
Went over IP: http://ipinfolookup.com/37.1.201.235 & https://db-ip.com/37.1.201.198
Performed a VT scan: https://www.virustotal.com/gui/ip-address/37.1.201.198/relations
Stumbled at this series of domains: https://host.io/studmedblank.com
For instance -http://ctudmedblank.com/ cannot be reached…
Found this website to be with outdated software (PHP version): https://sitecheck.sucuri.net/results/https/stydmedblank.com

Checked for recommendation on site improvement: https://webhint.io/scanner/206b6dc9-5af6-4cb7-8cd2-ad24b5501e0c

Retire.js
bootstrap 4.2.1 Found in -https://stydmedblank.com/assets/js/main.min.js
Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
jquery 3.3.1 Found in -https://stydmedblank.com/assets/js/main.min.js
Vulnerability info:
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution 123
Medium CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

DOM-XSS issues: Results from scanning URL: -http://37.1.217.89
Number of sources found: 3
Number of sinks found: 56

Results from scanning URL: -https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js
Number of sources found: 32
Number of sinks found: 8

Results from scanning URL: -http://37.1.217.89/assets/js/move-top.js
Number of sources found: 44
Number of sinks found: 2

Results from scanning URL: -http://37.1.217.89/assets/js/move-top.js
Number of sources found: 53
Number of sinks found: 14

Found and blocked tracking from outward link to: -https://mc.yandex.ru/watch/32236844
Also deprecated outdated software detected: fancyBox v2 is deprecated. We encourage all developers to upgrade to fancyBox 3. Re: https://fancyapps.com/fancybox/ jQuery instructions et all.

So rightfully being blacklisted?

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

polonus · September 14, 2020, 4:13pm

Another site with security issues and with separate index page: https://sitecheck.sucuri.net/results/dl2.perserver.site
1 red out of 10 score → https://sitereport.netcraft.com/?url=http%3A%2F%2Fdl2.perserver.site
General server vulnerability: https://www.shodan.io/host/130.185.79.172
Site scan: https://urlscan.io/result/0e74ec15-a643-48a7-b8e8-4624f720232e/dom/
JavaScrip error Framework JavaScript…
SyntaxError: Invalid regular expression flags

eval ()() :3:98() Object.c [as F_c] (:2:146)() Object.E_u (:3:267)() la (eval at exec_fn (:1:147), :60:53)() Object.create (eval at exec_fn (:1:147), :71:325)() d (eval at exec_fn (:1:147), :13:89)()

Nginx headers not vulnerable.

Source Oversight:

HTML
-dl2.perserver.site/
7,869 bytes, 50 nodes

Javascript 6 (external 0, inline 6)
INLINE: self[‘tp_UnFAgzJAjQA_func’] = function(frame){ if (frame === null) { co
3,872 bytes

INLINE: self[‘tp_HLRxBXnJscW_func’] = function(frame){ if (frame === null) { co
2,226 bytes

INLINE: self[‘tp_PNAbUGLLYuE_func’] = function(frame){ if (frame === null) { co
2,614 bytes

INLINE: self[‘tp_HEKUmaVMylf_func’] = function(frame){ if (frame === null) { co
2,424 bytes

INLINE: self[‘tp_TdWlLecBbSh_func’] = function(frame){ if (frame === null) { co
5,433 bytes

INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
34,624 bytes

CSS 4 (external 0, inline 4)
INLINE: -a.gootranslink:link {color: #0000FF !important; text-decoration: underline !impo
2,944 bytes INJECTED

INLINE: .BDTLL_icon_ok { background-image: url(data:image/png;base64,iVBORw0KGgoAAAA
26,787 bytes INJECTED

INLINE: .BDTLL_status { cursor: pointer; display: inline; margin-right: 3px;
276 bytes INJECTED

INLINE: -a.gootranslink:link {color: #0000FF !important; text-decoration: underline !impo
2,944 bytes INJECTED

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

polonus · September 14, 2020, 10:19pm

Why has this site deny-listed by https://rkn.darkbyte.ru/sites.php

Could it be because on that website this link to -https://cdn.onesignal.com/sdks/OneSignalSDK.js is being blocked for me by uMatrix?

See: https://sitecheck.sucuri.net/results/https/www.sarcasm.co

5 Word Press CMS security issues: Outdated Word Press version.

Outdated plug-ins: WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

Plugin Update Status About
wordpress-seo 11.3 Warning latest release (14.9)
https://yoa.st/1uj
td-cloud-library Unknown
onesignal-free-web-push-notifications 1.17.4 Warning latest release (2.1.4)
https://onesignal.com/
wp-quads-pro 1.4.2 Unknown
td-composer Unknown
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

User Enumeration
The first two user ID’s were tested to determine if user enumeration is possible.

Username Name
ID: 1 not found
ID: 2 lavanika Lavanika Roy
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

Path Tested Status
/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directores. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

JavaScript errors:

TypeError: Cannot read property ‘appendChild’ of null
g (:1:615)()
HTMLCanvasElement.c (:1:324)()
HTMLCanvasElement.e.toDataURL (:1:1110)()
/:33 d()
/:33 e()
/:33
/:33

SyntaxError: Invalid regular expression flags
eval ()()
:3:98()
Object.c [as F_c] (:2:146)()
Object.E_u (:3:267)()
la (eval at exec_fn (:1:147), :60:53)()
Object.create (eval at exec_fn (:1:147), :71:325)()
d (eval at exec_fn (:1:147), :13:89)()

Retirable jQuery library:
jquery 1.12.4 Found in -https://www.sarcasm.co/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
Medium CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

Outdated vulnerable website - What domain is the real McCoy?

Announcements