Unknown_html_RFI_shell flagged here on this Ghosted site: https://www.virustotal.com/nl/url/7683bc3a026c751f567de3d5aba597a094d1f0becaa6d04352bc1f73df9f39d7/analysis/1412754987/ (not found, given at MX-VW archives)
Sucuri finds nothing wrong with site: http://sitecheck.sucuri.net/results/tfrstudio.blogspot.com
Quttera kicks up a potentially suspicious file:
www.blogger.com/static/v1/widgets/2271878333-widgets.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘%26tran=%26npn=1%26=%26=%26=%26=%26=%26=%26#falsefontFamilyfontFamily=%26true=%26=%26=%26I=%26true=%26=%26=%26=%26=%26I=%26=%26=%26=%26=%26=%26=%26=%26=%26=’]] of length 104 which may point to obfuscation or shellcode.
Threat dump: View bottom of http://jsunpack.jeek.org/?report=555158e20bf5f942c0f14233b47d09c8606a06ce
Threat dump MD5: 8F29EF73A1D7DCC46A744FDA44397451
File size[byte]: 90737
File type: ASCII
Page/File MD5: C854B114DE8AA773046F868953C7018A
Scan duration[sec]: 6.909000
HTTP Header Security is reasonable with warnings for:
- X-Frame-Options does not appear to be found in the site’s HTTP header, increasing the likelihood of successful clickjacking attacks.
- Strict-Transport-Security does not appear to be found in the site’s HTTP header, so browsers will not try to access your pages over SSL first.
- We did not detect Content-Security-Policy , x-webkit-csp, or even x-webkit-csp-report-only in the site’s HTTP header, making XSS attacks more likely to succeed.
- Server: was found in this site’s HTTP header, possibly making it easier for attackers to know about potential vulnerabilities that may exist on your site!
- Permitted-Cross-Domain-Policies does not appear to be found in the site’s HTTP header, so it’s possible that cross domain policies can be set by other users on your site and be obeyed by Adobe Flash and pdf files…
See: http://vnseo.com/tfrstudio.blogspot.com
XSS attack - Is there any risk letting users define innerHTML? → wXw.blogger.com/static/v1/widgets/2271878333-widgets.js
IP badness history: https://www.virustotal.com/nl/ip-address/74.125.136.132/information/
|_http-generator: ERROR: Script execution failed (use -d to debug)
polonus
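Added example (not part of the post above, and not Quttera's code): the "too low entropy" warning quoted in the report is a Shannon-entropy heuristic, so it is worth seeing what that number actually is for the flagged string. The block below takes the string exactly as quoted in the report, measures its entropy both URL-encoded and after decoding %26 to &, and compares it with a constructed reference string in which every hex digit occurs equally often (4.0 bits per character). The low figure comes from the string being mostly a repeated `&=` query template, which is what the heuristic reacts to; the comparison string is my own construction.

```python
import math
from collections import Counter
from urllib.parse import unquote

# The string Quttera quoted from 2271878333-widgets.js, copied from the report above.
FLAGGED = ("%26tran=%26npn=1%26=%26=%26=%26=%26=%26=%26#falsefontFamilyfontFamily="
           "%26true=%26=%26=%26I=%26true=%26=%26=%26=%26=%26I="
           "%26=%26=%26=%26=%26=%26=%26=%26=%26=")

# Constructed reference (not from the report): all 16 hex digits, each used 4 times,
# which gives exactly log2(16) = 4.0 bits per character.
HIGH_ENTROPY_SAMPLE = "0123456789abcdef" * 4


def shannon_entropy(s):
    """Shannon entropy of s in bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def top_symbols(s, k=3):
    """The k most frequent characters in s with their counts, most frequent first."""
    return Counter(s).most_common(k)


def entropy_profile(s):
    """Summarise why a string scores low: its entropy, length, alphabet size and
    the share of the text taken up by its two most common characters."""
    n = len(s)
    common = top_symbols(s, 2)
    return {
        "entropy_bits": round(shannon_entropy(s), 3),
        "length": n,
        "alphabet": len(set(s)),
        "top2_share": round(sum(c for _, c in common) / n, 3) if n else 0.0,
        "top2": [ch for ch, _ in common],
    }


if __name__ == "__main__":
    decoded = unquote(FLAGGED)          # %26 -> &, the form Quttera's length of 104 is closest to
    print("encoded :", entropy_profile(FLAGGED))
    print("decoded :", entropy_profile(decoded))
    print("reference:", entropy_profile(HIGH_ENTROPY_SAMPLE))
```

Run it and the decoded string comes out at roughly 3.3 bits per character with `&` and `=` alone making up over half the text, against 4.0 for the reference; a string of that shape is a form-submission template, and the heuristic cannot distinguish that from packed shellcode on its own, which is why the scanner only rates it "potentially suspicious".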
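Added example (my own code, not the vnseo.com checker the post links to): the five HTTP header warnings listed above can be reproduced against a raw response head. The block parses a head into a header map and applies one check per warning, using the real header name X-Permitted-Cross-Domain-Policies for the last one. Both response heads are constructed for the example: the first mirrors the report (a Server header present, nothing protective set), the second shows the same response with each warning addressed; the server banner value is made up.

```python
import re

# Constructed sample: a response head shaped like the scan's findings above
# (a Server header present, none of the protective headers set).
WEAK_RAW_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: ExampleHTTPd/1.0
Cache-Control: private, max-age=0
"""

# Constructed sample: the same response with the five warnings addressed.
HARDENED_RAW_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
X-Permitted-Cross-Domain-Policies: none
"""


def parse_head(raw):
    """Parse a raw HTTP response head into {lowercased-name: value}.
    The status line is skipped; a repeated header keeps its last value."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers):
    """Return a list of (header, problem) tuples for the five points the
    report raises; an empty list means nothing to report."""
    findings = []

    # 1. Framing control: anything other than DENY/SAMEORIGIN leaves the page frameable.
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options",
                         "missing or not DENY/SAMEORIGIN: page can be framed (clickjacking)"))

    # 2. HSTS: needs a non-zero max-age to make browsers insist on HTTPS on later visits.
    hsts = headers.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if max_age is None or int(max_age.group(1)) == 0:
        findings.append(("Strict-Transport-Security",
                         "missing or max-age=0: browsers will not force HTTPS on later visits"))

    # 3. CSP: enforcing policy preferred; report-only logs but does not block.
    csp = headers.get("content-security-policy") or headers.get("x-webkit-csp")
    if csp is None:
        if headers.get("content-security-policy-report-only") or headers.get("x-webkit-csp-report-only"):
            findings.append(("Content-Security-Policy",
                             "only a report-only policy is sent: violations are logged, not blocked"))
        else:
            findings.append(("Content-Security-Policy",
                             "missing: no browser-side restriction on injected scripts"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("Content-Security-Policy",
                         "present but allows 'unsafe-inline'/'unsafe-eval': little XSS protection"))

    # 4. Banner disclosure.
    server = headers.get("server")
    if server:
        findings.append(("Server", "discloses server software: %r" % server))

    # 5. Cross-domain policy control for Flash/PDF clients.
    pcdp = headers.get("x-permitted-cross-domain-policies", "").strip().lower()
    if pcdp not in ("none", "master-only"):
        findings.append(("X-Permitted-Cross-Domain-Policies",
                         "missing or permissive: Flash/PDF clients may honour a crossdomain.xml placed anywhere on the host"))

    return findings


def report(raw):
    """Raw response head in, list of findings out."""
    return check_security_headers(parse_head(raw))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RAW_HEAD), ("hardened", HARDENED_RAW_HEAD)):
        print("==", label, "==")
        for name, problem in report(raw) or [("(none)", "no findings")]:
            print("  %-36s %s" % (name, problem))
```

Against the weak head all five findings come back in the order the report lists them; against the hardened head the list is empty. To use it on a live site, feed it the head you get from `curl -sI` (a HEAD request) and be aware that a missing Server line only hides the banner, it does not change what the server is.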