SURICATA DNS Unsolicited response - Internal IP alert...

polonus · 2017-08-10T21:21:31.000Z

VT does not flag website: https://virustotal.com/#/url/815adff5c11580b62dd8ef8b4f4e0fb582ce135dbb34309c1d4886d7e23b401d/detection

Re: https://urlquery.net/report/64f8cd13-0f1b-40e0-81b3-d4de7dee25e7

dns prefetch from see: http://toolbar.netcraft.com/site_report?url=http://api-idx.diversesolutions.com
See: https://certificate.revocationcheck.com/http:/api-idx.diversesolutions.com →
“We can’t download CRLs from internal servers”.

Last-Modified header is not the same as ThisUpdate (RFC 5019, section 6.2)
Expires cache header not set (RFC 5019, section 6.2)
The Cache-Control max-age header outlives NextUpdate with 1m14s

Outdated Word Press version 4.7.5 Plug-ins: The following plugins were detected by reading the HTML source of the WordPress sites front page.

revslider
dsidxpress 2.1.43 latest release (2.4.1) Update required
http://www.dsidxpress.com/
short-tax-post
js_composer
testimonialslider 2.9.6 latest release (2.9.5)
http://www.
contact-form-7 4.6.1 latest release (4.8.1) Update required
https://contactform7.com/
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

Warning User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.

ID User Login
1 vastaffer_rxn8e3gn vastaffer_rxn8e3gn
2 Service Service
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Here for - -http://api-idx.diversesolutions.com/combo-css?config=dsidxpress-pro no reverse DNS
Would be interesting to know what is behind all mentioned anomalities…with internal IPs…

→ https://asafaweb.com/Scan?Url=api-idx.diversesolutions.com error-Fail, two warnings.

Issues: https://www.dnsinspect.com/shaunafogal.com/10175279
Reverse DNS ns528515.ip-142-4-215.net ; iad23s43-in-f10.1e100.net ; iad23s59-in-f10.1e100.net ; xx-fbcdn-shv-01-iad3.fbcdn.net …

3 vuln. libraries: http://retire.insecurity.today/#!/scan/bea1ea5e011e9e3e1bd5faf8f3e2917c147995c528334cfbe3c43556bebea9c4

4 issues: https://sritest.io/#report/7c9e4d98-0388-45ff-a693-3522ea432f27

F-status and recommendations: https://observatory.mozilla.org/analyze.html?host=shaunafogal.com

polonus (volunteer website security analyst and website error-hunter)

polonus · 2017-08-13T21:05:35.000Z

Another such an alert here: https://urlquery.net/report/b298a798-b897-46b5-9143-4fab6dd2cdd9

Read: https://lists.openinfosecfoundation.org/pipermail/oisf-users/2015-June/004991.html
Re: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=pmc-rostock.de&ref_sel=GSP2&ua_sel=ff&fs=1
Re: F-Grade → https://observatory.mozilla.org/analyze.html?host=www.pmc-rostock.de
-https://www.pmc-rostock.de
Detected libraries:
jquery-migrate - 1.4.1 : -https://www.pmc-rostock.de/media/jui/js/jquery-migrate.min.js?efc7f7b8b0596ae4eca6b86733b65a1a
jquery - 1.12.4 : (active1) -https://www.pmc-rostock.de/media/jui/js/jquery.min.js?efc7f7b8b0596ae4eca6b86733b65a1a
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

polonus (volunteer website security analyst and website error-hunter)

polonus · 2017-08-26T20:19:35.000Z

Another website with such an alert: -breckle-direktverkauf.de/ → https://urlquery.net/report/1117058e-f610-41e9-b9da-51da54258faf
See DNS MX issues: https://threatintelligenceplatform.com/report/breckle-direktverkauf.de/JnGihV8qjN
F-Grade status and recommended change: https://observatory.mozilla.org/analyze.html?host=breckle-direktverkauf.de
redirecting to -http://www.osterburgmatratzen.de/
1 vuln. libarary: http://retire.insecurity.today/#!/scan/2d7f11fe4fa2c647d8a2523422825778090a04c233dc5aa1b1989bbd9ecdb934
Also consider IDS alerts: http://urlquery.net/report/d0c77fe1-b155-43cc-8a8b-39712139d283
Also consider sources and sinks here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fbreckle-direktverkauf.de
Read: https://github.com/jquery/jquery/issues/2432
Same origin upheld but issues resulting in a B-Grade scan result: https://sritest.io/#report/e588fc78-dc4c-4e6f-916f-e365e6093ad1

Error

found JavaScript
error: undefined variable jQuery
error: undefined function t

inside: wXw.osterburgmatratzen.de/wp-content/plugins/yith-woocommerce-compare/assets/js/jquery.colorbox-min.js?ver=1.4.21

As errors in the theme code

ound JavaScript
error: undefined variable jQuery
error: undefined variable f.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var f.fn = 1;
error: line:1: …^

inside: wXw.osterburgmatratzen.de/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?ver=5.4.5.1 (110418 bytes, 48 hidden)

polonus (volunteer website security analyst and website error-hunter)

Announcements