Tests and other Media topics

See what malware sites were being reported to URLhaus lately: https://urlhaus.abuse.ch/browse/
Before being taken down by providers, some stay active for over a week and can infect a great many devices with malware.

In the case of Chinese malware sites, Chinese providers are known to react rather slow, some malcode may stay on for over a month. They shouldn’t be that lax. Domination on malware is not a thing to be proud of.

URLhaus with 256 researchers over the last 10 month achieved to have a 100.000 websites being taken down.

polonus

polonus · January 22, 2019, 4:56pm

Example of such a blacklisted site been taken down: https://urlhaus.abuse.ch/url/107430/
See: Web Server:
None
X-Powered-By:
None
IP Address:
69.90.66.40
Hosting Provider:
Cogeco Peer 1 → https://www.privacyshield.gov/participant?id=a2zt0000000TNvtAAG&status=Active
Shared Hosting:
3 sites found on 69.90.66.40

Clean-up needed: https://sitecheck.sucuri.net/results/tekacars.com/wp-content

Re: http://69.90.66.40/cgi-sys/defaultwebpage.cgi not secure.

polonus

polonus · January 25, 2019, 4:54pm

Stumbled upon this scam tester: https://www.scamner.com/latest
Could be checked also against scams at https://www.urlvoid.com/
and here: https://www.siteprice.org/tools/AdultWebsiteChecker.aspx

enjoy my friends, enjoy

polonus

polonus · February 3, 2019, 5:57pm

Quite a selection of website scanners:
https://keystonesolutions.io/solutions/lookup-potentially-malicious-websites/
to look up potentially malicious websites.

Example looked up on PHISHCheck from here: wXw.hannahsartistcorner.com → https://www.threatminer.org/domain.php?q=www.hannahsartistcorner.com delivering result

{“sid”: 177823, “is_success”: true}

Google Safebrowsing alerts for such sites like htxps://uprisefest.com/images/account/index.php with a security error,
which is being reported to PHISHTank.
100% given as malicious here: https://zulu.zscaler.com/submission/9067b9f4-3f64-46e4-8200-a2bfe3262741

polonus

polonus · February 4, 2019, 11:10pm

Different days for first time detections, are they being reported independantly?

Re: https://urlhaus.abuse.ch/url/117199/ & https://otx.alienvault.com/indicator/domain/vektorex.com
Also see external sources given there…

Our forum friend, Pondus, always being very accurate on the most recent VT results. Thank you, Pondus.

Here they’d come up with ‘three days ago’: https://www.virustotal.com/nl/file/199a431e655b6890e3641cda8a98cdaa5c9e4c79303aa734f1ad05eb7ba6b01c/analysis/1549019095/

and this was only yesterday: https://www.virustotal.com/nl/domain/vektorex.com/information/

polonus

polonus · February 14, 2019, 8:38pm

Hole in Word Press plug-ins.
A listing of vulnerable plug-ins from various resources:
https://firstsiteguide.com/tools/free-fsg/hacked-dangerous-vulnerable-wordpress-plugins/#bad_plugins

To get recommendations and tipts to improve websites, scan: https://webhint.io/scanner/ & https://webscan.upguard.com/

Specifically for a quick and dirty on Word Press CMS: https://hackertarget.com/wordpress-security-scan/

Or use retire.js as a Google Chrome/Brave 1.0/ extension: https://chrome.google.com/webstore/detail/retirejs/moibopkbhjceeedibkbkbchbjnkadmom

polonus (volunteer website security analyst and website error-hunter)

polonus · February 15, 2019, 5:39pm

Background of malware injecting script IP: https://urlquery.net/report/c843e000-63ab-4175-8cd4-864427eeabc3
See: https://www.virustotal.com/fr/url/dab0812fe89ebcac05a3f37cbad6effaa06802bf91b00535ae789f8d05096aa2/analysis/1528944320/
and https://www.polaris64.net/blog/cyber-security/2017/wordpress-hacks-jquery-js-script-injection
and https://otx.alienvault.com/indicator/ip/134.249.116.78
and https://cymon.io/134.249.116.78
and https://malwarebreakdown.com/2017/04/18/hacked-sites-redirecting-users-to-various-malvertising-campaigns/
How to find the backdoor: https://wordpress.stackexchange.com/questions/256050/how-to-find-the-backdoor-of-the-hack
Re: https://www.ip-finder.me/134.249.116.78/ Your IP 172.69.54.30 has been blacklisted!
and https://www.quicksilk.com/blog/1/checkpoint-10000-hacked-wordpress-sites
and https://productforums.google.com/forum/#!topic/webmasters/02BijAFd9n4
check: https://services.normshield.com/blacklist/ip/134.249.116.78

polonus

polonus · February 21, 2019, 7:05pm

Resources for vulnerabilities. Example outdated vulnerable Word Press plug-in:
https://publicwww.com/websites/wp-pagenavi+2.92/

wp-pagenavi 2.92 latest release (2.93) Update required
https://lesterchan.net/portfolio/programming/php/

polonus

polonus · February 26, 2019, 10:51pm

Handy online tool for the javascript analyst (use with discern and always play nice):.

A good online deobfuscator of javascript: https://www.dcode.fr/javascript-unobfuscator
Proof of the pudding - “probieren geht ueber studieren”:

Some harmless obfuscated code like wp-embed.min.js?ver=4.9.9

var _0x9024=[“\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74”,“\x4D\x53\x49\x45\x20\x31\x30”,“\x69\x6E\x64\x65\x78\x4F\x66”,“\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E”,“\x6D\x61\x74\x63\x68”,“\x75\x73\x65\x72\x41\x67\x65\x6E\x74”,“\x69\x66\x72\x61\x6D\x65\x2E\x77\x70\x2D\x65\x6D\x62\x65\x64\x64\x65\x64\x2D\x63\x6F\x6E\x74\x65\x6E\x74”,“\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C”,“\x6C\x65\x6E\x67\x74\x68”,“\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74”,“\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65”,“\x73\x75\x62\x73\x74\x72”,“\x72\x61\x6E\x64\x6F\x6D”,“\x73\x72\x63”,“\x23\x3F\x73\x65\x63\x72\x65\x74\x3D”,“\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65”,“\x63\x6C\x6F\x6E\x65\x4E\x6F\x64\x65”,“\x73\x65\x63\x75\x72\x69\x74\x79”,“\x72\x65\x6D\x6F\x76\x65\x41\x74\x74\x72\x69\x62\x75\x74\x65”,“\x72\x65\x70\x6C\x61\x63\x65\x43\x68\x69\x6C\x64”,“\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65”,“\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72”,“\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72”,“\x77\x70”,“\x72\x65\x63\x65\x69\x76\x65\x45\x6D\x62\x65\x64\x4D\x65\x73\x73\x61\x67\x65”,“\x64\x61\x74\x61”,“\x73\x65\x63\x72\x65\x74”,“\x6D\x65\x73\x73\x61\x67\x65”,“\x76\x61\x6C\x75\x65”,“\x74\x65\x73\x74”,“\x69\x66\x72\x61\x6D\x65\x5B\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74\x3D\x22”,“\x22\x5D”,“\x62\x6C\x6F\x63\x6B\x71\x75\x6F\x74\x65\x5B\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74\x3D\x22”,“\x64\x69\x73\x70\x6C\x61\x79”,“\x73\x74\x79\x6C\x65”,“\x6E\x6F\x6E\x65”,“\x73\x6F\x75\x72\x63\x65”,“\x63\x6F\x6E\x74\x65\x6E\x74\x57\x69\x6E\x64\x6F\x77”,“\x68\x65\x69\x67\x68\x74”,“\x6C\x69\x6E\x6B”,“\x61”,“\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74”,“\x68\x72\x65\x66”,“\x68\x6F\x73\x74”,“\x61\x63\x74\x69\x76\x65\x45\x6C\x65\x6D\x65\x6E\x74”,“\x6C\x6F\x63\x61\x74\x69\x6F\x6E”,“\x74\x6F\x70”,“\x44\x4F\x4D\x43\x6F\x6E\x74\x65\x6E\x74\x4C\x6F\x61\x64\x65\x64”,“\x6C\x6F\x61\x64”];!function(_0x9312x1,_0x9312x2){_0x9024[0];function _0x9312x3(){if(!_0x9312x9){_0x9312x9= !0;var _0x9312x1,_0x9312x3,_0x9312x4,_0x9312x5,_0x9312x6=-1!== navigator[_0x9024[3]]_0x9024[2],_0x9312x7=!!navigator[_0x9024[5]]_0x9024[4],_0x9312x8=_0x9312x2_0x9024[7];for(_0x9312x3= 0;_0x9312x3< _0x9312x8[_0x9024[8]];_0x9312x3++){if(_0x9312x4= _0x9312x8[_0x9312x3],!_0x9312x4_0x9024[10]){_0x9312x5= Math_0x9024[12].toString(36)_0x9024[11],_0x9312x4[_0x9024[13]]+= _0x9024[14]+ _0x9312x5,_0x9312x4_0x9024[15]};if(_0x9312x6|| _0x9312x7){_0x9312x1= _0x9312x4_0x9024[16],_0x9312x1_0x9024[18],_0x9312x4[_0x9024[20]]_0x9024[19]}}}}var _0x9312x4=!1,_0x9312x9=!1;if(_0x9312x2[_0x9024[21]]){if(_0x9312x1[_0x9024[22]]){_0x9312x4= !0}};if(_0x9312x1[_0x9024[23]]= _0x9312x1[_0x9024[23]]|| {},!_0x9312x1[_0x9024[23]][_0x9024[24]]){if(_0x9312x1[_0x9024[23]][_0x9024[24]]= function(_0x9312x3){var _0x9312x4=_0x9312x3[_0x9024[25]];if(_0x9312x4){if(_0x9312x4[_0x9024[26]]|| _0x9312x4[_0x9024[27]]|| _0x9312x4[_0x9024[28]]){if(!/[^a-zA-Z0-9]/_0x9024[29]){var _0x9312x9,_0x9312x5,_0x9312x6,_0x9312x7,_0x9312x8,_0x9312xa=_0x9312x2[_0x9024[7]](_0x9024[30]+ _0x9312x4[_0x9024[26]]+ _0x9024[31]),_0x9312xb=_0x9312x2[_0x9024[7]](_0x9024[32]+ _0x9312x4[_0x9024[26]]+ _0x9024[31]);for(_0x9312x9= 0;_0x9312x9< _0x9312xb[_0x9024[8]];_0x9312x9++){_0x9312xb[_0x9312x9][_0x9024[34]][_0x9024[33]]= _0x9024[35]};for(_0x9312x9= 0;_0x9312x9< _0x9312xa[_0x9024[8]];_0x9312x9++){if(_0x9312x5= _0x9312xa[_0x9312x9],_0x9312x3[_0x9024[36]]=== _0x9312x5[_0x9024[37]]){if(_0x9312x5_0x9024[18],_0x9024[38]=== _0x9312x4[_0x9024[27]]){if(_0x9312x6= parseInt(_0x9312x4[_0x9024[28]],10),_0x9312x6> 1e3){_0x9312x6= 1e3}else {if(~~_0x9312x6< 200){_0x9312x6= 200}};_0x9312x5[_0x9024[38]]= _0x9312x6};if(_0x9024[39]=== _0x9312x4[_0x9024[27]]){if(_0x9312x7= _0x9312x2_0x9024[41],_0x9312x8= _0x9312x2_0x9024[41],_0x9312x7[_0x9024[42]]= _0x9312x5_0x9024[10],_0x9312x8[_0x9024[42]]= _0x9312x4[_0x9024[28]],_0x9312x8[_0x9024[43]]=== _0x9312x7[_0x9024[43]]){if(_0x9312x2[_0x9024[44]]=== _0x9312x5){_0x9312x1[_0x9024[46]][_0x9024[45]][_0x9024[42]]= _0x9312x4[_0x9024[28]]}}}}else {;}}}}}},_0x9312x4){_0x9312x1_0x9024[22],_0x9312x2_0x9024[22],_0x9312x1_0x9024[22]}}}(window,document)

original code that came out, result

‘use strict’;
var _0x9024 = [“use strict”, “MSIE 10”, “indexOf”, “appVersion”, “match”, “userAgent”, “iframe.wp-embedded-content”, “querySelectorAll”, “length”, “data-secret”, “getAttribute”, “substr”, “random”, “src”, “#?secret=”, “setAttribute”, “cloneNode”, “security”, “removeAttribute”, “replaceChild”, “parentNode”, “querySelector”, “addEventListener”, “wp”, “receiveEmbedMessage”, “data”, “secret”, “message”, “value”, “test”, ‘iframe[data-secret="’, ‘"]’, ‘blockquote[data-secret="’, “display”, “style”, “none”,
“source”, “contentWindow”, “height”, “link”, “a”, “createElement”, “href”, “host”, “activeElement”, “location”, “top”, “DOMContentLoaded”, “load”];
!function(_0x9312x1$jscomp$0, _0x9312x2$jscomp$0) {
function _0x9312x3$jscomp$0() {
if (!_0x9312x9$jscomp$0) {
_0x9312x9$jscomp$0 = true;
var _0x9312x1$jscomp$1;
var _0x9312x3$jscomp$1;
var _0x9312x4$jscomp$1;
var _0x9312x5$jscomp$0;
var _0x9312x6$jscomp$0 = -1 !== navigator[_0x9024[3]]_0x9024[2];
var _0x9312x7$jscomp$0 = !!navigator[_0x9024[5]]_0x9024[4];
var _0x9312x8$jscomp$0 = _0x9312x2$jscomp$0_0x9024[7];
_0x9312x3$jscomp$1 = 0;
for (; _0x9312x3$jscomp$1 < _0x9312x8$jscomp$0[_0x9024[8]]; _0x9312x3$jscomp$1++) {
if (_0x9312x4$jscomp$1 = _0x9312x8$jscomp$0[_0x9312x3$jscomp$1], !_0x9312x4$jscomp$1_0x9024[10]) {
_0x9312x5$jscomp$0 = Math_0x9024[12].toString(36)[_0x9024[11]](2, 10);
_0x9312x4$jscomp$1[_0x9024[13]] += _0x9024[14] + _0x9312x5$jscomp$0;
_0x9312x4$jscomp$1[_0x9024[15]](_0x9024[9], _0x9312x5$jscomp$0);
}
if (_0x9312x6$jscomp$0 || _0x9312x7$jscomp$0) {
_0x9312x1$jscomp$1 = _0x9312x4$jscomp$1_0x9024[16];
_0x9312x1$jscomp$1_0x9024[18];
_0x9312x4$jscomp$1[_0x9024[20]][_0x9024[19]](_0x9312x1$jscomp$1, _0x9312x4$jscomp$1);
}
}
}
}
_0x9024[0];
var _0x9312x4$jscomp$0 = false;
var _0x9312x9$jscomp$0 = false;
if (_0x9312x2$jscomp$0[_0x9024[21]]) {
if (_0x9312x1$jscomp$0[_0x9024[22]]) {
_0x9312x4$jscomp$0 = true;
}
}
if (_0x9312x1$jscomp$0[_0x9024[23]] = _0x9312x1$jscomp$0[_0x9024[23]] || {}, !_0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]]) {
if (_0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]] = function(_0x9312x3$jscomp$2) {
var _0x9312x4$jscomp$2 = _0x9312x3$jscomp$2[_0x9024[25]];
if (_0x9312x4$jscomp$2) {
if (_0x9312x4$jscomp$2[_0x9024[26]] || _0x9312x4$jscomp$2[_0x9024[27]] || _0x9312x4$jscomp$2[_0x9024[28]]) {
if (!/[^a-zA-Z0-9]/_0x9024[29]) {
var _0x9312x9$jscomp$1;
var _0x9312x5$jscomp$1;
var _0x9312x6$jscomp$1;
var _0x9312x7$jscomp$1;
var _0x9312x8$jscomp$1;
var _0x9312xa$jscomp$0 = _0x9312x2$jscomp$0[_0x9024[7]](_0x9024[30] + _0x9312x4$jscomp$2[_0x9024[26]] + _0x9024[31]);
var _0x9312xb$jscomp$0 = _0x9312x2$jscomp$0[_0x9024[7]](_0x9024[32] + _0x9312x4$jscomp$2[_0x9024[26]] + _0x9024[31]);
_0x9312x9$jscomp$1 = 0;
for (; _0x9312x9$jscomp$1 < _0x9312xb$jscomp$0[_0x9024[8]]; _0x9312x9$jscomp$1++) {
_0x9312xb$jscomp$0[_0x9312x9$jscomp$1][_0x9024[34]][_0x9024[33]] = _0x9024[35];
}
_0x9312x9$jscomp$1 = 0;
for (; _0x9312x9$jscomp$1 < _0x9312xa$jscomp$0[_0x9024[8]]; _0x9312x9$jscomp$1++) {
if (_0x9312x5$jscomp$1 = _0x9312xa$jscomp$0[_0x9312x9$jscomp$1], _0x9312x3$jscomp$2[_0x9024[36]] === _0x9312x5$jscomp$1[_0x9024[37]]) {
if (_0x9312x5$jscomp$1_0x9024[18], _0x9024[38] === _0x9312x4$jscomp$2[_0x9024[27]]) {
if (_0x9312x6$jscomp$1 = parseInt(_0x9312x4$jscomp$2[_0x9024[28]], 10), _0x9312x6$jscomp$1 > 1e3) {
_0x9312x6$jscomp$1 = 1e3;
} else {
if (~~_0x9312x6$jscomp$1 < 200) {
_0x9312x6$jscomp$1 = 200;
}
}
_0x9312x5$jscomp$1[_0x9024[38]] = _0x9312x6$jscomp$1;
}
if (_0x9024[39] === _0x9312x4$jscomp$2[_0x9024[27]]) {
if (_0x9312x7$jscomp$1 = _0x9312x2$jscomp$0_0x9024[41], _0x9312x8$jscomp$1 = _0x9312x2$jscomp$0_0x9024[41], _0x9312x7$jscomp$1[_0x9024[42]] = _0x9312x5$jscomp$1_0x9024[10], _0x9312x8$jscomp$1[_0x9024[42]] = _0x9312x4$jscomp$2[_0x9024[28]], _0x9312x8$jscomp$1[_0x9024[43]] === _0x9312x7$jscomp$1[_0x9024[43]]) {
if (_0x9312x2$jscomp$0[_0x9024[44]] === _0x9312x5$jscomp$1) {
_0x9312x1$jscomp$0[_0x9024[46]][_0x9024[45]][_0x9024[42]] = _0x9312x4$jscomp$2[_0x9024[28]];
}
}
}
} else {
}
}
}
}
}
}, _0x9312x4$jscomp$0) {
_0x9312x1$jscomp$0[_0x9024[22]](_0x9024[27], _0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]], false);
_0x9312x2$jscomp$0[_0x9024[22]](_0x9024[47], _0x9312x3$jscomp$0, false);
_0x9312x1$jscomp$0[_0x9024[22]](_0x9024[48], _0x9312x3$jscomp$0, false);
}
}
}(window, document);

Also a good read for researchers of bad code: http://relentless-coding.org/projects/jsdetox/samples
Project: https://javadeobfuscator.com/

polonus

polonus · February 27, 2019, 11:25pm

Do a connection test: http://conn.internet.nl/connection/

and a good DNS domain check site: https://www.uptrends.com/de/tools/dns

polonus

polonus · February 28, 2019, 3:06pm

Spectre is going to haunt us for some considerable time: https://arxiv.org/abs/1902.05178

Is your browser vulnerable to Spectre?

Check online: https://xlab.tencent.com/special/spectre/spectre_check.html

According to their checking my browser, it is NOT vulnerable to Spectre

polonus · March 2, 2019, 4:21pm

Checking a URLHaus flagged IP, like this one: https://urlhaus.abuse.ch/url/149963/
Interesting information at shodan’s, about ports, services, vulnerabilities:
https://www.shodan.io/host/157.230.214.179
Via additional insights we landed here: https://viz.greynoise.io/ip/157.230.214.179

Name Category Intention Confidence First Seen Last Updated ZMAP_CLIENT tool Null high 2019-02-26 2019-02-26 SSH_SCANNER_LOW activity Null low 2019-02-26 2019-02-26 TELNET_SCANNER_HIGH activity Null high 2019-02-23 2019-02-23 TELNET_BRUTEFORCER worm malicious high 2019-02-18 2019-02-23 TELNET_BRUTEFORCER worm malicious high 2019-02-18 2019-02-18 TELNET_SCANNER_HIGH activity Null high 2019-02-18 2019-02-18 TELNET_WORM_HIGH worm malicious high 2019-02-11 2019-02-12 TELNET_SCANNER_HIGH activity Null high 2019-02-11 2019-02-12 ZMAP_CLIENT tool Null high 2019-02-11 2019-02-11

See security issues: https://webscan.upguard.com/#/http://157.230.214.179/bins/apep.x86
(5) Susceptible to man-in-the-middle attacks
Server information header exposed
Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. The website configuration should be changed to prevent version information being revealed in the ‘server’ header.
EXPECTED:
[does not contain version number]
FOUND:
Apache/2.2.15 (CentOS)

Unnecessary open ports
File sharing ports open
Administration ports open
Database ports open

4 recommendations for improvement: https://webhint.io/scanner/78d6da89-0627-4623-b8ec-791b36e0cb5e
This low number of issues could lead to the assumption website was specifically created to abuse…

Unable to connect here: https://observatory.mozilla.org/analyze/157.230.214.179#ssh
Also consider this info: https://dazzlepod.com/ip/?ip_address=http%3A%2F%2F157.230.214.179 *
and this: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=MTU3LjIzMC4yMTQuMTc5~enc

Finally the VT results: Kaspersky detect: https://www.virustotal.com/#/url/8ae84bf6f178a29649f2aaf6d00e5382783921d1b2b40acd6f5fbdb64f089833/detection
Avast detects here: https://www.virustotal.com/#/file/d221870a49a0ab336dfa7d9387add53443e0a6a8ca4c0b6851830fb9d7652bfa/detection

IP scan downloaded files: https://www.virustotal.com/#/ip-address/157.230.214.179

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

All info from scans like these cannot and should not be used against the particular websites in question, this is offensive conduct.

Damian

polonus · March 2, 2019, 4:32pm

Dr.Web Security Space does not flag it…

Here it is not listed: Checking: -http://157.230.214.179/bins/apep.x86
Engine version: 7.0.34.11020
Total virus-finding records: 7513830
File size: 83.06 KB
File MD5: 3802fd9b541c4711d683408def246be2

-http://157.230.214.179/bins/apep.x86 - Ok (So actually Not OK).

Also checked here:

IP Address Information
Analysis Date 2019-03-02 11:30:42
Elapsed Time 4 seconds
Blacklist Status BLACKLISTED 7/114
IP Address 157.230.214.179 Find Sites | IP Whois
Reverse DNS Unknown
ASN AS14061
ASN Owner DigitalOcean, LLC
ISP Digital Ocean
Continent North America
Country Code Flag (US) United States
Latitude / Longitude 40.7185 / -74.0025 Google Map
City New York
Region New York
IP Blacklist Report
Engine Help
BlockedServersRBL More info
CBL_AbuseAt More info
MegaRBL More info
S5hbl More info
SURBL More info
AlienVault Reputation More info
IPSpamList More info Bold have it flagged…
Anti-Attacks BL More info
AntiSpam_by_CleanTalk More info
Autoshun More info
Backscatterer More info
BadIPs More info
Bambenek Consulting More info
Barracuda_Reputation_B… More info
BBcan177 (pfBlockerNG) More info
BinaryDefense Ban List More info
Blacklists_co More info
Blocklist.net.ua More info
BlockList_de More info
BloggingFusion BL More info
BlogSpamBL More info
Bogons_Team_Cymru More info
Booru BL More info
Botvrij.eu More info
Brute Force Blocker More info
Bytefarm_ch IP BL More info
C-APT-ure More info
CERT.gov.ge More info
CERT-PA More info
Charles Haley More info
CI Army List More info
CSpace Hostings IP BL More info
Cybercrime-tracker.net More info
CyberCure More info
Darklist.de More info
DataPlane.org More info
DNSBL_AbuseCH More info
DroneBL More info
EFnet_RBL More info
EmergingThreats More info
Ens160 SSH BL More info
Etnetera BL More info
Feodo Tracker More info
FSpamList More info
GPF DNS Block List More info
GreenSnow Blocklist More info
ImproWare Antispam More info
InterServer IP List More info
IPSum More info
Ip-finder.me More info
JustSpam_org More info
LAPPS Grid Blacklist More info
LashBack UBL More info
Log.Onoh.Info More info
Malc0de More info
MalwareDomainList More info
Matapala_org FW Log More info
MaxMind High Risk IPs More info
MKXT_NET SSH BL More info
Migniot SSH Bullies More info
Ms-ds-violation-ips More info
Myip.ms Blacklist More info
NEU SSH Black list More info
NiX_Spam More info
NoIntegrity BL More info
NordSpam More info
NoThink.org More info
Olegon Blocked IPs More info
Organized Villainy Sea… More info
Peter-s NUUG IP BL More info
PlonkatronixBL More info
PhishTank More info
Pofon_foobar_hu More info
ProjectHoneypot More info
PSBL More info
Ransomware Tracker More info
Redstout Threat IP lis… More info
Reuteras Scanning List… More info
Roquesor BL More info
Rutgers Drop List More info
S.S.S.H.I.A More info
SANYALnet Labs Mirai I… More info
Sblam More info
Scientific_Spam_BL More info
SCUMWARE More info
Shinmura BL More info
Snort IPFilter More info
SORBS More info
SpamCop More info
SpamEatingMonkeyBL More info
SpamRATS More info
SpyEye Tracker More info
SSL Blacklist More info
St Dominics Priory Col… More info
Stefan Gofferje More info
StopForumSpam More info
Suomispam_RBL More info
Swinog_DNSRBL More info
Taichung Education Cen… More info
TalosIntel IPFilter More info
Threat Crowd More info
Threat Sourcing More info
ThreatLog More info
Turris Greylist More info
URIBL More info
URLVir More info
USTC IP BL More info
VirBL More info
VXVault More info
WebIron_RBL More info
Websworld.org More info
WPBL More info
ZeuS Tracker More info
Xtream Codes BL More info

pol

polonus · March 9, 2019, 11:34pm

Two interesting chrome extensions I run inside Brave browser:
Javascript Errors Notifier
also check code by opening page in Browser with developer tools via Ctrl+Shift+I
Detected on this sitehttps://www.ninefornews.nl/
Re: ReferenceError: st_go is not defined
/:4181

Also work Retire.Js extension and on same page it flagged: jquery 1.8.3 Found in https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js
Vulnerability info:
Medium CVE-2012-6708 11290 Selector interpreted as HTML
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
all as retirable jQuery library.

Javascript could be at the root of a lot of malcode trouble, so check and doublecheck always,
especially when developing websites and maintaining websites.

Double check at: jquery 1.8.3 Found in https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js
Vulnerability info:
Medium CVE-2012-6708 11290 Selector interpreted as HTML 123
Medium 2432 3rd party CORS request may execute CVE-2015-9251 1234
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers

and also at the security part of the webhint scanner: https://webhint.io/scanner/
or validate here: https://codebeautify.org/jsvalidate

Good hunt, javascript de-buggers,

polonus (volunteer 3rd party cold reconnaissance website security analyzer and webite error-hunter)

P.S. Added is a txt file of messages and alerts in the developer’s console for a shodan page,
just skim over the contents.

Tests and other Media topics

Announcements