Tests and other Media topics

Check on IP for abuse…

Check IP for being a scam, random example: https://scamalytics.com/ip/194.33.61.33
while not having a bad rep here: https://ipremoval.sms.symantec.com/ipr/lookup

Blocklists: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/palo-alto-networks-malicious-ip-address-feeds
Deny-list look-up: https://apility.io/search/194.33.61.33

Enjoy, my good friends, enjoy,

polonus

L.S.

In this way we can also establish the % of found abuse on Tor-exit-nodes:
Check scamalytics.com/ip & apility.io/search/ & https://www.cyren.com/security-center/cyren-ip-reputation-check
& https://cleantalk.org/blacklists/78.46.73.176 (random example - blacklisted there)
against https://www.dan.me.uk/tornodes & https://www.bigdatacloud.com/insights/tor-exit-nodes
hourly updates: https://github.com/SecOps-Institute/Tor-IP-Addresses

% vary from 1 % (Hong-Kong, Singapore) to medium risk of under 45% of existing abuse.
also the web reputation of hosters/AS of such IPs should be taken into account here.

polonus
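
The cross-check described in the post above, a Tor exit-node list compared against reputation deny-lists to get the percentage of listed exits, as an added example that is not part of the original post. Both lists are constructed from documentation address ranges, and the function names are illustrative.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real nodes or listings).
TOR_EXITS = """\
# constructed exit-node list, one address per line
192.0.2.10
192.0.2.11
198.51.100.7
203.0.113.200
203.0.113.201
"""

BLOCKLIST = """\
# constructed deny-list: single addresses, CIDR ranges, comments, junk
192.0.2.10
198.51.100.0/24   ; whole range listed
203.0.113.201 # trailing comment
not-an-ip
"""


def _tokens(text):
    """Yield the first field of each non-empty, non-comment line."""
    for line in text.splitlines():
        for mark in "#;":  # both comment styles occur in public feeds
            line = line.split(mark, 1)[0]
        line = line.strip()
        if line:
            yield line.split()[0]


def parse_exits(text):
    """Return the set of addresses in an exit-node list."""
    exits = set()
    for tok in _tokens(text):
        try:
            exits.add(ipaddress.ip_address(tok))
        except ValueError:
            continue  # skip malformed lines instead of aborting
    return exits


def parse_blocklist(text):
    """Return (single addresses, networks) from a mixed IP/CIDR deny-list."""
    singles, networks = set(), []
    for tok in _tokens(text):
        try:
            net = ipaddress.ip_network(tok, strict=False)
        except ValueError:
            continue
        if net.prefixlen == net.max_prefixlen:
            singles.add(net.network_address)  # O(1) lookup for host entries
        else:
            networks.append(net)
    return singles, networks


def abuse_percentage(exit_text, blocklist_text):
    """Return (listed exits, total exits, percentage listed)."""
    exits = parse_exits(exit_text)
    singles, networks = parse_blocklist(blocklist_text)
    hits = {ip for ip in exits
            if ip in singles or any(ip in net for net in networks)}
    pct = 100.0 * len(hits) / len(exits) if exits else 0.0
    return len(hits), len(exits), round(pct, 1)


if __name__ == "__main__":
    print("listed=%d total=%d share=%.1f%%" % abuse_percentage(TOR_EXITS, BLOCKLIST))
```
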

Blocked by Trace - tracking blocking extension = -https://static.addtoany.com/*
blocked url-path = -hxtps://static.addtoany.com/menu/page.js
blocked host URL = -static.addtoany dot com
blocked root domain = addtoany dot com

https://cookiepedia.co.uk/host/.addtoany.com

Another resource has server problems at the moment and kicks up a 500 application error: https://webcookies.org/cookies/

polonus

Exploring info on a particular abuse IP: https://vulners.com/rst/RST:7CCC9BB6-0041-3A45-A211-8EBD315AF89F

This because of abuse mentioned here, a malware download reported:
https://urlhaus.abuse.ch/url/660405/

After 5 days re-analyzed and now 35 engines will detect this Mirai/elf/Mozi malcode: https://www.virustotal.com/gui/file/12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef/detection
Also see: https://www.virustotal.com/gui/file/12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef/relations

See new reports: https://www.virustotal.com/gui/file/12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef/community

Also consider: https://scamalytics.com/ip/118.172.176.41 - on host: https://urlhaus.abuse.ch/host/118.172.176.41/
Re: https://www.shodan.io/host/118.172.176.41 - no third party dependencies preventing

More particulars: https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt

Re: https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt

polonus

More threat IP info resources:

Starting here: https://blackip.ustc.edu.cn/sshrawlist.php?ip=37.49.226.220
Also: https://www.abuseipdb.com/check/37.49.226.220
and further historical records for that specific IP:
https://urlhaus.abuse.ch/url/372420/
https://badpackets.net/botnet-c2-detections/
listed also here: https://www.abuseat.org/iotcc.txt
medium fraud score of 11 given here: https://scamalytics.com/ip/37.49.226.220

polonus

We should scan for retirable (vulnerable or left) jQuery libraries using the Retire.JS extension or online here:
https://retire.insecurity.today/# (both from Erlend Oftedal)

A similar procedure should now also be undertaken for node.js also by Retire.JS because of malicious npm-packages that could open up a reverse shell like: plutov-slack-client, nodetest1010 and nodetest199 & npmpubman.

See: https://www.npmjs.com/snyk & http://snyk.github.io/docs/nodejs/
and https://developers.redhat.com/blog/2017/04/12/using-snyk-nsp-and-retire-js-to-identify-and-fix-vulnerable-dependencies-in-your-node-js-applications/

Gain insight into your website code with: Web Insight here: → webint.io
Not suspicious this example, but given just to show how it functions:
https://webint.io/result/73907b10-113b-11eb-9432-8f38c91f3c54
But it could also be used to scan suspicious websites. :wink:

polonus

Compare a number of different scan results:

  1. https://urlscan.io/result/8958dea1-7023-4e0d-8420-373a46498113/

  2. One could also scan through on the various code scan with this scan:
    https://webint.io/result/4f38f860-1156-11eb-a034-11f74c826a95

  3. Results of a DOM-XSS scan, just results: URL: -https://quiz.edusantosoficial.com.br/
    Number of sources found: 133
    Number of sinks found: 33

Results from scanning URL: -https://office.builderall.com/scripts/pixel/pixel-bundle.js
Number of sources found: 1
Number of sinks found: 1

Results from scanning URL: -https://office.builderall.com/scripts/pixel/pixel-bundle.js
Number of sources found: 8
Number of sinks found: 2

  1. Vulnerable JQuery libraries scanned: https://retire.insecurity.today/#!/scan/1dea67faabb7371d011f80e7f204bfd692e686194ddc6a2fbdc5bc3de142bddc

Vulners does not detect here. Host details: https://www.shodan.io/host/45.162.228.138

Tracker SSL - Website is insecure by default 100% of the trackers on this site could be protecting you from NSA snooping. Tell -edusantosoficial.com.br to fix it.

Identifiers | All Trackers
Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

-skhXXXXXXXXXXXqjfuors7ai8tf -quiz.edusantosoficial.com.brphpsessid
Tracking IDs could be sent safely if this site was secure.
Tracking IDs do not support secure transmission. Three Content Tracking Requests from facebook

  1. Second op check at: https://webcookies.org/url/omni - this for privacy and tracking implications.
Domain Control Validation: Issuer: Let's Encrypt Let's Encrypt Authority X3
  1. Compare with F-grade results here: https://observatory.mozilla.org/analyze/quiz.edusantosoficial.com.br

  2. See 251 improvement hints given here: https://webhint.io/scanner/496ed38c-3df4-4792-921b-0564d55746fe

  3. Given clear at this scan: http://isithacked.com/check/https%3A%2F%2Fquiz.edusantosoficial.com.br%2F

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

L.S.

See Erlend Oftedal’s resources: https://github.com/RetireJS/retire.js

What can the above information deliver? Well, insight into potentially vulnerable and sometimes exploitable code.
All depends on what security layers are available there on client and server (best policies applied)

A short partial example:

So we can scan for a vulnerability in retirable script like:

{Object.defineProperty(w.Event.prototype,e,{enumerable:!0,configurable:!0,get:g(t)?function(){if(this.originalEvent)return t(this.originalEvent)}:function(){if(this.originalEvent)return
like mentioned in https://nvd.nist.gov/vuln/detail/CVE-2019-11358
for hxtps://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Re: https://retire.insecurity.today/#!/scan/a9194e28e3a8b9a10562a80c8c47ea88967f4a09c469e3bb769cfdad7ead9c68
Considering: Results from scanning URL: -https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Number of sources found: 33
Number of sinks found: 10

But skimming code for this manually is a difficult task, that is why we have our DOM XSS scanners, error scanners, our sources and sinks.

polonus
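
How a version-based library scanner reaches a verdict like the one in the post above, as an added example that is not part of the original post and is not Retire.js's own code. The rule table is a constructed, simplified one; the "below 3.4.0" bound is the fixed version stated in the CVE-2019-11358 advisory, and the banner string and `cdn.example` URLs are constructed.

```python
import re

# Constructed, simplified rule: how to find the version, and which versions are affected.
RULES = {
    "jquery": {
        "uri": re.compile(r"/jquery/(\d+\.\d+\.\d+)/jquery[\w.-]*\.js", re.I),
        "banner": re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)"),
        "vulnerabilities": [{"below": "3.4.0", "id": "CVE-2019-11358"}],
    }
}

# URL as quoted (defanged) in the post, plus a constructed file banner.
PAGE_URL = "hxtps://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js"
BANNER = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */"


def _ver(text):
    """Turn '3.3.1' into (3, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def detect_version(rule, url, content=None):
    """Return (version, evidence). The banner inside the file wins over the URL,
    because a path can be renamed or copied while the banner ships with the code."""
    if content:
        match = rule["banner"].search(content[:2048])
        if match:
            return match.group(1), "banner"
    match = rule["uri"].search(url)
    if match:
        return match.group(1), "uri"
    return None, None


def scan(url, content=None):
    """Return a list of (library, version, evidence, advisory id) findings."""
    findings = []
    for name, rule in RULES.items():
        version, evidence = detect_version(rule, url, content)
        if version is None:
            continue
        for vuln in rule["vulnerabilities"]:
            if _ver(version) < _ver(vuln["below"]):
                findings.append((name, version, evidence, vuln["id"]))
    return findings


if __name__ == "__main__":
    print(scan(PAGE_URL))
    # A patched-looking path that actually serves an old file is still flagged.
    print(scan("https://cdn.example/jquery/3.5.1/jquery.min.js", BANNER))
```
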

For websites that have a Content Security Policy, this has often not been configured to follow so-called best policies.

There is an extension for the browser, CSP Evaluator to check on this.
One could also do this online.

Example: https://cspvalidator.org/#url=https://www.ad.nl/
CSP Evaluator gives:

Evaluated CSP as seen by a browser supporting CSP Version 3

[error] default-src
[error] https:
https: URI in default-src allows the execution of unsafe scripts.
[check] blob:

[error] script-src
[error] 'unsafe-inline'
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
[help_outline] 'unsafe-eval'
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
[error] https:
https: URI in script-src allows the execution of unsafe scripts.

Error on opening screen where there is no CSP installed for
-Error fetching CSP policies from https://myprivacy.dpgmedia.nl/consent/?siteKey=V9f6VUvlHxq9wKIN&callbackUrl=https%3A%2F%2Fwww.ad.nl%2Fprivacy-gate%2Faccept-tcf2%3FredirectUri%3D%252f received from https://myprivacy.dpgmedia.nl/: 400 Bad Request

And also check online here: https://csp-evaluator.withgoogle.com/

pol
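
The three findings quoted in the post above (a bare `https:` source, 'unsafe-inline' and 'unsafe-eval'), reproduced as a small policy check. This is an added example, not part of the original post and not CSP Evaluator's own code; the `WEAK` and `HARDENED` policies are constructed, with `WEAK` modelled on the quoted findings only.

```python
import re

NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.I)
BROAD_SOURCES = ("https:", "http:", "data:", "*")

# Constructed policies (the real header of the evaluated site is not on the page).
WEAK = "default-src https: blob:; script-src 'unsafe-inline' 'unsafe-eval' https:"
HARDENED = ("default-src 'self'; object-src 'none'; "
            "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:")


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def evaluate_csp(header):
    """Return (directive, source, reason) findings for script execution risks."""
    policy = parse_csp(header)
    checked = [d for d in ("default-src", "script-src") if d in policy]
    if not checked:
        # Without script-src there is no default-src fallback either.
        return [("script-src", None, "no script-src or default-src: scripts unrestricted")]
    findings = []
    for directive in checked:
        sources = [s.lower() for s in policy[directive]]
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
        strict_dynamic = "'strict-dynamic'" in sources
        for src in sources:
            if src in BROAD_SOURCES:
                # With 'strict-dynamic', CSP3 browsers ignore scheme and host sources.
                if not strict_dynamic:
                    findings.append((directive, src, "allows scripts from any matching host"))
            elif src == "'unsafe-inline'":
                # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
                if not has_nonce_or_hash:
                    findings.append((directive, src, "allows in-page scripts and event handlers"))
            elif src == "'unsafe-eval'":
                findings.append((directive, src, "allows eval()-style string execution"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, evaluate_csp(policy))
```
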

On the look-out for DNS sub-domains for a known malware domain?

Combine: (random example): https://urlhaus.abuse.ch/url/718410/
with https://securitytrails.com/domain/mituskicrafts.com/dns
and check here: https://www.dnssy.com/report.php

The web server appears to reveal version information. This can pose a security risk if vulnerabilities are identified in this version. You should consider disabling version information in your server configuration.

Compare to info here: https://host.io/mituskicrafts.com
Check at: https://dnsdumpster.com/ & https://subdomainfinder.c99.nl/ (finds Cloudflare abuse).
Whois info is redacted for privacy (or to hide abuse?).

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

SHA1 insecurity

Here one can check all sorts of files against a so-called collision attack: https://shattered.io/
The test has been developed in cooperation with the Dutch CWI (Centrum voor Wiskunde & Informatica).
Also Google developers were involved.

Within most modern browsers like Google Chrome and also inside the Firefox browser,
we have been protected against insecure TLS/SSL certificates over the last three years.

Only it is a pity that whenever you will download Firefox browser,
the signature over that particular binary still exclusively will make use of insecure SHA1.

Get the checksum from the master repro and the actual download from a fast mirror.
Normally files now come digitally signed.

Now consider the above check as a checking method against silent file corruption,
so also with a digital file signature you could check at shattered.io,

Enjoy, my good friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

SSL-check crawl https websites for insecure content:
http://ssl-checker.online-domain-tools.com/
No longer secure and available: -http://ssl-checker.online-domain-tools.com/

Another one: https://www.cdn77.com/tls-test

polonus

EFF has launched a new tool to test the tracking protection of your browser with:
https://coveryourtracks.eff.org/

Coveryourtracks comes after Panopticlick was developed 10 years ago.
Read: https://www.eff.org/deeplinks/2017/11/panopticlick-30

Enjoy in your browser of choice,

polonus

Thanks for sharing Damian, according to the test my browser setup is safe. 8)

Cisco: Emotet-malware now in over 200 countries.
Resources: https://any.run/malware-trends/emotet & https://feodotracker.abuse.ch/browse/

Example IP: https://www.shodan.io/host/24.101.229.82
Site report: https://sitereport.netcraft.com/?url=dynamic-acs-24-101-229-82.zoominternet.net
Confirmed: https://www.virustotal.com/gui/ip-address/24.101.229.82/community

Another two resources for TrickBot: https://novasense-threats.com/lookup/79.110.52.103#submenu
and/= https://pulsedive.com/threat/?tid=26
Also see: https://paste.cryptolaemus.com/emotet/2020/11/20/emotet-C2-Deltas-1200-1700_11-20-20.html

polonus

Various resources used at covert.io threat intelligence:

IOC Repositories
These repos contain threat intelligence generally updated manually when the respective orgs publish threat reports.

https://github.com/aptnotes/data
https://github.com/citizenlab/malware-indicators
https://github.com/da667/667s_Shitlist
https://github.com/eset/malware-ioc
https://github.com/fireeye/iocs
https://github.com/Neo23x0/signature-base/tree/master/iocs
https://github.com/pan-unit42/iocs
https://github.com/stamparm/maltrail/tree/master/trails/static/malware
https://github.com/stamparm/maltrail/tree/master/trails/static/suspicious
IOC Feeds
These URLs are data feeds of various types from scanning IPs from honeypots to C2 domains from malware sandboxes, and many other types. They were compiled from several sources, including (but not limited to): 1, 2, 3, 4, 5, 6. They are in alphabetical order.

http://antispam.imp.ch/wormlist
http://app.webinspector.com/recent_detections
http://atrack.h3x.eu/api/asprox_suspected.php
http://autoshun.org/files/shunlist.csv
http://blocklist.greensnow.co/greensnow.txt
http://botscout.com/last.htm
http://botscout.com/last_caught_cache.htm
http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
http://cinsscore.com/list/ci-badguys.txt
http://cybercrime-tracker.net/all.php
http://cybercrime-tracker.net/ccam.php
http://cybercrime-tracker.net/ccpmgate.php
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
http://data.netlab.360.com/feeds/dga/dga.txt
http://data.netlab.360.com/feeds/ek/magnitude.txt
http://data.netlab.360.com/feeds/ek/neutrino.txt
http://data.netlab.360.com/feeds/mirai-scanner/scanner.list
http://data.phishtank.com/data/online-valid.csv
http://dns-bh.sagadc.org/dynamic_dns.txt
http://feeds.dshield.org/top10-2.txt
http://hosts-file.net/?s=Browse&f=2014
http://labs.snort.org/feeds/ip-filter.blf
http://labs.sucuri.net/?malware
http://lists.blocklist.de/lists/all.txt
http://malc0de.com/bl/BOOT
http://malc0de.com/bl/IP_Blacklist.txt
http://malc0de.com/rss/
http://malwaredb.malekal.com/
http://malwaredomains.lehigh.edu/files/domains.txt
http://malwareurls.joxeankoret.com/normal.txt
http://mirror2.malwaredomains.com/files/immortal_domains.txt
http://mirror2.malwaredomains.com/files/justdomains
http://multiproxy.org/txt_all/proxy.txt
http://openphish.com/feed.txt
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
http://osint.bambenekconsulting.com/feeds/c2-masterlist.txt
http://osint.bambenekconsulting.com/feeds/dga-feed.txt
http://ransomwaretracker.abuse.ch
http://report.rutgers.edu/DROP/attackers
http://reputation.alienvault.com/reputation.data
http://rules.emergingthreats.net/blockrules/emerging-ciarmy.rules
http://rules.emergingthreats.net/blockrules/emerging-compromised.rules
http://rules.emergingthreats.net/fwrules/emerging-PF-CC.rules
http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
http://sblam.com/blacklist.txt
http://support.clean-mx.de/clean-mx/xmlviruses.php
http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
http://tracker.h3x.eu/api/sites_1day.php
http://virbl.org/download/virbl.dnsbl.bit.nl.txt
http://vmx.yourcmc.ru/BAD_HOSTS.IP4
http://vxvault.net/URL_List.php
http://vxvault.siri-urz.net/URL_List.php
http://vxvault.siri-urz.net/ViriList.php
http://www.autoshun.org/files/shunlist.csv
http://www.blocklist.de/lists/apache.txt
http://www.blocklist.de/lists/asterisk.txt
http://www.blocklist.de/lists/bots.txt
http://www.blocklist.de/lists/courierimap.txt
http://www.blocklist.de/lists/courierpop3.txt
http://www.blocklist.de/lists/email.txt
http://www.blocklist.de/lists/ftp.txt
http://www.blocklist.de/lists/imap.txt
http://www.blocklist.de/lists/ircbot.txt
http://www.blocklist.de/lists/pop3.txt
http://www.blocklist.de/lists/postfix.txt
http://www.blocklist.de/lists/proftpd.txt
http://www.blocklist.de/lists/sip.txt
http://www.blocklist.de/lists/ssh.txt
http://www.botvrij.eu/data/ioclist.url
http://www.ciarmy.com/list/ci-badguys.txt
http://www.dshield.org/ipsascii.html?limit=10000
http://www.falconcrest.eu/IPBL.aspx
http://www.joewein.net/dl/bl/dom-bl-base.txt
http://www.joewein.net/dl/bl/dom-bl.txt
http://www.malware-traffic-analysis.net
http://www.malwareblacklist.com/showAllMalwareURL.php?userName=Guest&sessionID=&downloadOption=0
http://www.malwaredomainlist.com/hostslist/ip.txt
http://www.malwaredomainlist.com/updatescsv.php
http://www.malwaregroup.com/ipaddresses
http://www.michaelbrentecklund.com/whm-cpanel-cphulk-banlist-whm-cpanel-cphulk-blacklist/
http://www.mirc.com/servers.ini
http://www.nothink.org/blacklist/blacklist_malware_dns.txt
http://www.nothink.org/blacklist/blacklist_malware_http.txt
http://www.nothink.org/blacklist/blacklist_malware_irc.txt
http://www.nothink.org/blacklist/blacklist_snmp_2015.txt
http://www.nothink.org/blacklist/blacklist_ssh_day.txt
http://www.projecthoneypot.org/list_of_ips.php
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
http://www.stopforumspam.com/downloads/listed_ip_1_all.zip
http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt
http://www.urlvir.com/export-hosts/
http://www.voipbl.org/update/
https://atlas.arbor.net/summary/domainlist
https://dataplane.org/sshclient.txt
https://dataplane.org/sshpwauth.txt
https://disconnect.me/lists/malvertising
https://disconnect.me/lists/malwarefilter
https://dragonresearchgroup.org/insight/sshpwauth.txt
https://dragonresearchgroup.org/insight/vncprobe.txt
https://feodotracker.abuse.ch
https://github.com/stamparm/maltrail/blob/master/trails/static/mass_scanner.txt
https://gitlab.com/ZeroDot1/CoinBlockerLists/blob/master/list.txt
https://isc.sans.edu/feeds/daily_sources
https://isc.sans.edu/feeds/suspiciousdomains_High.txt
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://isc.sans.edu/feeds/topips.txt
https://isc.sans.edu/ipsascii.html
https://lists.malwarepatrol.net/cgi/getfile?receipt=f1417692233&product=8&list=dansguardian
https://malc0de.com/bl/ZONES
https://malsilo.gitlab.io/feeds/dumps/url_list.txt
https://malwared.malwaremustdie.org/rss.php
https://malwared.malwaremustdie.org/rss_bin.php
https://malwared.malwaremustdie.org/rss_ssh.php
https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt
https://onionoo.torproject.org/details?type=relay&running=true
https://palevotracker.abuse.ch
https://paste.cryptolaemus.com/feed.xml
https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset
https://raw.githubusercontent.com/futpib/policeman-rulesets/master/examples/simple_domains_blacklist.txt
https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-c2-iocs.txt
https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules
https://secure.dshield.org/ipsascii.html?limit=1000
https://sslbl.abuse.ch
https://techhelplist.com/maltlqr/reports/dyreza.txt
https://techhelplist.com/pastes
https://techhelplist.com/spam-list
https://threatfeeds.io/
https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
https://urlhaus.abuse.ch/downloads/csv/
https://www.badips.com/get/list/any/2?age=7d
https://www.circl.lu/doc/misp/feed-osint/
https://www.dan.me.uk/torlist/
https://www.hidemyass.com/vpn-config/l2tp/
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://www.maxmind.com/en/anonymous_proxies
https://www.maxmind.com/en/high-risk-ip-sample-list
https://www.openbl.org/lists/base.txt
https://www.openbl.org/lists/base_all_ftp-only.txt
https://www.openbl.org/lists/base_all_http-only.txt
https://www.openbl.org/lists/base_all_smtp-only.txt
https://www.openbl.org/lists/base_all_ssh-only.txt
https://www.packetmail.net/iprep.txt
https://www.packetmail.net/iprep_CARISIRT.txt
https://www.packetmail.net/iprep_ramnode.txt
https://www.trustedsec.com/banlist.txt
https://www.turris.cz/greylist-data/greylist-latest.csv
https://zeustracker.abuse.ch

Also interesting (example): https://firewallban.dynu.net/search.php?submit=Search&search=2.57.122.96

Search engine to search for script snippet examples: https://publicwww.com/?q=

enjoy, my good friends, enjoy and have a good week,

polonus

L.S.

If your origin servers are exposed attackers can attack them directly and bypass any sort of protection you may have. Many large CDN companies have bad design which allows for serious security vulnerabilities.

Check website here: https://bitmitigate.com/origin-exposure-test.html?name=

polonus

Check your access control to guarantee a secure connection between website and webserver behind it. Or you could find yourself in such a situation, where you find direct access to

{"099.php":{"aliases":{},"mappings":{},"settings":{"index":{"creation_date":"1606435124551","uuid":"BJaLkowESMCNLZr4WAlEHg","number_of_replicas":"1","number_of_shards":"5","version":{"created":"2030399"},"ajax":"true&a=Php&p1=die(@md5(S3pt3mb3r));"}},"warmers":{}}}
from a particular Rackspace IP address ending in /099.php ... (weak PHP example found with Shodan.io)

A scan with the webbug tool produces this information:

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2020 04:00:05 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 320
Access-Control-Allow-Origin: *
Connection: close

{
  "name" : "Super Sabre",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "218bdf10790eef486ff2c41a3df5cfa32dadcfde",
    "build_timestamp" : "2016-05-17T15:40:04Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}

Attackers may use various special search methods on Google (so-called dorks) and queries on shodan.io to find low hanging fruit on the Interwebz to compromise and worse.
Be the first party to scan, as malcreants may already have scanned you.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Another fine resources site lost to us?

Not to be reached - isithacked.com - scan site to look at signs of Cloaking, spammy links etc.
Has it now also been discontinued? Re: https://mxtoolbox.com/SuperTool.aspx?action=mx%3Aisithacked.com&run=toolpage
Re: https://sitereport.netcraft.com/?url=http%3A%2F%2Fwww.isithacked.com
https://www.virustotal.com/gui/ip-address/107.170.38.188/relations

What happened at the hoster, Digitalocean? Anyone.

polonus

Improving DNS Privacy with Oblivious DNS:
https://blog.cloudflare.com/oblivious-dns/


polonus