Very helpful in fighting scams:
https://www.scam-detector.com/
Also use the website validator there.
polonus
94.7% of websites will not honor your cookie preferences.
One could therefore install this extension to get rid of cookies that you do not want to allow in.
https://chrome.google.com/webstore/detail/cookieblock/fbhiolckidkciamgcobkokpelckgnnol?hl=en
See: https://karelkubicek.github.io/post/cookieblock
polonus
Code page search engine, example → https://publicwww.com/websites/caf.js/
Or in the case of this cloaking parked-website adsense ad-campaign:
https://publicwww.com/websites/parking.bodiscdn.com/
Then search on here: https://intelx.io/?s=+http%3A%2F%2Fww1.torrent9.bz%2F
Enjoy, my good friends,
polonus
With such specific search engines there is a possibility to search for malware code snippets, like those of Mirai bot malware or bitcoin darknet, so we searched for bins/ppc (pay per click), found at URLhaus → https://urlhaus.abuse.ch/browse/
See results: https://publicwww.com/websites/bins%2Fppc/ 359 webpages in all, waiting to be analyzed.
Also see this for bin/sh mips/Mozi/elf malware: https://publicwww.com/websites/bin%2Fsh/
But mind, not all results will answer to what we are searching for; we have to discriminate.
Or we have to sign up for paid results, in the case of a search for bins/arm6 depth:all
Also more here: https://www.guardicore.com/botnet-encyclopedia/bins/
polonus
Investigating banned crawl.baidu.com for the Baidu spider:
https://www.fortypoundhead.com/botinfo.asp?rid=153
https://www.fortypoundhead.com/tools_ipcheck_detail.asp?banid=567174
https://rdnsdb.com/116.179.32.0/24
and https://publicwww.com/websites/crawl.baidu.com/
polonus
Why is this site not given as insecure here, as Google Safe Browsing does?
Re: htxps://lb.larevet.net/ → https://dnslytics.com/ip/147.78.144.6
Missed here: https://www.virustotal.com/gui/url/58e823564e976ab653a4e5d47d17b9b49aac1d26f784e5682f33d1935056b7da
Connection is not private:
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: *.geneanet dot org (do not go there, as Avast flags this as a phishing site!).
Issuer: Gandi Standard SSL CA 2
Expires on: 11 mar 2023
Current date: 28 mar 2022
PEM encoded chain:
-----BEGIN CERTIFICATE-----
MIIGMzCCBRugAwIBAgIRAJnvRbQbrOGRT5BHeHYJAgYwDQYJKoZIhvcNAQELBQAw
XzELMAkGA1UEBhMCXXXXXXXXXXXXXXXXXXXXcmlzMQ4wDAYDVQQHEwVQYXJpczEO
MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCBDQSAy
polonus
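The NET::ERR_CERT_COMMON_NAME_INVALID above comes from the browser comparing the host it was asked for (lb.larevet.net) with the DNS names the served certificate carries (*.geneanet.org). The following is an added example of that comparison, not code from the post or from any browser; the host and names are the ones shown above, while the certificate object is a constructed stand-in (its SAN list is an assumption) rather than the real PEM chain.

```javascript
'use strict';
// Added example, not from the forum post: reproduce the browser's hostname
// check that produced NET::ERR_CERT_COMMON_NAME_INVALID. The host and the
// certificate names come from the post; the cert object is a constructed
// stand-in, not the real PEM chain.

const LABEL_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;

// Compare one DNS name from a certificate with the requested host, following
// RFC 6125: case-insensitive, label by label; '*' is honoured only as the whole
// left-most label, matches exactly one label, and (a simplification of browser
// policy) must leave at least two fixed labels, so '*.org' matches nothing.
function hostnameMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  const p = pattern.toLowerCase().replace(/\.$/, '').split('.');
  if (h.length !== p.length || h.length < 2) return false;
  return p.every((label, i) => {
    if (label === '*') return i === 0 && p.length >= 3 && LABEL_RE.test(h[i]);
    return LABEL_RE.test(label) && label === h[i];
  });
}

// DNS names the certificate actually presents. Browsers read only the
// Subject Alternative Name extension; the Subject CN is ignored (Chrome since
// version 58), so a wildcard that lives only in the CN fails the same way.
function presentedNames(cert) {
  return (cert.subjectaltname || '')
    .split(',')
    .map(s => s.trim())
    .filter(s => s.startsWith('DNS:'))
    .map(s => s.slice(4));
}

// The decision the browser makes before it shows "Connection is not private".
function checkServerIdentity(host, cert) {
  const names = presentedNames(cert);
  const matched = names.find(n => hostnameMatches(host, n));
  if (matched) return { ok: true, host, matched };
  return { ok: false, code: 'NET::ERR_CERT_COMMON_NAME_INVALID', host, names };
}

// Constructed stand-in for the certificate the post shows; the SAN list is an
// assumption (a wildcard cert normally also carries the bare apex name).
const GENEANET_CERT = {
  subject: { CN: '*.geneanet.org' },
  issuer: { CN: 'Gandi Standard SSL CA 2' },
  subjectaltname: 'DNS:*.geneanet.org, DNS:geneanet.org',
};

if (typeof require === 'function' && require.main === module) {
  console.log(checkServerIdentity('lb.larevet.net', GENEANET_CERT));
  console.log(checkServerIdentity('www.geneanet.org', GENEANET_CERT));
}
```

The `subjectaltname` string has the same shape that Node's `socket.getPeerCertificate()` returns, and Node's own `tls.checkServerIdentity(hostname, cert)` performs the real version of this check; the point here is that a name mismatch is reported as a "common name" error regardless of whether the certificate itself is valid, which is why a phishing-flagged wildcard certificate can turn up on an unrelated host.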
Resources to search: https://maltiverse.com/search;query=lb01.parklogic.com;page=1;sort=creation_time_desc
Searching using a known malicious address query (do not click any links to malware): https://maltiverse.com/search;query=alibiaba.bugs3.com;page=2;sort=creation_time_desc
and then stumbling unto this malware analysis: https://maltiverse.com/url/c14b2080fbe8d03f30d4030d00e6da522533fe4e276d2387cb52ca0942748fd1
polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
Genuine scansite or just to get clickbait?
Re: https://www.scamvoid.net/check/qanator.com/ (not flagged as a scam).
Not flagged here either: https://www.virustotal.com/gui/url/66ea09f3b796804db46fbb98b33e1513b60c8fbc12e403ff28ea36925e4e3114
See: bootstrap 4.0.0-beta found in -https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/js/bootstrap.min.js
Vulnerability info: Medium, XSS is possible in the data-target attribute. CVE-2016-10735
Functioning in the browser according to console info:
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
VM210:81 audioblocktrue
VM210:130 canvasfont = true
qanator.com/:1 Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist.
qanator.com/:1 Failed to find a valid digest in the ‘integrity’ attribute for resource ‘-https://code.jquery.com/jquery-3.2.1.slim.min.js’ with computed SHA-256 integrity ‘hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=’. The resource has been blocked.
qanator.com/:1 Failed to find a valid digest in the ‘integrity’ attribute for resource ‘-https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.11.0/umd/popper.min.js’ with computed SHA-256 integrity ‘/ijcOLwFf26xEYAjW75FizKVo5tnTYiQddPZoLUHHZ8=’. The resource has been blocked.
bootstrap.min.js:6 Uncaught Error: Bootstrap’s JavaScript requires jQuery. jQuery must be included before Bootstrap’s JavaScript.
at bootstrap.min.js:6
dD.js:1467
(unknown) Settings loaded…
intercept.js:1 Filter Running…
qanator.com/:1 Unchecked runtime.lastError: The message port closed before a response was received.
DevTools failed to load SourceMap: Could not load content for chrome-extension://gegfpbhjnhegdnjdkghhnneaocdbbhjp/firefox/browser-polyfill.min.js.map: HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME
Probably not functioning because blocked by Cloudflare for being behind a DigitalOcean proxy from London City.
polonus
Maltiverse - versatile resources:
Here we will find various collections:
https://maltiverse.com/url/131adc8b091ddae67842065614a663af6dc7b42fceb3bef55841667b8639a578
Can be combined with other resources as https://urlhaus.abuse.ch/
Here in this case just for researchers only: -https://github.com/HynekPetrak/javascript-malware-collection
(Do not venture out there…)
polonus
Checking on the latest bad events from other resources: https://www.projecthoneypot.org/list_of_ips.php
Example: https://www.abuseipdb.com/check/134.119.216.167
Attacker engaged in SQL-injection attacks.
Also reported here manifold: https://ip-46.com/134.119.216.167
polonus
Also interesting to check on (spam) mail-harvesters, random example starting here: https://www.projecthoneypot.org/ip_46.4.55.55
Then checked on associated IP, 136.144.41.200 -
https://www.abuseipdb.com/check/136.144.41.200
https://www.psbl.org/listing?ip=136.144.41.200
https://multirbl.valli.org/detail/score.spfbl.net.html
https://maltiverse.com/ip/136.144.41.200
https://www.shodan.io/host/136.144.41.200
For users with a special interest in the subject of spam:
https://forum.spamcop.net/topic/47073-serverion-spam-factory-review/
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Torry.io, the Tor Anonymous View search engine,
random query example: https://tor.torry.io/index.php?q=
Any downcasts in mapping the Tor-driven landscape? Can also be used as an extension inside the Google Chrome browser,
and similar browser types. Whenever the search engine is too-good-to-be-true anonymous searching, then it likely is.
Anyone? I see a link to -hs.qacono.com,
polonus
Could this be an alternative to the once WOT service?
Random example: https://www.scamdoc.com/view/877444
pol
Even Sucuri’s website scan page does not have a best-policy CSP.
Issues (source: CSP Scanner Chrome extension info…):
CSP Validity: Valid
XSS: No CSP Protection
Clickjacking: No CSP Protection
Formjacking: No CSP Protection
General: Basic CSP Protection
Summary: 11 Fatal Errors, 12 Warnings, 5 Info, 1 Valid
Content Security Policy (CSP) found: upgrade-insecure-requests;
(Report Only CSP / Enforced CSP)
General
report-uri: Add the ‘report-uri’ directive to receive violation reports. Set up a free report-uri at RapidSec.
form-action: In order to add Formjacking protection, either ‘form-action’ or ‘base-uri’ should be strictly defined. This directive does not fall back to ‘default-src’. Can you restrict ‘form-action’ to ‘none’ or ‘self’?
Necessary Directives
default-src: ‘default-src’ is missing. Add it for more fine-grained control and reporting.
base-uri: In order to add Formjacking protection, either ‘form-action’ or ‘base-uri’ should be strictly defined. Missing ‘base-uri’ allows the injection of base tags that set the base URL for all relative URLs. Used in XSS as CSP bypasses on the ‘script-src’ directive, and in Formjacking attacks, routing forms to an attacker-controlled domain. Can you set it to ‘none’ or ‘self’?
frame-ancestors: In order to add Clickjacking protection, either ‘frame-ancestors’, ‘frame-src’ or ‘child-src’ should be strictly defined. The ‘frame-ancestors’ directive is more powerful and flexible than X-Frame-Options, and considered necessary in order to properly prevent Clickjacking attacks. Can you restrict ‘frame-ancestors’ to ‘none’ or ‘self’? The stricter ‘frame-ancestors’, ‘frame-src’ and ‘child-src’ are (‘self’, ‘none’ or a strict path allowlist), the stronger the Clickjacking protection.
upgrade-insecure-requests: set (the only directive present).
Scripting Directives
script-src: In order to add XSS protection, ‘script-src’ should be strictly defined. ‘script-src’ is missing and recommended to increase XSS protection. Can you set ‘none’ or a specific file/path?
style-src: ‘style-src’ is missing and recommended to increase general protection. Can you set ‘none’ or a specific file/path?
object-src: Missing ‘object-src’ allows the injection of plugins which can execute JavaScript. Can you set it to ‘none’ or ‘self’?
worker-src: ‘worker-src’ is missing and recommended to increase overall strength. It specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. Can you set ‘none’ or a specific file/path?
Frames Directives
child-src and frame-src: In order to add Clickjacking protection, either ‘frame-ancestors’, ‘frame-src’ or ‘child-src’ should be strictly defined. The stricter these are (‘self’, ‘none’ or a strict path allowlist), the stronger the Clickjacking protection. For backward compatibility, both ‘child-src’ and ‘frame-src’ should exist in order to protect against Clickjacking, Formjacking, Data Exfiltration and more.
Content Directives
img-src and connect-src: In order to add general protection, either ‘img-src’ or ‘connect-src’ should be strictly defined. Both are missing. Add them for more fine-grained control and reporting.
font-src, manifest-src, media-src, prefetch-src: missing. Add them for more fine-grained control and reporting.
polonus
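The scanner findings above all derive from one fact: the page sends a single directive, upgrade-insecure-requests, and everything else is absent, with base-uri, form-action and frame-ancestors not even inheriting from default-src because those directives never fall back. The evaluator below is an added example, not the CSP Scanner extension's or Sucuri's code; it parses a policy with the CSP3 fallback rules and reproduces the three headline verdicts (XSS, Clickjacking, Formjacking) plus the list of missing directives. The hardened policy at the bottom is an assumption written for illustration, not something Sucuri ships.

```javascript
'use strict';
// Added example, not the CSP Scanner extension's own code: a small evaluator
// that reproduces the kind of findings listed above, using CSP3 fallback rules.
// HARDENED_CSP is an assumption written for illustration, not Sucuri's policy.

// Directives that never fall back to default-src.
const NO_FALLBACK = new Set(['base-uri', 'form-action', 'frame-ancestors', 'sandbox',
  'report-uri', 'report-to', 'upgrade-insecure-requests']);
const FETCH = ['script-src', 'style-src', 'object-src', 'img-src', 'connect-src',
  'font-src', 'media-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src'];

// Serialized policy -> Map(directive -> source list). Per the spec a repeated
// directive is ignored after its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Source list that actually governs a directive, after fallbacks:
// frame-src/worker-src -> child-src -> default-src; null if nothing applies.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (NO_FALLBACK.has(directive)) return null;
  if (directive === 'frame-src' || directive === 'worker-src') return effectiveSources(policy, 'child-src');
  return policy.has('default-src') ? policy.get('default-src') : null;
}

// "Strictly defined" here means: present, and free of the sources that make
// a directive meaningless (*, 'unsafe-inline', 'unsafe-eval', bare schemes).
function isStrict(sources) {
  return Array.isArray(sources) && sources.length > 0 &&
    sources.every(s => !/^(\*|'unsafe-inline'|'unsafe-eval'|(https?|data|blob|filesystem):)$/i.test(s));
}

function evaluateCsp(header) {
  const policy = parseCsp(header);
  const eff = d => effectiveSources(policy, d);
  const missing = ['default-src', ...FETCH, 'base-uri', 'form-action', 'frame-ancestors', 'report-uri']
    .filter(d => eff(d) === null);
  return {
    // XSS needs script-src locked down and object-src closed (plugins run script).
    xss: isStrict(eff('script-src')) && isStrict(eff('object-src')),
    clickjacking: isStrict(eff('frame-ancestors')),
    // The scanner's rule: either form-action or base-uri, strictly set.
    formjacking: isStrict(eff('form-action')) || isStrict(eff('base-uri')),
    missing,
  };
}

// The policy the post reports on Sucuri's page, and an assumed hardened one.
const OBSERVED_CSP = 'upgrade-insecure-requests;';
const HARDENED_CSP = [
  "default-src 'none'", "script-src 'self' 'nonce-r4nd0m'", "style-src 'self'",
  "img-src 'self' data:", "connect-src 'self'", "font-src 'self'", "object-src 'none'",
  "base-uri 'self'", "form-action 'self'", "frame-ancestors 'none'",
  'upgrade-insecure-requests', 'report-uri https://csp.example.invalid/report',
].join('; ');

if (typeof require === 'function' && require.main === module) {
  console.log(evaluateCsp(OBSERVED_CSP));
  console.log(evaluateCsp(HARDENED_CSP));
}
```

Note what `default-src 'self'` alone does and does not buy: script-src, object-src and the frame directives inherit it, but base-uri, form-action and frame-ancestors stay undefined, which is exactly why the scanner treats those three as separate findings.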
Tested forum.avast.com at The Markup,
and no tracking found, but user data are being sent to Google Analytics.
Adblockers will block this.
See: https://themarkup.org/blacklight?url=forum.avast.com
Site is non-indexable, links on the page are followed.
No unsafe content being detected, no iframe redirections, no encoded JS,
no external domain requests, no trackers.
polonus
Sometimes one has to combine resources, like here on this Crimson RAT Malware:
https://urlhaus.abuse.ch/url/2228451/ and https://any.run/malware-trends/crimson
and https://www.shodan.io/host/64.188.25.143
This while only 3 vendors detect this here: https://www.virustotal.com/gui/url/022eb1cfa39cf0b2f63fef31c878545716b766c2cd37d59d61e8cc93d876259e
Blacklisted by McAfee: https://sitecheck.sucuri.net/results/64.188.25.143/day.txt
All this abuse despite a very strict abuse policy from -static.quadranet dot com.
Not yet reported here, but similar to spam and scam reported for this IP:
https://www.abuseipdb.com/check/64.188.2.110 @ quadranet dot com.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Tracking information -
Re: https://confection.io/trackers/eu-eb2-3lift-com/
Re: https://www.joesandbox.com/analysis/257195/0/html
polonus
And again we have lost a fine initiative for checking on bad IPs at -https://ip-46.com/feeds,
as that service was discontinued quite recently, a site where I personally reported many a bad IP feed.
We still have this (random example): https://www.abuseipdb.com/check/82.174.251.216
and various other resources, but we have lost quite some valuable evaluation resources over time,
also because these resources came under continuous attack from malcreants/cybercriminals,
or they did not get the support to pay for the “wires” and server service. A pity really.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Here we will take scan results from three different scan sources.
On the malcode detection of Remcos RAT: https://urlhaus.abuse.ch/url/2243687/
Then the according VT report: https://www.virustotal.com/gui/url/6f4bf2ffc13b812ff7cc353c8e6d310c038e9ea2fc38ce026d9807e3363df782
with three AV vendors flagging this malcode.
This website loads trackers on your computer that are designed to evade third-party cookie blockers.
Canvas fingerprinting was detected on this website. This technique is designed to identify users even if they block third-party cookies. It can be used to track users’ behavior across sites. This technique was used by six percent of popular sites when we scanned them in September 2020.
Blacklight detected a script loaded from filebin.net doing this on this site.
It secretly draws the following image on your browser when you visit this website for the purpose of identifying your device.
However… https://themarkup.org/blacklight?url=filebin.net →
While Blacklight accurately detects the presence of canvas fingerprinting on a website, it cannot determine if the purpose is user behavior monitoring or for fraud prevention or bot detection.
pol
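Blacklight's canvas-fingerprinting verdict above comes from instrumenting the browser's canvas APIs while crawling: a script that writes text into a canvas the visitor never sees and then reads the pixels back is collecting a device signature, not drawing a picture. The block below is an added example of that instrumentation technique and heuristic; it is not Blacklight's or The Markup's code, and the browser objects in it are constructed stand-ins so that it runs under Node. In a real page the same hooks would be installed on `window` before any page script runs, and the captured stack would name the script origin (filebin.net in the case above).

```javascript
'use strict';
// Added example, not Blacklight's or The Markup's code: the instrumentation
// approach such crawlers use to spot canvas fingerprinting. The browser
// objects below are constructed stand-ins so the example runs under Node.

// Wrap the read-back APIs on a window and call onSuspect with the evidence.
// Heuristic after Englehardt & Narayanan (2016): text was drawn, the canvas
// is at least 16x16, it is not attached to the document, and it is read back.
function installCanvasDetector(win, onSuspect) {
  const wroteText = new WeakSet();
  const ctxProto = win.CanvasRenderingContext2D.prototype;
  const canvasProto = win.HTMLCanvasElement.prototype;

  const origFillText = ctxProto.fillText;
  ctxProto.fillText = function (...args) {
    wroteText.add(this.canvas);
    return origFillText.apply(this, args);
  };

  function inspect(canvas, api) {
    const ev = {
      api, width: canvas.width, height: canvas.height,
      attached: canvas.isConnected === true,
      text: wroteText.has(canvas),
      stack: new Error().stack, // in a browser this names the calling script URL
    };
    if (ev.text && !ev.attached && ev.width >= 16 && ev.height >= 16) onSuspect(ev);
  }

  for (const api of ['toDataURL', 'toBlob']) {
    const orig = canvasProto[api];
    canvasProto[api] = function (...args) { inspect(this, api); return orig.apply(this, args); };
  }
  const origGetImageData = ctxProto.getImageData;
  ctxProto.getImageData = function (...args) {
    inspect(this.canvas, 'getImageData');
    return origGetImageData.apply(this, args);
  };
}

// Constructed stand-ins for the DOM classes the detector hooks.
function fakeWindow() {
  class CanvasRenderingContext2D {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    fillRect() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class HTMLCanvasElement {
    constructor(width = 300, height = 150) { this.width = width; this.height = height; this.isConnected = false; }
    getContext() { return new CanvasRenderingContext2D(this); }
    toDataURL() { return 'data:image/png;base64,'; }
    toBlob(cb) { cb(null); }
  }
  return { HTMLCanvasElement, CanvasRenderingContext2D };
}

// A fingerprinting script: off-screen canvas, pangram text, read-back.
function fingerprintingScript(win) {
  const c = new win.HTMLCanvasElement(220, 30);
  const ctx = c.getContext('2d');
  ctx.fillText('Cwm fjordbank glyphs vext quiz, \u{1F60A}', 2, 15);
  return c.toDataURL();
}

// A legitimate chart: the canvas is in the page, so reading it back is normal.
function chartScript(win) {
  const c = new win.HTMLCanvasElement(400, 300);
  c.isConnected = true;
  const ctx = c.getContext('2d');
  ctx.fillText('Visits per day', 10, 20);
  ctx.fillRect(10, 40, 50, 200);
  return c.toDataURL();
}

function demo() {
  const win = fakeWindow();
  const hits = [];
  installCanvasDetector(win, ev => hits.push(ev));
  fingerprintingScript(win);
  chartScript(win);
  return hits;
}

if (typeof require === 'function' && require.main === module) {
  console.log(demo().map(h => [h.api, h.width, h.height, h.attached]));
}
```

The heuristic flags the off-screen text canvas and leaves the attached chart alone, which is also the limit of what such a crawler can say: as the Blacklight note quoted above admits, the same off-screen read-back is used by fraud-prevention and bot-detection scripts, so the hook establishes that fingerprinting happens, not why.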
Another pair to combine: https://www.projecthoneypot.org/list_of_ips.php
Re: https://www.abuseipdb.com/check/46.101.210.101
and
https://maltiverse.com/ip/46.101.210.81
Given with associated harvesters: https://www.projecthoneypot.org/ip_46.101.210.101
Proxy also listed here: https://www.freeproxy.world/?type=socks4
polonus