Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on March 28, 2017, 03:15:43 PM

Title: 54 instances of TROJ_CRYPCTB.NSA detected here?
Post by: polonus on March 28, 2017, 03:15:43 PM
See: http://urlquery.net/report.php?id=1490704902278
 
Threat Name: Infostealer.Limitail
Location: -https://hacmint.com/cgi_bin/Invoice-Report.zip

Magento not updated, listed here: https://sitecheck.sucuri.net/results/hacmint.com
Update to: recommended version 1.9.2.4 or 2.0.7
Several issues not being patched: https://www.magereport.com/scan/?s=https://hacmint.com/
Two issues: https://sritest.io/#report/e54ed076-1d76-48a3-b3ca-0ee2f85b9d43

Vulnerable jQuery library to be retired: http://retire.insecurity.today/#!/scan/2d58d47ef3c2fef15d649f91f4725338f6e2177635f49f32d4aaf5409297e5ee

F-F-status: https://observatory.mozilla.org/analyze.html?host=hacmint.com

-/skin/frontend/default/theme224k/js/scripts.js
Severity:   Potentially Suspicious
Reason:   Detected procedure that is commonly used in suspicious activity.
Details:   Too low entropy detected in string [['.input-box select, .input-box input, input.qty, .data-table textarea, .input-box textarea, .advanced']] of length 126 which may point to obfuscation or shellcode.

Consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fhacmint.com%2Fskin%2Ffrontend%2Fdefault%2Ftheme224k%2Fjs%2Fscripts.js
overflowing code to -http://dev.techsoup.nl/sites/all/modules/jquery_update/compat.js for instance...

polonus
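The "too low entropy" hit above comes from a scanner heuristic on string literals. As an added example (not code from the original post, nor the scanner's own logic), the following Python computes Shannon entropy over every string literal in a JavaScript file and buckets each one. The sample JS is constructed for this example: it reuses the CSS selector fragment quoted in the report, plus an invented 64-character encoded-looking string, a run of padding bytes and a NOP-sled-like escape sequence for contrast; the thresholds and the names `scan_js`, `classify` and `shannon_entropy` are assumptions chosen here. Under a plain Shannon measure the selector lands in the unremarkable middle band, so hits of this kind are worth reviewing by hand rather than treating as a verdict.

```python
import math
import re
from collections import Counter

# Constructed 64-character string in which every base64 alphabet character
# appears exactly once (stand-in for a packed/encoded payload; not real data).
PACKED = "mZ9q+K2vXyA7jLhP0Rw/3Ec5nUoB8tGdF1sQiYkVrNlWzJbHxaT4MfuC6DpOgISe"

# Constructed JavaScript sample standing in for a theme scripts.js (not the real file).
SAMPLE_JS = (
    "var sel = '.input-box select, .input-box input, input.qty, "
    ".data-table textarea, .input-box textarea, .advanced';\n"
    + 'var key = "' + PACKED + '";\n'
    + 'var pad = "' + "A" * 64 + '";\n'              # padding run, zero entropy
    + 'var sled = "' + "\\x90" * 32 + '";\n'         # NOP-sled-like escapes
)

# Matches a single- or double-quoted JS string literal, honouring backslash escapes.
STRING_LITERAL = re.compile(r'''(["'])((?:\\.|(?!\1).)*)\1''', re.S)


def shannon_entropy(text: str) -> float:
    """Bits of Shannon entropy per character of `text` (0.0 for empty or uniform text)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def classify(literal: str, min_len: int = 32, low: float = 2.5, high: float = 5.0) -> str:
    """Bucket a literal the way a simple entropy heuristic would.

    min_len/low/high are assumed thresholds for this example, not the scanner's.
    """
    if len(literal) < min_len:
        return "short"
    h = shannon_entropy(literal)
    if h < low:
        return "low-entropy"    # long runs of few symbols: padding, sled-like bytes
    if h > high:
        return "high-entropy"   # packed or encoded payloads, embedded keys
    return "normal"


def scan_js(js: str, **thresholds):
    """Return (literal, length, entropy, verdict) for each string literal in `js`."""
    results = []
    for m in STRING_LITERAL.finditer(js):
        lit = m.group(2)  # raw literal text, escapes left as written
        results.append((lit, len(lit), round(shannon_entropy(lit), 3), classify(lit, **thresholds)))
    return results


if __name__ == "__main__":
    for lit, n, h, verdict in scan_js(SAMPLE_JS):
        print(f"{verdict:13s} len={n:4d} H={h:.3f}  {lit[:48]!r}")
```

The entropy is taken over the literal as it appears in the source, so `\x90` escapes count as four distinct characters (2.0 bits) and still fall below the low threshold; a real scanner might instead decode escapes first, which would push such a literal to 0 bits.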
Title: Re: 54 instances of TROJ_CRYPCTB.NSA detected here?
Post by: polonus on May 20, 2017, 12:01:39 AM
Update of this persistent threat: http://urlquery.net/report.php?id=1495228834063
See: https://sitecheck.sucuri.net/results/hacmint.com

polonus
Title: Re: 54 instances of TROJ_CRYPCTB.NSA detected here?
Post by: polonus on May 28, 2017, 12:08:34 AM
Threat Name: Infostealer.Limitail
Location: htxps://hacmint.com/cgi_bin/Invoice-Report.zip
-> Domain Name: hacmint dot com
   Certificate Name: hacmint dot com
   EV: —
   Security Certificate's Authentic Fingerprint: B5:7D:FB:E6:B9:8A:99:7A:05:6B:EB:A4:E6:CA:E7:C6:64:98:A9:88

Seems persistent, see here: http://urlquery.net/report.php?id=1495919871071
See: -https://urlscan.io/result/a0ae7023-48ed-4fee-83de-ba192cd86cde/dom/
See: https://www.virustotal.com/pl/url/1e69fb6b1ec56febc32edca93dfac5bbf08c303e5b65d43cd3efda58ee94413f/analysis/1495921958/

Web application version:
Magento version detected: 1.9.0.1
Magento not updated. We recommend version 1.9.2.4 or 2.0.7 -> https://www.magereport.com/scan/?s=https://hacmint.com/

96 blacklisted links: https://quttera.com/detailed_report/www.hacmint.com

polonus (volunteer website security analyst and website error-hunter)
Title: Re: 54 instances of TROJ_CRYPCTB.NSA detected here?
Post by: mchain on May 29, 2017, 05:19:12 AM
Updated urlquery scan: http://urlquery.net/report.php?id=1496025490538