Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on November 28, 2018, 05:50:25 PM

Title: Cloaking, spammy links and malware cryptominer.3!
Post by: polonus on November 28, 2018, 05:50:25 PM
Re: ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (CoinHive Mining Domain) IDS alert:
and https://sitecheck.sucuri.net/results/hackers-workshop.net/tag/apt-get
Reputation Check
Google Safe Browse: OK
Spamhaus Check: OK
Compromised Hosts: OK
Dshield Blocklist: OK
Shadowserver C&C: OK
Web Server:
IP Address:
Hosting Provider:
1&1 Internet AG 
Shared Hosting:
626 sites found on - -> https://urlscan.io/domain/hackers-workshop.net
and https://urlscan.io/result/840d7e41-3886-4d14-9905-3a0ac71f97e6/

Checking for cloaking
There is a difference of 2387 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page.

Spammy looking links
Any links with funky anchor text? Yes there are.

<a href="-https://www.hidemyass.com/vpn/r23796/" title="Hide My Ass! Pro VPN"><img src="-//ddfnmo6ev4fd.cloudfront.net/dynamic-banners/336x280.gif" alt="HideMyAss.com"></a>


40 potential problems mentioned here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=aHxea3t9cy13XX1rc2hdcC5ue3Q%3D~enc

9 security related hints: https://webhint.io/scanner/0d1a88c4-67a3-47a4-a493-7cbb2eea3a17#Security

See security risks here: https://webscan.upguard.com/#/hackers-workshop.net/tag/apt-get

polonus (volunteer website security analyst and website error-hunter)
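The cloaking figure quoted above comes from serving the same page to two different User-Agents and comparing the responses. As an added example (not code from the forum post or from any of the scanners it links), the script below does the same check: it reports the byte delta between a browser rendition and a Googlebot rendition and lists the script elements present in only one of them, which is the part worth reviewing. The two HTML strings are constructed samples; the User-Agent strings and the fetch helper are assumptions for live use.

```python
"""Added example: compare a page as served to a browser UA vs. a crawler UA."""
import re
import urllib.request

# Assumed User-Agent strings for a live check (not taken from the post).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def fetch(url, user_agent, timeout=15):
    """Fetch url with the given User-Agent and return the decoded body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def script_set(html):
    """Whitespace-normalised <script> elements found in the document."""
    return {re.sub(r"\s+", " ", s).strip() for s in SCRIPT_RE.findall(html)}


def cloaking_report(browser_html, bot_html):
    """Byte delta plus the scripts unique to each rendition. A large positive
    delta with browser-only scripts is the pattern the scanner flags."""
    b_scripts, g_scripts = script_set(browser_html), script_set(bot_html)
    return {
        "byte_delta": len(browser_html.encode()) - len(bot_html.encode()),
        "browser_only_scripts": sorted(b_scripts - g_scripts),
        "bot_only_scripts": sorted(g_scripts - b_scripts),
    }


# Constructed sample renditions: the browser copy carries one extra script
# that the crawler copy never receives.
SAMPLE_BROWSER = ('<html><head><title>tag: apt-get</title>\n'
                  '<script src="/js/theme.js"></script>\n'
                  '<script src="/js/extra.js"></script></head>'
                  '<body><p>posts</p></body></html>')
SAMPLE_BOT = ('<html><head><title>tag: apt-get</title>\n'
              '<script src="/js/theme.js"></script></head>'
              '<body><p>posts</p></body></html>')

if __name__ == "__main__":
    # For a live site: cloaking_report(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))
    print(cloaking_report(SAMPLE_BROWSER, SAMPLE_BOT))
```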
Title: Re: Cloaking, spammy links and malware cryptominer.3!
Post by: polonus on December 16, 2018, 08:46:02 PM
Another one with three mining links: https://urlquery.net/report/ab7ab3ed-926f-4e68-8b8f-32bb341e9557
(where the malware was initially not specified), but it is here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=cGhbbW5ndV1bbF1uLnVz~enc
with a script at line 768, detection confirmed here: https://rescan.pro/result.php?aad699dd1b509a2dd3b6b8eb1c83e8e7
see: https://www.virustotal.com/#/domain/phimnguoilon.us

Rather good security practices where a mining website is concerned, only 40 recommendations given here via this scan:
risk assessment - 8 risks given: https://app.upguard.com/webscan#/http://phimnguoilon.us
Vulnerable to MiM attacks and X-Powered-By header exposed & Server information header exposed (excessive info proliferation).

Cloaking also flagged in this case: http://isithacked.com/check/http%3A%2F%2Fphimnguoilon.us
'data-cf-nonce' can be abused in a so-called redirect (SQL) "replay-attack" on -http://ajax.cloudflare.com/cdn-cgi/scripts/2448a7bd/cloudflare-static/rocket-loader.min.js there.

polonus (volunteer website security analyst and website error-hunter)