Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on November 28, 2018, 05:50:25 PM

Title: Cloaking, spammy links and malware cryptominer.3!
Post by: polonus on November 28, 2018, 05:50:25 PM
Re: ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (CoinHive Mining Domain) IDS alert:
https://urlquery.net/report/32fe3d9a-5060-4911-9db7-75236b2929ac
and https://sitecheck.sucuri.net/results/hackers-workshop.net/tag/apt-get
See:
Reputation Check: PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Compromised Hosts: OK
Dshield Blocklist: OK
Shadowserver C&C: OK
Web Server: Apache
X-Powered-By: PHP/5.6.38
IP Address: -212.227.247.144
Hosting Provider: 1&1 Internet AG
Shared Hosting: 626 sites found on -212.227.247.144 -> https://urlscan.io/domain/hackers-workshop.net
and https://urlscan.io/result/840d7e41-3886-4d14-9905-3a0ac71f97e6/

Checking for cloaking
There is a difference of 2387 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page.

Spammy looking links
Any links with funky anchor text? Yes there are.

<a href="-https://www.hidemyass.com/vpn/r23796/" title="Hide My Ass! Pro VPN"><img src="-//ddfnmo6ev4fd.cloudfront.net/dynamic-banners/336x280.gif" alt="HideMyAss.com"></a>

https://retire.insecurity.today/#!/scan/ae0aaede23d2f77671cee909f2b7ef2ebce5616ba349616ea13f2a8f2991a43b

40 potential problems mentioned here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=aHxea3t9cy13XX1rc2hdcC5ue3Q%3D~enc

9 security related hints: https://webhint.io/scanner/0d1a88c4-67a3-47a4-a493-7cbb2eea3a17#Security

See security risks here: https://webscan.upguard.com/#/hackers-workshop.net/tag/apt-get

polonus (volunteer website security analyst and website error-hunter)
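The three findings above (a byte-count gap between what a browser and a crawler receive, off-site links with spammy anchor text, and Server / X-Powered-By headers that leak stack details) can be reproduced as plain checks. The script below is an added example, not code from the scanners polonus links to; the HTML bodies and the header set are constructed inline, the site host is a placeholder, and the 128-byte cloaking threshold and the spam word list are assumptions chosen for illustration.

```python
"""Offline re-creation of three checks from the post: a cloaking delta between
two user agents, spammy-looking outbound anchors, and information leakage in
response headers. All sample input is constructed here, nothing is fetched."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a browser and a crawler might receive from the same
# URL. The hidden banner block only appears in the crawler's copy.
SITE_HOST = "example-site.test"          # placeholder, not the site in the post
BROWSER_HTML = b"""<html><body>
<h1>Workshop notes</h1>
<a href="/tag/apt-get">apt-get</a>
</body></html>"""
CRAWLER_HTML = BROWSER_HTML.replace(b"</body>", b"""
<div style="display:none">
<a href="https://affiliate.example/vpn/r123" title="Pro VPN"><img src="//cdn.example/banner.gif" alt="VPN deal"></a>
<a href="https://pills.example/buy">cheap pills online</a>
</div></body>""")
# Header values as reported in the post; the dict itself is constructed.
SAMPLE_HEADERS = {"Server": "Apache", "X-Powered-By": "PHP/5.6.38",
                  "Content-Type": "text/html"}

# Assumed threshold: the scanner in the post reported a 2387-byte gap; a lower
# bar still ignores small dynamic differences such as timestamps or nonces.
CLOAK_THRESHOLD = 128
SPAM_WORDS = ("vpn", "pills", "casino", "cheap", "loan", "viagra")   # assumed list
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def cloaking_delta(browser_body: bytes, crawler_body: bytes) -> int:
    """Absolute size difference between the two renderings of one URL."""
    return abs(len(crawler_body) - len(browser_body))


def is_cloaked(browser_body: bytes, crawler_body: bytes,
               threshold: int = CLOAK_THRESHOLD) -> bool:
    return cloaking_delta(browser_body, crawler_body) >= threshold


class _AnchorCollector(HTMLParser):
    """Collect (href, title, anchor text) for every <a>, counting <img alt> as text."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open = [a.get("href", ""), a.get("title", ""), []]
        elif tag == "img" and self._open is not None:
            self._open[2].append(a.get("alt", ""))

    def handle_data(self, data):
        if self._open is not None:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, title, parts = self._open
            text = " ".join(p.strip() for p in parts if p.strip())
            self.anchors.append((href, title, text))
            self._open = None


def suspicious_anchors(html: bytes, site_host: str):
    """Off-site links whose title or anchor text contains a spam keyword."""
    p = _AnchorCollector()
    p.feed(html.decode("utf-8", "replace"))
    p.close()
    hits = []
    for href, title, text in p.anchors:
        host = urlparse(href).netloc.lower()
        offsite = bool(host) and host != site_host
        words = (title + " " + text).lower()
        if offsite and any(w in words for w in SPAM_WORDS):
            hits.append((href, text or title))
    return hits


def header_exposure(headers: dict) -> dict:
    """Response headers that reveal server software or runtime versions."""
    return {k: v for k, v in headers.items() if k.lower() in LEAKY_HEADERS}


if __name__ == "__main__":
    print("cloaking delta:", cloaking_delta(BROWSER_HTML, CRAWLER_HTML),
          "cloaked:", is_cloaked(BROWSER_HTML, CRAWLER_HTML))
    for href, text in suspicious_anchors(CRAWLER_HTML, SITE_HOST):
        print("spammy link:", href, "->", text)
    print("leaky headers:", header_exposure(SAMPLE_HEADERS))
```

In a live check the two bodies would come from two requests to the same URL differing only in the User-Agent header; the size delta is a coarse signal, and the anchor scan over the crawler copy is what tells hidden spam apart from ordinary dynamic content.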
Title: Re: Cloaking, spammy links and malware cryptominer.3!
Post by: polonus on December 16, 2018, 08:46:02 PM
Another one with three mining links: https://urlquery.net/report/ab7ab3ed-926f-4e68-8b8f-32bb341e9557
(where the malware initially was not specified), but is here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=cGhbbW5ndV1bbF1uLnVz~enc
with a script at line 768, detection confirmed here: https://rescan.pro/result.php?aad699dd1b509a2dd3b6b8eb1c83e8e7
see: https://www.virustotal.com/#/domain/phimnguoilon.us

Rather good security practices where a mining website is concerned, only 40 recommendations given here via this scan:
https://webhint.io/scanner/a7f75590-34dc-4503-8f60-4d8e06c4e6ce
risk assessment - 8 risks given: https://app.upguard.com/webscan#/http://phimnguoilon.us
Vulnerable to MiM attacks and X-Powered-By header exposed & Server information header exposed (excessive info proliferation).

Cloaking also flagged in this case: http://isithacked.com/check/http%3A%2F%2Fphimnguoilon.us
'data-cf-nonce' can be abused in a so-called redirect (SQL) "replay-attack" on -http://ajax.cloudflare.com/cdn-cgi/scripts/2448a7bd/cloudflare-static/rocket-loader.min.js there.

polonus (volunteer website security analyst and website error-hunter)
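The second post pins the miner to "a script at line 768" of the page source. The following added example, which is not code from the post or from any of the scanners linked, shows how to locate such scripts in saved HTML and report the line each sits on. The page is constructed, the site key is a placeholder, and the host and inline-marker lists are an illustrative assumption rather than a complete signature set.

```python
"""Offline scan of an HTML document for browser-miner script markers,
reporting the source line of each hit. Sample page and marker lists are
constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of hosts that served in-browser mining libraries at the time;
# a real deployment would use a maintained feed instead.
MINER_HOSTS = ("coinhive.com", "coin-hive.com", "crypto-loot.com",
               "jsecoin.com", "authedmine.com")
# Assumed inline markers: the CoinHive constructor call or a miner start call.
MINER_INLINE = re.compile(
    r"CoinHive\.(Anonymous|User)\s*\(|CryptoLoot\.|\bminer\.start\s*\(", re.I)

# Constructed sample page: one benign script, one external miner library,
# one inline block that instantiates it with a placeholder site key.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<p>Watch online</p>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""


class _ScriptCollector(HTMLParser):
    """Record every <script> with the line number where its tag starts."""
    def __init__(self):
        super().__init__()
        self.external = []   # (line, src)
        self.inline = []     # (line, code)
        self._in_script = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            line = self.getpos()[0]          # 1-based line of the tag
            if a.get("src"):
                self.external.append((line, a["src"]))
            else:
                self._in_script = (line, [])

    def handle_data(self, data):
        if self._in_script is not None:
            self._in_script[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script is not None:
            line, parts = self._in_script
            self.inline.append((line, "".join(parts)))
            self._in_script = None


def find_miner_scripts(html: str):
    """Return [(line, kind, evidence)] for each script matching a marker."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    hits = []
    for line, src in p.external:
        host = urlparse(src).netloc.lower()
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            hits.append((line, "external", src))
    for line, code in p.inline:
        m = MINER_INLINE.search(code)
        if m:
            hits.append((line, "inline", m.group(0)))
    return sorted(hits)


if __name__ == "__main__":
    for line, kind, evidence in find_miner_scripts(SAMPLE_HTML):
        print(f"line {line}: {kind} miner marker -> {evidence}")
```

Reporting the tag's line rather than just a yes/no lets the site owner jump straight to the injected block in the template or theme file, which is what makes a finding like "script at line 768" actionable.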