Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on June 17, 2019, 04:39:08 PM

Title: Ransomware Troldesh from website..
Post by: polonus on June 17, 2019, 04:39:08 PM
Re: https://urlhaus.abuse.ch/url/209681/
issues: https://observatory.mozilla.org/analyze/topphanmem.net
hardened by abusers? - https://webhint.io/scanner/f37d44d7-705d-4c09-941e-85dcea7d7170
Blacklisted - javascript malware found: https://sitecheck.sucuri.net/results/topphanmem.net
WordPress - Version does not appear to be latest
See: https://urlscan.io/result/c20b9c6c-5e3b-4692-87c8-8d0513a5dc04
6 engines detect: https://www.virustotal.com/gui/url/1bdb95e05cb47745f3d921d1a38b55398aae0e95bca17433529f28613aeb49a7/detection
dom-xss issues: Results from scanning URL: -http://topphanmem.net/wp-includes/js/wp-embed.min.js
Number of sources found: 149
Number of sinks found: 25

Retire.js
jquery   1.12.4   Found in -http://topphanmem.net/wp-includes/js/jquery/jquery.js
Vulnerability info:
Medium   2432    CVE-2015-9251    3rd party CORS request may execute
Medium   11974   CVE-2015-9251    parseHTML() executes scripts in event handlers
Medium   CVE-2019-11358   jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

polonus (volunteer website security analyst & website error-hunter)
Title: Re: Ransomware Troldesh from website..
Post by: polonus on June 17, 2019, 05:20:34 PM
The JavaScript malcode giveaways: Unexpected 'eval'; use of single quotes (several); Expected '=>' and instead saw '>';
Decoding: simply replace eval with alert.

pol