Avast WEBforum
Other => Viruses and worms => Topic started by: polonus on December 09, 2019, 07:22:28 PM
-
Nothing here: https://www.virustotal.com/gui/url/ac6c85beada1be72c78a21693c5a786896de443a05ca8205eaefe989b64a8ac0/detection
See: https://sitecheck.sucuri.net/results/https/aw-snap.info
8 malicious files : https://quttera.com/detailed_report/aw-snap.info
IP related malware: https://www.virustotal.com/gui/ip-address/107.180.40.144/relations
See also: https://toolbar.netcraft.com/site_report?url=https://aw-snap.info/file-viewer/
Re: https://retire.insecurity.today/#!/scan/fb9f5fe2c2bde4a2cd6183929c0e3ab1b09ecc25929f7f30636764e4ae4904a9
polonus
-
I used to see this a long time ago but with the 404 error (missing file/page/image, etc.).
The hack was to create a specific malicious 404 error page and edit the normal home page (or any other), inserting a link to a non-existent page/image, etc., triggering the malicious 404 page.
I just wonder if there isn't something similar going on here.
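The 404 trick described above can be checked for from the defender's side by auditing what the server's error pages actually carry. The following is an added example, not code from this thread: it parses an error page body (passed as a string, so it runs offline) and reports content a stock Apache/WordPress error page has no reason to contain. The hostnames and HTML samples in it are constructed.

```python
# Added example (not from the forum thread): flag injected content on an
# HTTP error page: scripts/frames from other hosts, inline scripts,
# meta-refresh redirects, and resources fetched over plain http.
# All hostnames and HTML below are constructed sample data.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ErrorPageAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if "src" in a:
                self._check_host("script", a["src"])
            else:
                self.findings.append("inline <script> on error page")
        elif tag in ("iframe", "frame", "embed"):
            self._check_host(tag, a.get("src", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect: " + a.get("content", ""))
        elif tag == "link" and a.get("href", "").startswith("http://"):
            self.findings.append("plain-http resource: " + a["href"])

    def _check_host(self, kind, url):
        host = (urlparse(url).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            self.findings.append(f"{kind} from third-party host {host}: {url}")

def audit_error_page(html, site_host):
    auditor = _ErrorPageAuditor(site_host)  # empty result list means clean
    auditor.feed(html)
    return auditor.findings

# Constructed samples: a stock Apache 403 and a 404 page carrying injected content.
CLEAN_403 = """<html><head><title>403 Forbidden</title></head><body>
<h1>Forbidden</h1><p>You don't have permission to access / on this server.</p>
</body></html>"""
INJECTED_404 = """<html><head><title>404 Not Found</title>
<meta http-equiv="refresh" content="0;url=https://cdn.example-third-party.test/go">
<link rel="icon" href="http://shop.example/favicon.ico">
<script src="//cdn.example-third-party.test/loader.js"></script></head>
<body><h1>Not Found</h1></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean 403", CLEAN_403), ("injected 404", INJECTED_404)):
        print(name, audit_error_page(page, "shop.example") or "clean")
```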
-
Description: Malicious scripts injected into Magento (and other e-commerce) sites that try to steal payment details and site credentials from website forms. Typically they hijack login and checkout forms and send entered data to a remote third-party site controlled by the attackers. Sometimes the script may redirect online shoppers to fake checkout pages.
https://www.virustotal.com/gui/file/b23b9fc160fada7c57050a59485fbdcf50f406c4ba89d8320fd8efeb842f689d/detection
-
Script injection malcode, thank you DavidR and Pondus for putting the detection-cherry on the cake.
The proof of the pudding is indeed in the eating, but we had to taste it first...
For the moment I get here with the 403 error:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
<link href='-http://aw-snap.info/wp-content/redleg_sm.ico' rel='icon' type='image/x-icon'/>
<link rel="shortcut icon" href="-http://aw-snap.info/wp-content/redleg_sm.ico" />
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<hr>
<address>Apache Server at -aw-snap.info Port 80</address>
</body></html>
VT gives as clean: -http://aw-snap.info/wp-content/redleg_sm.ico,
somehow the connection is not encrypted and not secure.
So Redleg has some cleansing to do on his own website analysis website ;D :(
pol
-
aw-snap.info still won't open up in my browser: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/
see: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#links
response html: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#transactions
behavior: https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#behaviour
Indicators of compromise (around an attack): https://urlscan.io/result/4531ae42-1111-491a-b060-42df0288700b/#iocs
host details: https://www.shodan.io/host/107.180.40.144
Website test results: https://internet.nl/site/aw-snap.info/671442/
1 malicious file detected: https://quttera.com/detailed_report/www.aw-snap.info
File:
index.html
Severity: Malicious
Reason: Detected malicious PHP content
Details: Detected PHP backdoor
Offset: 3162
Threat dump: View code index html - blocked
Threat dump MD5: 0DEAEF3CF103258A26211AB017E008E6
File size[byte]: 10618
File type: HTML
Page/File MD5: 9818584FD5B51A3DEA390ACD83ADDFE0
Scan duration[sec]: 0.08
pol