Avast WEBforum
Other => Viruses and worms => Topic started by: polonus on May 06, 2020, 04:48:34 PM
-
Re: https://www.virustotal.com/gui/url/2ef5cf82209393a5844b756c061bd8454dc8647f721520b025f33c70bc190b88/detection
On that domain https://urlhaus.abuse.ch/host/borawebservicioscl1.com/
Re: https://www.shodan.io/host/187.17.111.35
Not flagged elsewhere: Reputation Check PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK
Web Server: Apache
X-Powered-By: None
IP Address: -187.17.111.35
Hosting Provider: Universo Online S.A.
Shared Hosting: 1 sites found on -187.17.111.35
Now Spamhaus detects IP: https://www.virustotal.com/gui/ip-address/187.17.111.35/detection
Blacklisted earlier: https://sitecheck.sucuri.net/results/borawebservicioscl1.com/desporto/F0AS2F4AS01FA4.luk
Opens up to DOM_XSS-results from scanning URL: -https://powozimiduti.mihanblog.com/
Number of sources found: 4
Number of sinks found: 704
See vulnerabilities on IP-hoster: https://www.shodan.io/host/5.144.133.146
&
on -https://borawebservicioscl1.com/../ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js
Number of sources found: 1
Number of sinks found: 1
with Javascript 1 (external 0, inline 1)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes
CSS 1 (external 0, inline 1)
INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED
polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
-
Other detections on IP (IP related): https://www.virustotal.com/gui/ip-address/187.17.111.35/relations
and the blog that was found with the DOM-XSS scan:
-mihan.blog is insecure. -Retire.js jquery 1.8.2 found in -http://static.mihanblog.com//public/scripts/run/jquery.min.js
Vulnerability info:
Medium CVE-2012-6708 11290 Selector interpreted as HTML
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
and
This website is insecure.
50% of the trackers on this site could be protecting you from NSA snooping. Tell -mihanblog.com to fix it.
Identifiers | All Trackers
Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.
-m0 mihanblog.commib_lb_id
Not vulnerable script...but see vuln. on hoster's IP: https://www.shodan.io/host/5.144.133.146
pol
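The Retire.js findings above flag jQuery 1.8.2 by reading the library's own version banner and comparing it against the fixed version of each advisory. The following is an added example written for this thread, not polonus' tooling and not Retire.js code: it extracts a jQuery version from script contents the way a scanner does and reports which of the advisories listed above still apply. The fixed-version thresholds (1.9.0, 3.0.0, 3.4.0, 3.5.0) are taken from the public advisories; the CVE numbers for the htmlPrefilter item are not on the page and are added from the advisory record; the script contents below are constructed stand-ins, not copies of the files on the scanned hosts.

```python
import re
from typing import List, Optional, Tuple, Dict

# Advisories named in the Retire.js output above. A script is affected when
# its jQuery version is lower than the "fixed in" version of the advisory.
# Thresholds are from the public advisories (assumption, not from the thread).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("CVE-2012-6708", "1.9.0", "Selector interpreted as HTML"),
    ("CVE-2015-9251", "3.0.0", "3rd party CORS request may execute / parseHTML() "
                               "executes scripts in event handlers"),
    ("CVE-2019-11358", "3.4.0", "jQuery.extend(true, {}, ...) Object.prototype pollution"),
    # The thread lists this one without a CVE; the ids are from the advisory record.
    ("CVE-2020-11022/CVE-2020-11023", "3.5.0", "Regex in jQuery.htmlPrefilter may introduce XSS"),
]

# Patterns that identify jQuery's own version string. The banner pattern
# deliberately requires "jQuery v..." so that the "jQuery Migrate v1.4.1"
# banner of jquery-migrate (a different library) is not mistaken for jQuery.
VERSION_PATTERNS = [
    re.compile(r"/\*!?\s*jQuery\s+v?(\d+\.\d+(?:\.\d+)?)"),          # banner comment
    re.compile(r'jquery\s*:\s*"(\d+\.\d+(?:\.\d+)?)"'),             # minified fn.jquery
    re.compile(r'jQuery\.fn\.jquery\s*=\s*"(\d+\.\d+(?:\.\d+)?)"'),  # unminified assignment
]


def detect_jquery_version(source: str) -> Optional[str]:
    """Return the jQuery version embedded in a script body, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(source)
        if match:
            return match.group(1)
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.8.2' or '3.0.0-rc1' into a comparable tuple, padding to 3 parts."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def matching_advisories(version: str) -> List[Tuple[str, str, str]]:
    """All advisories whose fixed version is still above the given version."""
    found = parse_version(version)
    return [adv for adv in ADVISORIES if found < parse_version(adv[1])]


def audit_scripts(scripts: List[Tuple[str, str]]) -> List[Dict]:
    """Scan (url, content) pairs; report every jQuery copy with its open advisories."""
    report = []
    for url, content in scripts:
        version = detect_jquery_version(content)
        if version is None:
            continue  # not jQuery (or version not recoverable): nothing to compare
        report.append({
            "url": url,
            "version": version,
            "advisories": [cve for cve, _fixed, _desc in matching_advisories(version)],
        })
    return report


# Constructed sample contents. The URLs are the ones quoted in the thread; the
# bodies are short stand-ins that reproduce only the version banners.
SAMPLE_JQUERY_182 = '/*! jQuery v1.8.2 jquery.com | jquery.org/license */\n(function(a,b){var c={jquery:"1.8.2"}})();'
SAMPLE_MIGRATE = '/*! jQuery Migrate v1.4.1 | (c) jQuery Foundation and other contributors */\n(function(jQuery){jQuery.migrateVersion="1.4.1"})(jQuery);'
SAMPLE_JQUERY_351 = '/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){}();'

SAMPLE_SCRIPTS = [
    ("http://static.mihanblog.com//public/scripts/run/jquery.min.js", SAMPLE_JQUERY_182),
    ("http://tecnigrav.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1", SAMPLE_MIGRATE),
    ("https://cdn.example.invalid/jquery-3.5.1.min.js", SAMPLE_JQUERY_351),  # placeholder URL
]

if __name__ == "__main__":
    for entry in audit_scripts(SAMPLE_SCRIPTS):
        status = ", ".join(entry["advisories"]) or "no listed advisories"
        print(f'{entry["url"]}: jQuery {entry["version"]} -> {status}')
```

The check is version-based, as Retire.js' own is, so a patched fork that kept the old banner would still be reported; treat a hit as a prompt to verify the file, not as proof of exploitability.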
-
More interlinked from this source: Results from scanning URL: -https://overheaddoormainnumber.net/
Number of sources found: 3
Number of sinks found: 201 - residing on -209-99-64-71.fwd.datafoundry.com (upgrade insecure request)
&
Results from scanning URL: -http://tecnigrav.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 0
Number of sinks found: 3
&
Results from scanning URL: -http://tecnigrav.com/wp-content/plugins/woocommerce-multilingual/res/js/tooltip_init.min.js?ver=4.0.3
Number of sources found: 0
Number of sinks found: 0