Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on July 12, 2020, 05:10:37 PM

Title: vbs-malware and RAT - weak php involved..
Post by: polonus on July 12, 2020, 05:10:37 PM
Where? See: https://urlhaus.abuse.ch/url/411994/ & https://urlhaus.abuse.ch/url/411993/
GData and other engines detect this; does avast also flag it?

DOM XSS scan results: Results from scanning URL: -http://expdom.ru/tarif.php
Number of sources found: 8
Number of sinks found: 56
Link found towards: Results from scanning URL: -https://localsportsrightnow.com/
Number of sources found: 46
Number of sinks found: 21 - consider: hxtp://sedoparking.com/frmpark/localsportsrightnow.com/skenzor17/park.js

In the code we find:
Quote
<ul class="top-nav">
<li><a href="index.php">Главная</a></li>
<li><a href="news.php">Новости</a></li>
<li><a href="uslugi.php">Услуги</a></li>
<li><a href="dogovor_yprav.php">Договор Управления</a></li>
<li><a href="tarif.php" class="active">Тарифы</a></li>
<li><a href="homes.php">Перечень Домов</a></li>
<li><a href="otchet.php">Отчетность</a></li>
<li><a href="protocols_oss.php">Протоколы ОСС</a></li>
<li><a href="internet.php">Интернет Провайдеры</a></li>
<li><a href="work.php">Планы Работ</a></li>
<li><a href="prikaz.php">Приказы</a></li>
<li><a href="contact.php">Контакты</a></li>
</ul>

Microsoft development seems to have come to a decision: https://laravel-news.com/microsoft-dropping-php-support
Read also: https://www.reddit.com/r/PHP/comments/ho9dgq/microsoft_not_going_to_officially_support_php_8/fxgk1sc/
So others are going to have to do it.

polonus
Title: Re: vbs-malware and RAT - weak php involved..
Post by: chabandima2002 on July 13, 2020, 06:03:18 PM
Hello, I am the owner of this site. The malware was successfully deleted, and I want to ask a question: are you normal? The malware was used for educational purposes only. Okay, why is PHP weak?
Title: Re: vbs-malware and RAT - weak php involved..
Post by: polonus on July 13, 2020, 06:58:06 PM
Hi chabandima2002,

What I report always stems from third-party cold reconnaissance scanning (other sources, as here URLhaus).
I reported on the malware reported by URLhaus, so you have to ask there (and bark up that tree).
See: https://urlhaus.abuse.ch/host/expdom.ru/ and started from there (just for the QED).

Vulnerable PHP can indeed mean a threat to a website if input is not properly sanitized (between webserver and client).
There are particular functions that, when used, could well mean a risk.
That also applies to PHP-based CMSs.
Reporting on this also serves an educational purpose.

Site is still flagged: https://urlhaus.abuse.ch/host/expdom.ru/

polonus
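The point polonus makes about sanitization between webserver and client, shown as an added example that is not code from the thread or from the site discussed: a PHP page that echoes a request parameter straight into HTML next to a hardened version that allow-lists the value and encodes on output. The function names, the allow-list and the sample request are constructed for the example.

```php
<?php
// Added example (not from the forum thread): one page fragment rendered
// without and with output encoding. Names and the sample request are constructed.

declare(strict_types=1);

// Vulnerable form: untrusted request data is written straight into HTML.
// Whatever markup the client sent becomes part of the page the browser parses,
// which is exactly the source-to-sink path a DOM/reflected XSS scan reports.
function renderUnsafe(array $get): string
{
    $tariff = $get['tariff'] ?? '';
    return '<h1>Tariff: ' . $tariff . '</h1>';
}

// Hardened form: validate against an allow-list first, then encode on output
// for the context the value lands in (HTML text), with an explicit charset.
function renderSafe(array $get): string
{
    $allowed = ['basic', 'standard', 'extended'];   // constructed allow-list
    $tariff = $get['tariff'] ?? 'basic';
    if (!in_array($tariff, $allowed, true)) {
        $tariff = 'basic';   // anything outside the known set is rejected
    }
    $escaped = htmlspecialchars($tariff, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>Tariff: ' . $escaped . '</h1>';
}

// Free-text fields that cannot be allow-listed still get context-aware
// encoding so that '<', '>', '&' and quotes are rendered, not parsed.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request, standing in for $_GET, so the script runs stand-alone.
$request = ['tariff' => '<b>not a tariff</b>'];

echo renderUnsafe($request), PHP_EOL;          // markup passes through untouched
echo renderSafe($request), PHP_EOL;            // falls back to the allow-listed default
echo escapeHtml($request['tariff']), PHP_EOL;  // markup is encoded, not interpreted
```

Run it with `php example.php` to see the three outputs side by side. The allow-list is the stronger control where the set of legitimate values is known (a menu of tariffs, a page name); `htmlspecialchars` with an explicit charset is the fallback for free text, and it only covers the HTML text context, so values placed into attributes, URLs or JavaScript need the encoder for that context instead.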