Author Topic: How many sites still have -htxp://js.users.51.la/19099393.js malware script?  (Read 3703 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Example: https://virustotal.com/#/url/baeb717b5a54c0521650ff280e898abfe438d70c3e2ef0f8d861c5ff3b91cd5f/detection
where the detection is not given, ignored?
Here the potential problem is flagged sufficiently: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=72b668.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1
It is known that avast will always flag... ;)
Quote
Note: The URL(s) listed above have been found in the page you are checking. While the URL(s) are not currently flagged as suspicious by Google they have returned malicious content, unwanted software, deceptive content, and/or caused problems recently and should be investigated. Do they belong in your page?
Quote
***
52: "javascript" type="text/javascript" src="hxxp://js.users.51.la/19099393.js"
Note: The script call above looks suspicious! Check to make sure it is legit.
while this is adding to the gravity of the situation: https://sritest.io/#report/76d2b13d-cfb8-4844-89ad-bb6d2d73fba1

Then we have a custom error: Fail and two warnings here: https://asafaweb.com/Scan?Url=72b668.com
Potentially dangerous files: .apk   Detected
Name Servers Allow TCP Connections   Failed   Found name servers which don't allow TCP connections:
-juming.dnsdun.com

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus
Update: Here we find it again and it is not flagged here: https://zulu.zscaler.com/submission/b5f17a3b-3bcf-48e4-a4e3-8ea2d3fa4c1a
Retirable jQuery code: http://retire.insecurity.today/#!/scan/c6c840e1bca3caacc38aa4c5c194536bd4600a2d6a0a72cc5579ca0598fbbc87

The code in question has errors as well:
Quote
-js.users.51.la/19062109.js
     
     info: [decodingLevel=0] found JavaScript
     error: undefined variable Image
     error: ./pre.js:249: TypeError: Image is not a constructor
     info: [decodingLevel=1] found JavaScript
     error: line:6: TypeError: Image is not a constructor
and download from it
Quote
/eval a2109img = new Image;a2109img.src=a2109src;  //document.write (s)  <a href="httxs://www.51.la/?19062109" target="_blank" title="-51.La &#x7F51;&#x7AD9;&#x6D41;&#x91CF;&#x7EDF;&#x8BA1;&#x7CFB;&#x7EDF;">&#x7F51;&#x7AD9;&#x7EDF;&#x8BA1;</a> 
Also see: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=js.users.51.la%2F19062109.js&ref_sel=GSP2&ua_sel=ff&fs=1

polonus

Offline polonus
Update: And another site that has it: https://urlquery.net/report/ba8f70da-848b-4178-abae-622504a16738
and see: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=kgpecas.com&ref_sel=GSP2&ua_sel=ff&fs=1
where we also meet a redirect -> https://quttera.com/sitescan/blog.sina.com.cn
also malware at that link: https://sitecheck.sucuri.net/results/blog.sina.com.cn

ISSUE DETECTED   DEFINITION   INFECTED URL
Website Malware   malware.hidden_iframe?2   hxtp://blog.sina.com.cn/
Website Malware   malware.hidden_iframe?2   htxp://blog.sina.com.cn
Hidden Iframes. Details: http://labs.sucuri.net/db/malware/malware.hidden_iframe?2
<iframe width="0" height="0" frameborder="0" scrolling="no" src="hxtp://interest.mix.sina.com.cn/api/topic_v2/sso" style="display:block;">
Also System Details:
Running on: nginx/1.2.8
Outdated Web Server Nginx Found: nginx/1.2.8
See: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=blog.sina.com.cn%2Fu%2F6010667446&ref_sel=GSP2&ua_sel=ff&fs=1

Cloaking found, spammy looking links and iFrames: http://www.isithacked.com/check/http%3A%2F%2Fblog.sina.com.cn

-http://blog.sina.com.cn/
Detected libraries:
jquery - 1.10.2 : (active) -http://www.sinaimg.cn/video/2014_news_video/js/jquery.1.10.2.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

polonus
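The external script call flagged in the first post (an off-site `<script src>` with no Subresource Integrity, which is what sritest.io complains about), the jQuery version retire.js reads off the script URL in this post, and the zero-size iframe Sucuri reports above are all things you can check for yourself from a page's HTML. The following is an added example, not polonus's code and not the logic of aw-snap, sritest, Sucuri or retire.js; the watch-list, the page host `72b668.com` and the sample page are constructed from the URLs quoted in the thread.

```python
"""Static audit of a page's HTML for the findings reported in this thread:
external <script> tags from a watch-listed host, external scripts with no
Subresource Integrity attribute, zero-size or hidden <iframe>s, and a jQuery
version read off a script URL (the way retire.js reports "jquery - 1.10.2").
Added example, not the poster's code and not any linked scanner's logic.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a local watch-list of third-party script hosts, seeded with the
# host this thread is about.
WATCHLIST = {"js.users.51.la"}

# Matches jquery.1.10.2.min.js and jquery-1.10.2.js style file names.
JQUERY_RE = re.compile(r"jquery[.-](\d+\.\d+\.\d+)", re.IGNORECASE)

# Constructed sample page: the 51.la call from the first post, the jQuery URL
# and the sina iframe from the third post, plus one first-party script.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="http://js.users.51.la/19099393.js"></script>
<script src="http://www.sinaimg.cn/video/2014_news_video/js/jquery.1.10.2.min.js"></script>
<script src="/static/app.js"></script>
</head><body>
<iframe width="0" height="0" frameborder="0" scrolling="no"
        src="http://interest.mix.sina.com.cn/api/topic_v2/sso" style="display:block;"></iframe>
</body></html>"""


class PageAuditor(HTMLParser):
    """Collects (finding, detail) pairs while parsing."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self._check_script(a["src"], a)
        elif tag == "iframe":
            self._check_iframe(a)

    def _check_script(self, src, a):
        # A relative src is served by the page's own host.
        host = urlparse(src).hostname or self.page_host
        if host in WATCHLIST:
            self.findings.append(("watchlist-script", src))
        # Off-site script without an integrity= attribute: no SRI protection.
        if host != self.page_host and not a.get("integrity"):
            self.findings.append(("no-sri", src))
        m = JQUERY_RE.search(src)
        if m:
            self.findings.append(("jquery-version", m.group(1)))

    def _check_iframe(self, a):
        style = (a.get("style") or "").replace(" ", "").lower()
        zero_size = a.get("width") == "0" or a.get("height") == "0"
        hidden = "display:none" in style or "visibility:hidden" in style
        if zero_size or hidden:
            self.findings.append(("hidden-iframe", a.get("src") or ""))


def audit_html(html, page_host):
    """Parse html as served by page_host and return the list of findings."""
    auditor = PageAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_HTML, "72b668.com"):
        print(f"{kind:18s} {detail}")
```

One caveat on the SRI finding: an `integrity` hash only works for a script whose bytes never change. A hosted statistics script like the 51.la one is typically regenerated by its provider, so it cannot be pinned with SRI at all, which is exactly why such a call deserves a closer look rather than a quick fix.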

Offline polonus
Updating,

Still on many sites in the Chinese infrastructure: http://urlquery.net/report/9e8f8d98-814e-4327-8f47-5dc14ff74c87
See the error and eval image download treated here
Quote
-js.users.51.la/18770492.js benign
saved 6760 bytes 83025ac1927f410ebc04a4a75bdc9eaa898e1118
     info: [decodingLevel=0] found JavaScript
     error: undefined variable Image
     error: ./pre.js:249: TypeError: Image is not a constructor
     info: [decodingLevel=1] found JavaScript
     error: line:6: TypeError: Image is not a constructor
     file: 83025ac1927f410ebc04a4a75bdc9eaa898e1118: 6760 bytes
     file: afc861a3136fc0cd38b7ec91cc29c85164bd87aa: 246 bytes

Excessive header warning: The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Overview
Cookies not flagged as "HttpOnly" may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the "HttpOnly" flag is missing it is due to oversight rather than by design.

Result
It looks like 3 cookies are being set without the "HttpOnly" flag being set (name : value):

WsEw_9831_lastvisit : 1515501518
WsEw_9831_sid : FB712w
WsEw_9831_lastact : 1515505118%09index.php%09list
Unless the cookie legitimately needs to be read by JavaScript on the client, the "HttpOnly" flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

10 issues here: https://privacyscore.org/site/36809/

polonus

P.S. Also consider links in script code going here to XUNVE dot com:
http://www.statsinfinity.com/domain/TCVbB-Q1WnNBk1Uiw5zlXQ.._info.html

Damian
« Last Edit: January 09, 2018, 02:52:45 PM by polonus »
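The two asafaweb findings quoted in this post, platform-disclosing `Server` / `X-Powered-By` headers and cookies set without `HttpOnly`, are easy to check from a captured response. The following is an added example, not polonus's code and not asafaweb's; the response is constructed from the header values and cookie names quoted above, the `csrf_token` cookie is made up to show a cookie that passes, and the `Secure` check goes a step beyond what the post discusses (it only matters once the site is served over HTTPS).

```python
"""Audits a raw HTTP response for the two asafaweb findings quoted in the post:
platform-disclosing headers and cookies set without HttpOnly (Secure is
checked as well).  Added example, not the poster's or asafaweb's code.
"""

# Header names that reveal the web platform (assumption: a small local list).
DISCLOSING = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

# Constructed response: header values and cookie names taken from the post;
# the csrf_token cookie is made up to show a cookie that passes the checks.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: WsEw_9831_lastvisit=1515501518; expires=Fri, 09-Feb-2018 14:51:58 GMT; path=/\r\n"
    "Set-Cookie: WsEw_9831_sid=FB712w; path=/\r\n"
    "Set-Cookie: WsEw_9831_lastact=1515505118%09index.php%09list; path=/\r\n"
    "Set-Cookie: csrf_token=abc123; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Return (status line, [(name, value), ...]) from a raw response.
    Stops at the blank line that ends the header block."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status, headers = lines[0], []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def audit_cookie(value):
    """Flag a Set-Cookie value that lacks the HttpOnly or Secure attribute."""
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(("no-httponly", cookie_name))
    if "secure" not in attrs:
        findings.append(("no-secure", cookie_name))
    return findings


def audit_headers(raw):
    """Collect (finding, detail) pairs for disclosing headers and weak cookies."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname in DISCLOSING:
            findings.append(("disclosure", f"{name}: {value}"))
        elif lname == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_headers(SAMPLE_RESPONSE):
        print(f"{kind:12s} {detail}")
```

On the Apache/PHP stack shown in the post, the header half of this is configuration: `ServerTokens Prod` trims the `Server` header to `Apache`, `Header unset X-Powered-By` (mod_headers) drops the PHP banner, and `expose_php = Off` in php.ini stops PHP adding it in the first place. The session cookie can be fixed with `session.cookie_httponly = 1`; cookies the application sets itself need the flag added in its own code.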