Author Topic: Non-intrusive tracking by ssl.gstatic.com flagged?

polonus
Non-intrusive tracking by ssl.gstatic.com flagged?
« on: September 28, 2014, 01:39:33 PM »
See on MX VirusWatch: Up(nil):   unknown_html    ARIN   US   arin-contact at google dot com   74.125.133.132    to 74.125.133.132   blogspot dot com   htxp://sharepointpons.blogspot.com/
1 flags: https://www.virustotal.com/nl/url/5c968432a3b831c57eab8c34a52f110159ee089866a23a980a5cb8cc80c2a06e/analysis/1411902856/
Nothing: http://sitecheck.sucuri.net/results/sharepointpons.blogspot.com
and here: http://urlquery.net/report.php?id=1411903061474
Header Security Issues:
X-Frame-Options does not appear to be found in the site's HTTP header, increasing the likelihood of successful clickjacking attacks.
Strict-Transport-Security does not appear to be found in the site's HTTP header, so browsers will not try to access your pages over SSL first.
We did not detect Content-Security-Policy , x-webkit-csp, or even x-webkit-csp-report-only in the site's HTTP header, making XSS attacks more likely to succeed.
Server: was found in this site's HTTP header, possibly making it easier for attackers to know about potential vulnerabilities that may exist on your site!
Permitted-Cross-Domain-Policies does not appear to be found in the site's HTTP header, so it's possible that cross domain policies can be set by other users on your site and be obeyed by Adobe Flash and pdf files.
Server redirect
Code: 302,  http://sharepointpons.blogspot.de/ (in my case the redirect went to nl; for the Web Security Test in Germany the server redirect was to the de domain).
Redirect to external server!
Found 302 redirecting: http://fetch.scritch.org/%2Bfetch/?url=http://sharepointpons.blogspot.nl/
navbar-iframe-container mal redirect?
-ieretrofit.js found to be benign - questioned by other resources: http://www.exedb.com/systemfiles/930987230-ieretrofit[1].js.html
Code hiccup:
www.blogger.com/static/v1/widgets/2271878333-widgets.js benign

[nothing detected] (script) wXw.blogger.com/static/v1/widgets/2271878333-widgets.js
     status: (referer=sharepointpons.blogspot dot com/)saved 90737 bytes d10e7d10029a7a8ef0a32e806eb071e1d436657f
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     info: [decodingLevel=1] found JavaScript

     suspicious:
random:shindig.sha1.js tracking issue for Google Chrome -> read: https://code.google.com/p/chromium/issues/detail?id=252010

error on site for hxtps://apis.google.com/js/plusone.js -
Code:
//jsunpack.called CreateElement script //jsunpack.url setAttribute src = https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.en_US._nloWKe2jEw.O/m=plusone_unsupported/rt=j/sv=1/d=1/ed=1/am=EQ/rs=AItRSTP2dzz1Y5yhD_UMqja9k8ugY_oXWw/cb=gapi.loaded_0  //jsunpack.url element = undefined
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
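The header findings quoted in the post (missing X-Frame-Options, Strict-Transport-Security and CSP, a disclosed Server header, a missing X-Permitted-Cross-Domain-Policies header, and a 302 to an external host) can be reproduced with a small response-header audit. This is an added example, not code from the post or from the scanners it cites; the sample response, the Server value and the redirect target are constructed, and the cross-domain check uses the X-Permitted-Cross-Domain-Policies header name rather than the scanner's shortened spelling.

```python
"""Audit an HTTP response head for the header findings listed in the post."""
from urllib.parse import urlparse

# Constructed sample response modelled on the post's findings; not a real
# capture from the site discussed (Server value and Location are placeholders).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Example/1.0\r\n"
    "Location: http://example-redirect.invalid/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Any one of these counts as a Content-Security-Policy being present.
CSP_HEADERS = ("content-security-policy", "x-webkit-csp", "x-webkit-csp-report-only")


def parse_headers(raw):
    """Return (status_code, {lowercased-name: value}) from a raw response head."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(raw, requested_host):
    """Return a list of finding strings for a response to requested_host."""
    status, h = parse_headers(raw)
    findings = []
    if "x-frame-options" not in h:
        findings.append("missing X-Frame-Options (clickjacking)")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if not any(name in h for name in CSP_HEADERS):
        findings.append("no Content-Security-Policy variant (XSS)")
    if h.get("server"):
        findings.append("Server header disclosed: " + h["server"])
    if "x-permitted-cross-domain-policies" not in h:
        findings.append("missing X-Permitted-Cross-Domain-Policies")
    if status in (301, 302, 303, 307, 308) and "location" in h:
        target = urlparse(h["location"]).hostname or requested_host
        if target != requested_host:  # redirect leaves the requested host
            findings.append("%d redirect to external host %s" % (status, target))
    return findings
```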

polonus
Re: Non-intrusive tracking by ssl.gstatic.com flagged?
« Reply #1 on: September 28, 2014, 02:43:18 PM »
Saw another one flagged at MX VirusWatch archives for today: Up(nil):   unknown_html_RFI_shell   ARIN   US   arin-contact at google dot com   74.125.133.132    to 74.125.133.132   blogspot dot com   htxp://septemberflikkan.blogspot.com/

Anxious to get at the culprit of this detection, I have found that the only scanner that has something substantial on this is good old Quttera; 32 files flagged like this one: /2014/05/forberedelser.html
Severity:   Suspicious
Reason:   Detected reference to blacklisted domain
Details:   Detected reference to suspicious blacklisted domain 4.bp dot blogspot.com
File size[byte]:   86129
File type:   ASCII
Page/File MD5:   DFCB9032F82AA44278E04BD98609DE79
Scan duration[sec]:   0.307000

We are nearing in on the matter here: https://www.virustotal.com/nl/domain/4.bp.blogspot.com/information/
But avast misses it: https://www.virustotal.com/nl/file/cdf8594d6a020ec3095dd1ed74d8575dfc84bab2427fa42e4f054f972ae2699c/analysis/
TrojWare.Win32.Injector.KRTE
very unlikely to be anything nasty: http://forum.rpg.net/showthread.php?677105-GOG-Duke-1-amp-2-Trojan-warning

iFrame detected:
Code:
<iframe frameborder="'+Ra(r(c.frameborder))+'" scrolling="'+Ra(r(c.scrolling))+'" '+h+' name="'+Ra(r(c.name))+'"/>
List of referenced blacklisted domains/hosts: 2
denenarmadebanditen.elsasentourage dot se
4.bp.blogspot dot com

errors on site code for gapi-google-analytics-php-interface: undefined variable gapi

polonus