Author Topic: malscript detected on parked website!


polonus

  • Avast Überevangelist
  • Probably Bot
  • malware fighter
malscript detected on parked website!
« on: September 27, 2015, 04:17:57 PM »
What is being detected:
Added / Verified: 2015-09-27
Severity: 2
Host: -ak2.imgaft.com/script/jquery-1.3.1.min.js
Comment: Malware
And where: https://urlquery.net/report.php?id=1443362289737
Detection missed here: http://killmalware.com/kantibiotics.net/
Redirection met 500 Connection Reset, not scanning deep enough: http://zulu.zscaler.com/submission/show/00b1d8edee5d8b6118191d548fade105-1443362479
Got a ten out of ten red website risk status here: http://toolbar.netcraft.com/site_report?url=http://kantibiotics.net
This is the code I meet:
Code:
<!DOCTYPE html><body style="padding:0; margin:0;"><html><body><iframe src="-http://mcc.godaddy.com/park/rT5uM3MiqzWaqaOzYzSlMj==" style="visibility: visible;height: 100%; position:absolute" allowtransparency="true" marginheight="0" marginwidth="0" frameborder="0" width="100%"></iframe></body></html>

Again GoDaddy abuse, my dear friends, the row of issues with this hoster seems really endless! Happily uMatrix has prevented the following page from loading:
-http://mcc.godaddy.com/park/rT5uM3MiqzWaqaOzYzSlMj== for the reversed DNS WOT seems to fully agree: https://www.mywot.com/en/scorecard/ip-184-168-221-56.ip.secureserver.net?utm_source=addon&utm_content=rw-viewsc
Only to be confirmed here: http://toolbar.netcraft.com/site_report?url=http://ip-184-168-221-56.ip.secureserver.net
From the asafaweb scan results we see the professionals having some issues to tackle: https://asafaweb.com/Scan?Url=ip-184-168-221-56.ip.secureserver.net  because we see a fail and two errors. It looks like custom errors are not correctly configured, as the requested URL contains the heading "Server Error in". Potentially sensitive internal implementation information is not kept away from public view. By default, excessive information about the server and frameworks used by an ASP.NET application is returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.

Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319

Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin, or allow it from trusted URIs.

Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

polonus (volunteer website security analyst and website error-hunter)



Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
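The two asafaweb findings quoted in the post (platform-disclosing response headers, and no X-Frame-Options header) can both be checked offline against a captured header set. The script below is an added example and is not part of the original post or of any scanner mentioned in it; the two header dictionaries are constructed samples, the first mirroring the three headers asafaweb reported, the second a hardened response with those headers removed and framing restricted. It also accepts a Content-Security-Policy frame-ancestors directive as a valid anti-framing control, which goes slightly beyond the X-Frame-Options-only wording of the scan result.

```python
"""Offline audit of HTTP response headers for two findings: platform
disclosure (Server, X-Powered-By, X-AspNet-Version) and a missing or
invalid anti-framing header.  Added example; header sets are constructed,
no network access is made."""
from typing import Dict, List

# Headers whose presence reveals the web platform (the three named in
# the asafaweb result quoted in the post).
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

# X-Frame-Options directives defined by RFC 7034 (ALLOW-FROM handled separately).
VALID_XFO = {"DENY", "SAMEORIGIN"}


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def disclosed_platform_headers(headers: Dict[str, str]) -> List[str]:
    """Return 'Name: value' for each platform-disclosing header present."""
    lowered = _lower_keys(headers)
    found = []
    for name in DISCLOSING_HEADERS:
        value = lowered.get(name.lower())
        if value is not None:
            found.append(f"{name}: {value}")
    return found


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify the anti-framing posture of a response.

    'csp'          Content-Security-Policy carries frame-ancestors
    'xfo:<VALUE>'  a valid X-Frame-Options directive
    'invalid'      X-Frame-Options present but not a recognised directive
    'missing'      neither control present
    """
    lowered = _lower_keys(headers)
    csp = lowered.get("content-security-policy", "")
    if "frame-ancestors" in csp.lower():
        return "csp"
    xfo = lowered.get("x-frame-options")
    if xfo is None:
        return "missing"
    xfo_norm = xfo.strip().upper()
    if xfo_norm in VALID_XFO or xfo_norm.startswith("ALLOW-FROM "):
        return f"xfo:{xfo_norm}"
    return "invalid"


def audit(headers: Dict[str, str]) -> Dict[str, object]:
    """Run both checks and summarise; clickjacking risk is flagged when
    no usable anti-framing control is present."""
    policy = framing_policy(headers)
    return {
        "disclosed": disclosed_platform_headers(headers),
        "framing": policy,
        "clickjacking_risk": policy in ("missing", "invalid"),
    }


# Constructed sample: the headers the post quotes from the asafaweb scan.
EXPOSED_RESPONSE = {
    "Server": "Microsoft-IIS/7.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html",
}

# Constructed sample of a hardened response: disclosing headers stripped,
# framing limited to the same origin via both mechanisms.
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("exposed", EXPOSED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(hdrs))
```

On a live server the same `audit` function can be fed the headers of an HTTP response object; the expected outcome for the hardened case is an empty `disclosed` list and `clickjacking_risk` false.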