Author Topic: Security logging - bind insecurity, hostile DNS query and a trojan....  (Read 1470 times)


Offline polonus

See the IDS alert here: http://urlquery.net/report.php?id=1476479229624

Then we checked the integrity of that IP: https://www.threatminer.org/host.php?q=128.138.129.98

and: http://urlquery.net/report.php?id=1476405685598  -> http://network.msu.edu/cgi-bin/showhist?sysname=netman2&service=ext-abilene:colorado&dir=external&week=0&brief=1

And how that intertwined with this story: http://blog.malwaremustdie.org/2013/05/a-story-of-spambot-trojan-via-fake.html
and BIND issues: http://blog.malwaremustdie.org/2013/05/a-story-of-spambot-trojan-via-fake.html

These issues do not bring us up to a modern solid security situation: https://observatory.mozilla.org/analyze.html?host=www.colorado.edu
Best illustrated by the DROWN exploitability of their nameserver: https://test.drownattack.com/?site=boulder.colorado.edu

http://toolbar.netcraft.com/site_report?url=www.colorado.edu%2Falumni%2Fsites%2Fdefault%2Ffiles%2Fwebform%2Fuimbldon-suindon-match-1746475-20-15-10-2016.html
Re: HTTP only cookies: Warning

Requested URL: http://www.colorado.edu/ | Response URL: http://www.colorado.edu/ | Page title: Home | University of Colorado Boulder | HTTP status code: 200 (OK) | Response size: 48,310 bytes (gzip'd) | Duration: 216 ms
Overview
Cookies not flagged as "HttpOnly" may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the "HttpOnly" flag is missing it is due to oversight rather than by design.

Result
It looks like a cookie is being set without the "HttpOnly" flag being set (name : value):

f5_persistence : 3071322304.20480.0000
Unless the cookie legitimately needs to be read by JavaScript on the client, the "HttpOnly" flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

Rightly, no information returned in the "Server". No excessive header info proliferation.

Drupal 7 there; normally netcraft only returns Drupal. The server is Apache - http Apache to https 443 linux-gnu service running - cron.php, install.php

Also look here: http://fetch.scritch.org/%2Bfetch/?url=www.colorado.edu&useragent=Fetch+useragent&accept_encoding=

Retirables: -http://www.colorado.edu
Detected libraries:
jquery-migrate - 1.2.1 : -http://www.colorado.edu/sites/default/files/js/js_WGIhld0-3UYAktGmyfhTu5plpcW9JWEn4ql5U75q13s.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.9.1 : (active1) -http://www.colorado.edu/sites/default/files/js/js_ZDOaep6HA5A0eriyiN-YaNv7MHsjd-FIuFyilZ2o5cw.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
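The HttpOnly finding quoted in the post is easy to reproduce from raw response headers. The following is an added example written for this thread (not netcraft's code and not from the original post); the header list is constructed, with only the f5_persistence name and value taken from the scan result above.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure flags."""
from typing import Dict, List, Tuple

# Constructed sample response headers. The f5_persistence cookie mirrors the
# netcraft finding quoted in the post; the second cookie is made up to show
# what a correctly flagged cookie looks like.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "f5_persistence=3071322304.20480.0000; path=/"),
    ("Set-Cookie", "SESSexample=abc123; Path=/; HttpOnly; Secure"),
    ("Content-Type", "text/html; charset=utf-8"),
]


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, attr_val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True for them.
        attrs[key.strip().lower()] = attr_val.strip() if attr_val else True
    return {"name": name.strip(), "value": val.strip(), "attrs": attrs}


def audit_cookies(headers: List[Tuple[str, str]], https: bool) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing flags) for every Set-Cookie lacking HttpOnly,
    and lacking Secure when the page was served over HTTPS."""
    findings = []
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hval)
        missing = []
        if "httponly" not in cookie["attrs"]:
            missing.append("HttpOnly")
        if https and "secure" not in cookie["attrs"]:
            missing.append("Secure")
        if missing:
            findings.append((cookie["name"], missing))
    return findings


def harden_set_cookie(value: str) -> str:
    """Append HttpOnly to a Set-Cookie value that does not already carry it."""
    if "httponly" in parse_set_cookie(value)["attrs"]:
        return value
    return value.rstrip("; ") + "; HttpOnly"
```

The scanned page was fetched over plain http, so only the HttpOnly check applies there; the Secure check becomes relevant once the site is served over https.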

Offline polonus

Re: Security logging - bind insecurity, hostile DNS query and a trojan....
« Reply #1 on: February 16, 2017, 04:28:18 PM »
Update on the seriousness of the situation and the insecure infrastructure on American university networks:

https://www.recordedfuture.com/recent-rasputin-activity/

Hacks all due to SQL-injection leaks and exploitability.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!