Author Topic: Site with a lot of suspicious javascript according to zulu  (Read 1859 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Site with a lot of suspicious javascript according to zulu
« on: August 14, 2012, 09:13:32 PM »
The zulu warrior should take another short nap after listing all these external elements with suspicious javascript,
he will rise with renewed strength! This scanner has brought polonus and others loads of insight in the inner workings of websites
as has the use of certain file viewers....
The case: See: http://urlquery.net/report.php?id=129826
See: http://zulu.zscaler.com/submission/show/d9ba9f434f6e3441436c8730efe3b8b1-1344969928
Alerted here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=fettings.se
(script) www.fettings dot se/wp-content/plugins/nextgen-gallery/js/jquery.cycle.all.min.js?ver=2.9995
     status: (referer=www.fettings dot se/)saved 26590 bytes efd8010cc567c8c8b82d2782a9a4aa97ca2a11db
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable a.browser
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var a.browser = 1;   (understandable for the code waits for the browser to refresh)
          error: line:1: ....^  suspicious
This theme is vulnerable: twentyeleven/js/html5.js
To hide one is using WP, read tut here: http://benword.com/how-to-hide-that-youre-using-wordpress/  (link article author = BWorld a web developer)
Malware at site has probably been closed after being active for 1 to 1.6 of an hour.

Oh there is also "plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.06" on the site, vulnerable to XSS Cookie Stealing.
Cookie stealing code has been available from 2009 onwards and is still being used in 2012 to create a cookie stealer PHP file.
How to be secure as a visitor of such a website:
Use No-Script Addon. This is the best protection to stay away from XSS.
Never click the shortened URL (advice from EHN Reporter).

Be secure,

polonus
« Last Edit: August 14, 2012, 09:33:02 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
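
The `var a.browser = 1;` syntax error in the scan output above, reproduced as an added example (not part of the original post and not the scanner's own code). It assumes the scanner stubs each undefined variable by prepending `var <name> = 1;`, which cannot parse for a dotted name, so the error comes from the stub line; `naiveStub`, `nestedStub`, `parses` and `triage` are hypothetical names.

```javascript
// Added illustration. Assumption: the scanner defines each "undefined variable"
// by prepending `var <name> = 1;` to the script, as the log line suggests.
// naiveStub, nestedStub, parses and triage are hypothetical names.

// Stub in the form shown in the report.
function naiveStub(name) {
  return "var " + name + " = 1;";
}

// Stub that also works for property paths such as "a.browser".
function nestedStub(name) {
  const parts = name.split(".");
  if (parts.length === 1) return naiveStub(name);
  const out = ["var " + parts[0] + " = " + parts[0] + " || {};"];
  let path = parts[0];
  for (const p of parts.slice(1, -1)) {
    path += "." + p;
    out.push(path + " = " + path + " || {};");
  }
  out.push(name + " = 1;");
  return out.join(" ");
}

// Compile only (nothing is executed) and report whether the source parses.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Names taken from the two "undefined variable" lines in the scan output.
function triage(names) {
  return names.map((n) => ({
    name: n,
    naiveParses: parses(naiveStub(n)),
    nestedParses: parses(nestedStub(n)),
  }));
}

console.log(triage(["jQuery", "a.browser"]));
```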

Offline polonus

Re: Site with a lot of suspicious javascript according to zulu
« Reply #1 on: August 14, 2012, 09:53:14 PM »
Hi forum friends,

But there is also positive news here: wXw.fettings.se/xmlrpc.php -> XML-RPC server accepts POST requests only.
Why this is good news see here: http://www.bizimbal.com/odb/details.html?id=914312 (see offensive actions),

polonus