Author Topic: Tests and other Media topics  (Read 587189 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Re: Tests and other Media topics
« Reply #646 on: January 22, 2019, 05:07:55 PM »
L.S.

See what malware sites were being reported to URLhaus lately: https://urlhaus.abuse.ch/browse/
Before being taken down by providers, some stay active for over a week and can infect a great many devices with malware.

In the case of Chinese malware sites, Chinese providers are known to react rather slowly; some malcode may stay on for over a month. They shouldn't be that lax. Domination on malware is not a thing to be proud of.  ;)

URLhaus, with 256 researchers, has over the last 10 months managed to get 100.000 websites taken down.

polonus

Re: Tests and other Media topics
« Reply #647 on: January 22, 2019, 05:56:26 PM »
Example of such a blacklisted site being taken down: https://urlhaus.abuse.ch/url/107430/
See the server details:
Web Server: None
X-Powered-By: None
IP Address: 69.90.66.40
Hosting Provider: Cogeco Peer 1 -> https://www.privacyshield.gov/participant?id=a2zt0000000TNvtAAG&status=Active
Shared Hosting: 3 sites found on 69.90.66.40

Clean-up needed: https://sitecheck.sucuri.net/results/tekacars.com/wp-content

Re: http://69.90.66.40/cgi-sys/defaultwebpage.cgi  not secure.

polonus

Re: Tests and other Media topics
« Reply #648 on: January 25, 2019, 05:54:30 PM »
Stumbled upon this scam tester: https://www.scamner.com/latest
Could be checked also against scams at https://www.urlvoid.com/
and here: https://www.siteprice.org/tools/AdultWebsiteChecker.aspx

enjoy my friends, enjoy

polonus

Re: Tests and other Media topics
« Reply #649 on: February 03, 2019, 06:57:04 PM »
Quite a selection of website scanners:
https://keystonesolutions.io/solutions/lookup-potentially-malicious-websites/
to look up potentially malicious websites.

Example looked up on PHISHCheck from here: wXw.hannahsartistcorner.com  -> https://www.threatminer.org/domain.php?q=www.hannahsartistcorner.com  delivering result
Quote
{"sid": 177823, "is_success": true}

Google Safebrowsing alerts for such sites like htxps://uprisefest.com/images/account/index.php with a security error,
which is being reported to PHISHTank. 
100% given as malicious here: https://zulu.zscaler.com/submission/9067b9f4-3f64-46e4-8200-a2bfe3262741

polonus

Re: Tests and other Media topics
« Reply #650 on: February 05, 2019, 12:10:51 AM »
Different days for first-time detections, are they being reported independently?

Re: https://urlhaus.abuse.ch/url/117199/   &  https://otx.alienvault.com/indicator/domain/vektorex.com
Also see external sources given there...

Our forum friend, Pondus, is always very accurate on the most recent VT results.  ;) Thank you, Pondus.

Here they'd come up with 'three days ago': https://www.virustotal.com/nl/file/199a431e655b6890e3641cda8a98cdaa5c9e4c79303aa734f1ad05eb7ba6b01c/analysis/1549019095/

and this was only yesterday: https://www.virustotal.com/nl/domain/vektorex.com/information/

polonus

Re: Tests and other Media topics
« Reply #651 on: February 14, 2019, 09:38:35 PM »
Hole in WordPress plug-ins.
A listing of vulnerable plug-ins from various resources:
https://firstsiteguide.com/tools/free-fsg/hacked-dangerous-vulnerable-wordpress-plugins/#bad_plugins

To get recommendations and tips to improve websites, scan: https://webhint.io/scanner/ & https://webscan.upguard.com/

Specifically for a quick and dirty check on the WordPress CMS: https://hackertarget.com/wordpress-security-scan/

Or use retire.js as a Google Chrome/Brave 1.0/ extension: https://chrome.google.com/webstore/detail/retirejs/moibopkbhjceeedibkbkbchbjnkadmom

polonus (volunteer website security analyst and website error-hunter)


Re: Tests and other Media topics
« Reply #653 on: February 21, 2019, 08:05:08 PM »
Resources for vulnerabilities. Example of an outdated, vulnerable WordPress plug-in:
https://publicwww.com/websites/wp-pagenavi+2.92/

wp-pagenavi 2.92   latest release (2.93) Update required
https://lesterchan.net/portfolio/programming/php/

polonus

Re: Tests and other Media topics
« Reply #654 on: February 26, 2019, 11:51:57 PM »
Handy online tool for the javascript analyst (use with discernment and always play nice):

A good online deobfuscator of javascript: https://www.dcode.fr/javascript-unobfuscator
Proof of the pudding - "probieren geht ueber studieren" (trying beats studying):

Some harmless obfuscated code like wp-embed.min.js?ver=4.9.9
Quote
var _0x9024=["\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74","\x4D\x53\x49\x45\x20\x31\x30","\x69\x6E\x64\x65\x78\x4F\x66","\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E","\x6D\x61\x74\x63\x68","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x69\x66\x72\x61\x6D\x65\x2E\x77\x70\x2D\x65\x6D\x62\x65\x64\x64\x65\x64\x2D\x63\x6F\x6E\x74\x65\x6E\x74","\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C","\x6C\x65\x6E\x67\x74\x68","\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74","\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x73\x75\x62\x73\x74\x72","\x72\x61\x6E\x64\x6F\x6D","\x73\x72\x63","\x23\x3F\x73\x65\x63\x72\x65\x74\x3D","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x63\x6C\x6F\x6E\x65\x4E\x6F\x64\x65","\x73\x65\x63\x75\x72\x69\x74\x79","\x72\x65\x6D\x6F\x76\x65\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x72\x65\x70\x6C\x61\x63\x65\x43\x68\x69\x6C\x64","\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x77\x70","\x72\x65\x63\x65\x69\x76\x65\x45\x6D\x62\x65\x64\x4D\x65\x73\x73\x61\x67\x65","\x64\x61\x74\x61","\x73\x65\x63\x72\x65\x74","\x6D\x65\x73\x73\x61\x67\x65","\x76\x61\x6C\x75\x65","\x74\x65\x73\x74","\x69\x66\x72\x61\x6D\x65\x5B\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74\x3D\x22","\x22\x5D","\x62\x6C\x6F\x63\x6B\x71\x75\x6F\x74\x65\x5B\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74\x3D\x22","\x64\x69\x73\x70\x6C\x61\x79","\x73\x74\x79\x6C\x65","\x6E\x6F\x6E\x65","\x73\x6F\x75\x72\x63\x65","\x63\x6F\x6E\x74\x65\x6E\x74\x57\x69\x6E\x64\x6F\x77","\x68\x65\x69\x67\x68\x74","\x6C\x69\x6E\x6B","\x61","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x68\x72\x65\x66","\x68\x6F\x73\x74","\x61\x63\x74\x69\x76\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x6F\x70","\x44\x4F\x4D\x43\x6F\x6E\x74\x65\x6E\x74\x4C\x6F\x61\x64\x65\x64","\x6C\x6F\x61\x64"];!function(_0x9312x1,_0x9312x2){_0x9024[0];function 
_0x9312x3(){if(!_0x9312x9){_0x9312x9=  !0;var _0x9312x1,_0x9312x3,_0x9312x4,_0x9312x5,_0x9312x6=-1!== navigator[_0x9024[3]][_0x9024[2]](_0x9024[1]),_0x9312x7=!!navigator[_0x9024[5]][_0x9024[4]](/Trident.*rv:11\./),_0x9312x8=_0x9312x2[_0x9024[7]](_0x9024[6]);for(_0x9312x3= 0;_0x9312x3< _0x9312x8[_0x9024[8]];_0x9312x3++){if(_0x9312x4= _0x9312x8[_0x9312x3],!_0x9312x4[_0x9024[10]](_0x9024[9])){_0x9312x5= Math[_0x9024[12]]().toString(36)[_0x9024[11]](2,10),_0x9312x4[_0x9024[13]]+= _0x9024[14]+ _0x9312x5,_0x9312x4[_0x9024[15]](_0x9024[9],_0x9312x5)};if(_0x9312x6|| _0x9312x7){_0x9312x1= _0x9312x4[_0x9024[16]](!0),_0x9312x1[_0x9024[18]](_0x9024[17]),_0x9312x4[_0x9024[20]][_0x9024[19]](_0x9312x1,_0x9312x4)}}}}var _0x9312x4=!1,_0x9312x9=!1;if(_0x9312x2[_0x9024[21]]){if(_0x9312x1[_0x9024[22]]){_0x9312x4=  !0}};if(_0x9312x1[_0x9024[23]]= _0x9312x1[_0x9024[23]]|| {},!_0x9312x1[_0x9024[23]][_0x9024[24]]){if(_0x9312x1[_0x9024[23]][_0x9024[24]]= function(_0x9312x3){var _0x9312x4=_0x9312x3[_0x9024[25]];if(_0x9312x4){if(_0x9312x4[_0x9024[26]]|| _0x9312x4[_0x9024[27]]|| _0x9312x4[_0x9024[28]]){if(!/[^a-zA-Z0-9]/[_0x9024[29]](_0x9312x4[_0x9024[26]])){var _0x9312x9,_0x9312x5,_0x9312x6,_0x9312x7,_0x9312x8,_0x9312xa=_0x9312x2[_0x9024[7]](_0x9024[30]+ _0x9312x4[_0x9024[26]]+ _0x9024[31]),_0x9312xb=_0x9312x2[_0x9024[7]](_0x9024[32]+ _0x9312x4[_0x9024[26]]+ _0x9024[31]);for(_0x9312x9= 0;_0x9312x9< _0x9312xb[_0x9024[8]];_0x9312x9++){_0x9312xb[_0x9312x9][_0x9024[34]][_0x9024[33]]= _0x9024[35]};for(_0x9312x9= 0;_0x9312x9< _0x9312xa[_0x9024[8]];_0x9312x9++){if(_0x9312x5= _0x9312xa[_0x9312x9],_0x9312x3[_0x9024[36]]=== _0x9312x5[_0x9024[37]]){if(_0x9312x5[_0x9024[18]](_0x9024[34]),_0x9024[38]=== _0x9312x4[_0x9024[27]]){if(_0x9312x6= parseInt(_0x9312x4[_0x9024[28]],10),_0x9312x6> 1e3){_0x9312x6= 1e3}else {if(~~_0x9312x6< 200){_0x9312x6= 200}};_0x9312x5[_0x9024[38]]= _0x9312x6};if(_0x9024[39]=== _0x9312x4[_0x9024[27]]){if(_0x9312x7= _0x9312x2[_0x9024[41]](_0x9024[40]),_0x9312x8= 
_0x9312x2[_0x9024[41]](_0x9024[40]),_0x9312x7[_0x9024[42]]= _0x9312x5[_0x9024[10]](_0x9024[13]),_0x9312x8[_0x9024[42]]= _0x9312x4[_0x9024[28]],_0x9312x8[_0x9024[43]]=== _0x9312x7[_0x9024[43]]){if(_0x9312x2[_0x9024[44]]=== _0x9312x5){_0x9312x1[_0x9024[46]][_0x9024[45]][_0x9024[42]]= _0x9312x4[_0x9024[28]]}}}}else {;}}}}}},_0x9312x4){_0x9312x1[_0x9024[22]](_0x9024[27],_0x9312x1[_0x9024[23]][_0x9024[24]],!1),_0x9312x2[_0x9024[22]](_0x9024[47],_0x9312x3,!1),_0x9312x1[_0x9024[22]](_0x9024[48],_0x9312x3,!1)}}}(window,document)

Original code that came out, the result:
Quote
'use strict';
var _0x9024 = ["use strict", "MSIE 10", "indexOf", "appVersion", "match", "userAgent", "iframe.wp-embedded-content", "querySelectorAll", "length", "data-secret", "getAttribute", "substr", "random", "src", "#?secret=", "setAttribute", "cloneNode", "security", "removeAttribute", "replaceChild", "parentNode", "querySelector", "addEventListener", "wp", "receiveEmbedMessage", "data", "secret", "message", "value", "test", 'iframe[data-secret="', '"]', 'blockquote[data-secret="', "display", "style", "none",
"source", "contentWindow", "height", "link", "a", "createElement", "href", "host", "activeElement", "location", "top", "DOMContentLoaded", "load"];
!function(_0x9312x1$jscomp$0, _0x9312x2$jscomp$0) {
function _0x9312x3$jscomp$0() {
if (!_0x9312x9$jscomp$0) {
_0x9312x9$jscomp$0 = true;
var _0x9312x1$jscomp$1;
var _0x9312x3$jscomp$1;
var _0x9312x4$jscomp$1;
var _0x9312x5$jscomp$0;
var _0x9312x6$jscomp$0 = -1 !== navigator[_0x9024[3]][_0x9024[2]](_0x9024[1]);
var _0x9312x7$jscomp$0 = !!navigator[_0x9024[5]][_0x9024[4]](/Trident.*rv:11\./);
var _0x9312x8$jscomp$0 = _0x9312x2$jscomp$0[_0x9024[7]](_0x9024[6]);
_0x9312x3$jscomp$1 = 0;
for (; _0x9312x3$jscomp$1 < _0x9312x8$jscomp$0[_0x9024[8]]; _0x9312x3$jscomp$1++) {
if (_0x9312x4$jscomp$1 = _0x9312x8$jscomp$0[_0x9312x3$jscomp$1], !_0x9312x4$jscomp$1[_0x9024[10]](_0x9024[9])) {
_0x9312x5$jscomp$0 = Math[_0x9024[12]]().toString(36)[_0x9024[11]](2, 10);
_0x9312x4$jscomp$1[_0x9024[13]] += _0x9024[14] + _0x9312x5$jscomp$0;
_0x9312x4$jscomp$1[_0x9024[15]](_0x9024[9], _0x9312x5$jscomp$0);
}
if (_0x9312x6$jscomp$0 || _0x9312x7$jscomp$0) {
_0x9312x1$jscomp$1 = _0x9312x4$jscomp$1[_0x9024[16]](true);
_0x9312x1$jscomp$1[_0x9024[18]](_0x9024[17]);
_0x9312x4$jscomp$1[_0x9024[20]][_0x9024[19]](_0x9312x1$jscomp$1, _0x9312x4$jscomp$1);
}
}
}
}
_0x9024[0];
var _0x9312x4$jscomp$0 = false;
var _0x9312x9$jscomp$0 = false;
if (_0x9312x2$jscomp$0[_0x9024[21]]) {
if (_0x9312x1$jscomp$0[_0x9024[22]]) {
_0x9312x4$jscomp$0 = true;
}
}
if (_0x9312x1$jscomp$0[_0x9024[23]] = _0x9312x1$jscomp$0[_0x9024[23]] || {}, !_0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]]) {
if (_0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]] = function(_0x9312x3$jscomp$2) {
var _0x9312x4$jscomp$2 = _0x9312x3$jscomp$2[_0x9024[25]];
if (_0x9312x4$jscomp$2) {
if (_0x9312x4$jscomp$2[_0x9024[26]] || _0x9312x4$jscomp$2[_0x9024[27]] || _0x9312x4$jscomp$2[_0x9024[28]]) {
if (!/[^a-zA-Z0-9]/[_0x9024[29]](_0x9312x4$jscomp$2[_0x9024[26]])) {
var _0x9312x9$jscomp$1;
var _0x9312x5$jscomp$1;
var _0x9312x6$jscomp$1;
var _0x9312x7$jscomp$1;
var _0x9312x8$jscomp$1;
var _0x9312xa$jscomp$0 = _0x9312x2$jscomp$0[_0x9024[7]](_0x9024[30] + _0x9312x4$jscomp$2[_0x9024[26]] + _0x9024[31]);
var _0x9312xb$jscomp$0 = _0x9312x2$jscomp$0[_0x9024[7]](_0x9024[32] + _0x9312x4$jscomp$2[_0x9024[26]] + _0x9024[31]);
_0x9312x9$jscomp$1 = 0;
for (; _0x9312x9$jscomp$1 < _0x9312xb$jscomp$0[_0x9024[8]]; _0x9312x9$jscomp$1++) {
_0x9312xb$jscomp$0[_0x9312x9$jscomp$1][_0x9024[34]][_0x9024[33]] = _0x9024[35];
}
_0x9312x9$jscomp$1 = 0;
for (; _0x9312x9$jscomp$1 < _0x9312xa$jscomp$0[_0x9024[8]]; _0x9312x9$jscomp$1++) {
if (_0x9312x5$jscomp$1 = _0x9312xa$jscomp$0[_0x9312x9$jscomp$1], _0x9312x3$jscomp$2[_0x9024[36]] === _0x9312x5$jscomp$1[_0x9024[37]]) {
if (_0x9312x5$jscomp$1[_0x9024[18]](_0x9024[34]), _0x9024[38] === _0x9312x4$jscomp$2[_0x9024[27]]) {
if (_0x9312x6$jscomp$1 = parseInt(_0x9312x4$jscomp$2[_0x9024[28]], 10), _0x9312x6$jscomp$1 > 1e3) {
_0x9312x6$jscomp$1 = 1e3;
} else {
if (~~_0x9312x6$jscomp$1 < 200) {
_0x9312x6$jscomp$1 = 200;
}
}
_0x9312x5$jscomp$1[_0x9024[38]] = _0x9312x6$jscomp$1;
}
if (_0x9024[39] === _0x9312x4$jscomp$2[_0x9024[27]]) {
if (_0x9312x7$jscomp$1 = _0x9312x2$jscomp$0[_0x9024[41]](_0x9024[40]), _0x9312x8$jscomp$1 = _0x9312x2$jscomp$0[_0x9024[41]](_0x9024[40]), _0x9312x7$jscomp$1[_0x9024[42]] = _0x9312x5$jscomp$1[_0x9024[10]](_0x9024[13]), _0x9312x8$jscomp$1[_0x9024[42]] = _0x9312x4$jscomp$2[_0x9024[28]], _0x9312x8$jscomp$1[_0x9024[43]] === _0x9312x7$jscomp$1[_0x9024[43]]) {
if (_0x9312x2$jscomp$0[_0x9024[44]] === _0x9312x5$jscomp$1) {
_0x9312x1$jscomp$0[_0x9024[46]][_0x9024[45]][_0x9024[42]] = _0x9312x4$jscomp$2[_0x9024[28]];
}
}
}
} else {
}
}
}
}
}
}, _0x9312x4$jscomp$0) {
_0x9312x1$jscomp$0[_0x9024[22]](_0x9024[27], _0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]], false);
_0x9312x2$jscomp$0[_0x9024[22]](_0x9024[47], _0x9312x3$jscomp$0, false);
_0x9312x1$jscomp$0[_0x9024[22]](_0x9024[48], _0x9312x3$jscomp$0, false);
}
}
}(window, document);

Also a good read for researchers of bad code: http://relentless-coding.org/projects/jsdetox/samples
Project: https://javadeobfuscator.com/

polonus
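The snippet quoted above is the common "string table" pattern: every identifier and literal is hidden in a hex-escaped array, and the code refers to them as `_0x9024[N]`. Undoing that by hand is what the online deobfuscator did for the post; as an added example (not code from the post, from WordPress or from dcode.fr), here is a small Python inliner that does the same mechanical step. It assumes a single `var _0x…=[...]` table with no rotation or wrapper function, which is exactly the shape on the page; the `SAMPLE` input is constructed from the first four strings of the quoted array plus a made-up statement that uses them.

```python
import json
import re

# Constructed sample in the same shape as the wp-embed.min.js snippet quoted in the post:
# a hex-escaped string table followed by code that indexes into it. The four strings are
# items of the real array; the trailing statement is made up for this example.
SAMPLE = r'''var _0x9024=["\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E","\x4D\x53\x49\x45\x20\x31\x30"];_0x9024[0];var ie=-1!==navigator[_0x9024[2]][_0x9024[1]](_0x9024[3]);'''

# `var _0x....=[ ... ];` -- the string table. Non-greedy, so a literal "];" inside a
# string would cut the match short; sufficient for the pattern shown on the page.
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.S)
# One JS string literal, double- or single-quoted, with its backslash escapes kept raw.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)')
SIMPLE_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', '0': '\0', 'b': '\b', 'f': '\f', 'v': '\v'}
IDENT_RE = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*$')


def js_unescape(raw):
    """Decode \\xNN, \\uNNNN and simple backslash escapes of a JS string literal body."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return SIMPLE_ESCAPES.get(m.group(3), m.group(3))
    return ESCAPE_RE.sub(repl, raw)


def extract_string_array(src):
    """Return (array name, decoded values, regex match) for the first string table in src."""
    m = ARRAY_RE.search(src)
    if m is None:
        raise ValueError("no _0x string array found")
    values = [js_unescape(dq or sq) for dq, sq in STRING_RE.findall(m.group(2))]
    return m.group(1), values, m


def deobfuscate(src):
    """Inline the string table: obj[_0x..[i]] -> obj.prop, bare _0x..[i] -> "literal"."""
    name, values, m = extract_string_array(src)
    rest = src[m.end():]
    member_re = re.compile(r'\[\s*' + re.escape(name) + r'\[(\d+)\]\s*\]')
    bare_re = re.compile(re.escape(name) + r'\[(\d+)\]')

    def as_member(mm):
        val = values[int(mm.group(1))]
        # Dotted access only when the string is a valid identifier; otherwise keep brackets.
        return '.' + val if IDENT_RE.match(val) else '[' + json.dumps(val) + ']'

    def as_literal(mm):
        return json.dumps(values[int(mm.group(1))])

    rest = member_re.sub(as_member, rest)   # member accesses first, so "[x[1]]" is not split
    rest = bare_re.sub(as_literal, rest)    # then the remaining standalone references
    return values, rest


if __name__ == "__main__":
    table, code = deobfuscate(SAMPLE)
    print("string table:", table)
    print("readable code:", code)
```

Reading the decoded table before reading the code is the quickest triage: a table full of DOM property names such as `querySelectorAll` and `addEventListener`, as here, is ordinary minified library code, whereas entries like `eval`, `fromCharCode` or an unexpected host name are the ones worth a closer look.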

Re: Tests and other Media topics
« Reply #655 on: February 28, 2019, 12:25:28 AM »
Do a connection test: http://conn.internet.nl/connection/

and a good DNS domain check site: https://www.uptrends.com/de/tools/dns

polonus

Re: Tests and other Media topics
« Reply #656 on: February 28, 2019, 04:06:50 PM »
Spectre is going to haunt us for some considerable time: https://arxiv.org/abs/1902.05178

Is your browser vulnerable to Spectre?

Check online: https://xlab.tencent.com/special/spectre/spectre_check.html

According to their checking my browser, it is NOT vulnerable to Spectre  :)

Re: Tests and other Media topics
« Reply #657 on: March 02, 2019, 05:21:58 PM »
Checking a URLHaus flagged IP, like this one: https://urlhaus.abuse.ch/url/149963/
Interesting information at Shodan about ports, services, vulnerabilities:
https://www.shodan.io/host/157.230.214.179
Via additional insights we landed here: https://viz.greynoise.io/ip/157.230.214.179
Quote
Name    Category    Intention    Confidence    First Seen    Last Updated
ZMAP_CLIENT   tool   Null   high   2019-02-26   2019-02-26
SSH_SCANNER_LOW   activity   Null   low   2019-02-26   2019-02-26
TELNET_SCANNER_HIGH   activity   Null   high   2019-02-23   2019-02-23
TELNET_BRUTEFORCER   worm   malicious   high   2019-02-18   2019-02-23
TELNET_BRUTEFORCER   worm   malicious   high   2019-02-18   2019-02-18
TELNET_SCANNER_HIGH   activity   Null   high   2019-02-18   2019-02-18
TELNET_WORM_HIGH   worm   malicious   high   2019-02-11   2019-02-12
TELNET_SCANNER_HIGH   activity   Null   high   2019-02-11   2019-02-12
ZMAP_CLIENT   tool   Null   high   2019-02-11   2019-02-11

See security issues: https://webscan.upguard.com/#/http://157.230.214.179/bins/apep.x86
(5) Susceptible to man-in-the-middle attacks
Server information header exposed
Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. The website configuration should be changed to prevent version information being revealed in the 'server' header.
EXPECTED:
[does not contain version number]
FOUND:
Apache/2.2.15 (CentOS)

 Unnecessary open ports
File sharing ports open
Administration ports open
Database ports open

4 recommendations for improvement: https://webhint.io/scanner/78d6da89-0627-4623-b8ec-791b36e0cb5e
This low number of issues could lead to the assumption that the website was specifically created to abuse...

Unable to connect here: https://observatory.mozilla.org/analyze/157.230.214.179#ssh
Also consider this info: https://dazzlepod.com/ip/?ip_address=http%3A%2F%2F157.230.214.179 *
and this: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=MTU3LjIzMC4yMTQuMTc5~enc

Finally the VT results: Kaspersky detect: https://www.virustotal.com/#/url/8ae84bf6f178a29649f2aaf6d00e5382783921d1b2b40acd6f5fbdb64f089833/detection
Avast detects here: https://www.virustotal.com/#/file/d221870a49a0ab336dfa7d9387add53443e0a6a8ca4c0b6851830fb9d7652bfa/detection

IP scan downloaded files: https://www.virustotal.com/#/ip-address/157.230.214.179

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

* All info from scans like these cannot and should not be used against the particular websites in question, this is offensive conduct.

Damian
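The "Server information header exposed" finding quoted above (expected: no version number; found: `Apache/2.2.15 (CentOS)`) is simple to reproduce on your own hosts. As an added example, not code from the post or from UpGuard, here is a Python check that parses raw HTTP response headers and reports the ones that disclose software versions. Both response texts are constructed for the example; the `Server` value in the first mirrors the finding on the page, the `X-Powered-By` value is made up.

```python
import re

# Constructed raw HTTP response in the shape a scanner sees. The Server value mirrors the
# finding quoted in the post; the X-Powered-By value is made up for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 02 Mar 2019 16:00:00 GMT\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# The same server after the headers were trimmed (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# A dotted number such as 2.2.15 anywhere in the value counts as a disclosed version.
VERSION_RE = re.compile(r'\d+\.\d+(?:\.\d+)?')


def parse_headers(raw):
    """Split a raw HTTP response into a dict of lowercased header name -> value."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_information_headers(raw):
    """Return (header, found value, reason) tuples for headers that leak software details."""
    headers = parse_headers(raw)
    findings = []
    server = headers.get("server")
    if server and VERSION_RE.search(server):
        findings.append(("Server", server, "contains a version number"))
    powered = headers.get("x-powered-by")
    if powered:
        findings.append(("X-Powered-By", powered, "reveals the application platform"))
    return findings


def report(raw):
    """Render findings in the EXPECTED / FOUND style of the scan quoted in the post."""
    lines = []
    for header, value, reason in check_information_headers(raw):
        lines.append(f"{header} header exposed ({reason})")
        lines.append("EXPECTED: [does not contain version number]")
        lines.append(f"FOUND: {value}")
    return "\n".join(lines) if lines else "no version-disclosing headers"


if __name__ == "__main__":
    print(report(SAMPLE_RESPONSE))
    print("---")
    print(report(HARDENED_RESPONSE))
```

On Apache the finding is cleared with `ServerTokens Prod` and `ServerSignature Off` in the server configuration, and the `X-Powered-By` line from PHP with `expose_php = Off` in php.ini. Hiding the version does not patch anything (an unpatched 2.2.15 is still unpatched), it just stops handing out the answer to fingerprinting, which is why scanners rate it as an information-exposure issue rather than a vulnerability.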

Re: Tests and other Media topics
« Reply #658 on: March 02, 2019, 05:32:10 PM »
Dr.Web Security Space does not flag it...

Here it is not listed: Checking: -http://157.230.214.179/bins/apep.x86
Engine version: 7.0.34.11020
Total virus-finding records: 7513830
File size: 83.06 KB
File MD5: 3802fd9b541c4711d683408def246be2

-http://157.230.214.179/bins/apep.x86 - Ok (So actually Not OK).

Also checked here:
Quote
IP Address Information
Analysis Date   2019-03-02 11:30:42
Elapsed Time   4 seconds
Blacklist Status   BLACKLISTED 7/114
IP Address   157.230.214.179 Find Sites | IP Whois
Reverse DNS   Unknown
ASN   AS14061
ASN Owner   DigitalOcean, LLC
ISP   Digital Ocean
Continent   North America
Country Code   Flag (US) United States
Latitude / Longitude   40.7185 / -74.0025 Google Map
City   New York
Region   New York
IP Blacklist Report
Engine   Help
BlockedServersRBL    More info
 CBL_AbuseAt    More info
 MegaRBL    More info
 S5hbl    More info
 SURBL    More info
 AlienVault Reputation    More info
 IPSpamList    More info
Those in bold have it flagged...
 Anti-Attacks BL    More info
 AntiSpam_by_CleanTalk    More info
 Autoshun    More info
 Backscatterer    More info
 BadIPs    More info
 Bambenek Consulting    More info
 Barracuda_Reputation_B...    More info
 BBcan177 (pfBlockerNG)    More info
 BinaryDefense Ban List    More info
 Blacklists_co    More info
 Blocklist.net.ua    More info
 BlockList_de    More info
 BloggingFusion BL    More info
 BlogSpamBL    More info
 Bogons_Team_Cymru    More info
 Booru BL    More info
 Botvrij.eu    More info
 Brute Force Blocker    More info
 Bytefarm_ch IP BL    More info
 C-APT-ure    More info
 CERT.gov.ge    More info
 CERT-PA    More info
 Charles Haley    More info
 CI Army List    More info
 CSpace Hostings IP BL    More info
 Cybercrime-tracker.net    More info
 CyberCure    More info
 Darklist.de    More info
 DataPlane.org    More info
 DNSBL_AbuseCH    More info
 DroneBL    More info
 EFnet_RBL    More info
 EmergingThreats    More info
 Ens160 SSH BL    More info
 Etnetera BL    More info
 Feodo Tracker    More info
 FSpamList    More info
 GPF DNS Block List    More info
 GreenSnow Blocklist    More info
 ImproWare Antispam    More info
 InterServer IP List    More info
 IPSum    More info
 Ip-finder.me    More info
 JustSpam_org    More info
 LAPPS Grid Blacklist    More info
 LashBack UBL    More info
 Log.Onoh.Info    More info
 Malc0de    More info
 MalwareDomainList    More info
 Matapala_org FW Log    More info
 MaxMind High Risk IPs    More info
 MKXT_NET SSH BL    More info
 Migniot SSH Bullies    More info
 Ms-ds-violation-ips    More info
 Myip.ms Blacklist    More info
 NEU SSH Black list    More info
 NiX_Spam    More info
 NoIntegrity BL    More info
 NordSpam    More info
 NoThink.org    More info
 Olegon Blocked IPs    More info
 Organized Villainy Sea...    More info
 Peter-s NUUG IP BL    More info
 PlonkatronixBL    More info
 PhishTank    More info
 Pofon_foobar_hu    More info
 ProjectHoneypot    More info
 PSBL    More info
 Ransomware Tracker    More info
 Redstout Threat IP lis...    More info
 Reuteras Scanning List...    More info
 Roquesor BL    More info
 Rutgers Drop List    More info
 S.S.S.H.I.A    More info
 SANYALnet Labs Mirai I...    More info
 Sblam    More info
 Scientific_Spam_BL    More info
 SCUMWARE    More info
 Shinmura BL    More info
 Snort IPFilter    More info
 SORBS    More info
 SpamCop    More info
 SpamEatingMonkeyBL    More info
 SpamRATS    More info
 SpyEye Tracker    More info
 SSL Blacklist    More info
 St Dominics Priory Col...    More info
 Stefan Gofferje    More info
 StopForumSpam    More info
 Suomispam_RBL    More info
 Swinog_DNSRBL    More info
 Taichung Education Cen...    More info
 TalosIntel IPFilter    More info
 Threat Crowd    More info
 Threat Sourcing    More info
 ThreatLog    More info
 Turris Greylist    More info
 URIBL    More info
 URLVir    More info
 USTC IP BL    More info
 VirBL    More info
 VXVault    More info
 WebIron_RBL    More info
 Websworld.org    More info
 WPBL    More info
 ZeuS Tracker    More info
 Xtream Codes BL    More info

pol
« Last Edit: March 02, 2019, 05:34:19 PM by polonus »

Re: Tests and other Media topics
« Reply #659 on: March 10, 2019, 12:34:58 AM »
Two interesting Chrome extensions I run inside the Brave browser:
Javascript Errors Notifier
Also check code by opening the page in the browser with developer tools via Ctrl+Shift+I.
Detected on this site: https://www.ninefornews.nl/
Re: ReferenceError: st_go is not defined
/:4181

The Retire.js extension also works, and on the same page it flagged: jquery   1.8.3   Found in https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js
Vulnerability info:
Medium   CVE-2012-6708 11290 Selector interpreted as HTML   
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
all as retirable jQuery library.

Javascript could be at the root of a lot of malcode trouble, so always check and double-check,
especially when developing and maintaining websites.

and also at  the security part of the webhint scanner: https://webhint.io/scanner/
or validate here: https://codebeautify.org/jsvalidate

Good hunt, javascript debuggers,

polonus (volunteer 3rd party cold reconnaissance website security analyzer and website error-hunter)

P.S. Added is a txt file of messages and alerts in the developer's console for a shodan page,
just skim over the contents.

« Last Edit: March 10, 2019, 12:58:46 AM by polonus »
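What Retire.js does for the jQuery finding above is mechanical: pull the library version out of the script URL and compare it with the version in which each advisory was fixed. As an added example, not code from the post or from the Retire.js project, here is that check in Python for jQuery only. The two CVE ids come from the post; the "fixed in" versions (1.9.0 for CVE-2012-6708, 3.0.0 for CVE-2015-9251) are taken from the public advisories and are this example's assumption, so verify them against the Retire.js repository data before relying on them. The HTML input is constructed; it contains the Google CDN URL from the post plus a made-up local copy of a newer jQuery.

```python
import re

# Advisories as (CVE id, first fixed version, title). The CVE ids are the ones
# Retire.js reported in the post; the fixed-in versions are this example's assumption
# from the public advisories (check against the retire.js repository data).
JQUERY_ADVISORIES = [
    ("CVE-2012-6708", (1, 9, 0), "Selector interpreted as HTML"),
    ("CVE-2015-9251", (3, 0, 0), "3rd party CORS request may execute / parseHTML() executes scripts in event handlers"),
]

# Constructed page: the CDN URL from the post plus a made-up local copy of a newer jQuery
# and one unrelated script.
SAMPLE_HTML = """
<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script type="text/javascript" src="/js/jquery-3.4.1.min.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>
"""

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
# Matches .../jquery/1.8.3/jquery.min.js (CDN layout) and .../jquery-1.8.3.min.js (file name).
JQUERY_VERSION_RE = re.compile(r'jquery(?:/|-)(\d+\.\d+(?:\.\d+)?)(?:/|\.|$)', re.I)


def parse_version(text):
    """'1.8.3' -> (1, 8, 3); missing components are padded with 0 so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def find_jquery_versions(html):
    """Return (script src, version tuple) for every jQuery script tag whose URL carries a version."""
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = JQUERY_VERSION_RE.search(src)
        if m:
            found.append((src, parse_version(m.group(1))))
    return found


def retirable_findings(html):
    """Return (src, version, CVE, title) for each advisory whose fix is newer than the loaded version."""
    findings = []
    for src, version in find_jquery_versions(html):
        for cve, fixed_in, title in JQUERY_ADVISORIES:
            if version < fixed_in:
                findings.append((src, ".".join(map(str, version)), cve, title))
    return findings


if __name__ == "__main__":
    for src, version, cve, title in retirable_findings(SAMPLE_HTML):
        print(f"Medium   {cve}   {title}   jquery {version}   Found in {src}")
```

Only scripts whose URL carries a version are checked; a bare `jquery.min.js` needs the file-hash or content-signature matching that Retire.js also does, which is why the browser extension is the more complete tool and this script is only the version-in-URL half of it.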