Author Topic: Tests and other Media topics (Read 586639 times)

polonus · « **Reply #780 on:** April 25, 2020, 12:24:46 PM »

L.S.

Now combining this with starting from a known malicious or suspicious IP.
Random example from Mainland China: https://www.abuseipdb.com/check/58.221.84.90
& https://www.shodan.io/host/58.221.84.90 & malicious host: https://maltiverse.com/ip/58.221.84.90
where we always should check: https://www.virustotal.com/gui/url/340dbe0113dfca01b3d129e4d04438f65b3117b6fabb5a6f973aadee04cf1d5c/detection
& https://www.virustotal.com/gui/ip-address/58.221.84.90/relations
Trackers from - at least 1 third parties know you are on this webpage.
-mail.hhitcloud.cn -mail.hhitcloud.cn -> https://webhint.io/scanner/8d88c85a-5e9c-4101-a7c1-cb94db17e185
Netcraft risk status - 10 red out of 10: https://sitereport.netcraft.com/?url=http%3A%2F%2Fmail.hhitcloud.cn
Listed and blocked as with Hackers, Spyware, Botnets etc.

polonus

polonus · « **Reply #781 on:** April 25, 2020, 02:56:59 PM »

SSH BruteForce attacker, scanner -> https://www.abuseipdb.com/check/188.166.147.211
Re host: https://www.shodan.io/host/188.166.147.211
See: https://viz.greynoise.io/ip/188.166.147.211
Consider info: https://report.cs.rutgers.edu/mrtg/drop/dropstat.cgi?start=-1d
Protection -> https://www.badips.com/ from the abuse tracker's mouth: https://www.badips.com/info

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

polonus · « **Reply #782 on:** April 25, 2020, 10:01:10 PM »

We used to have these threats included on various online website scanners.
That is why we are missing this site: https://archive.is/urlquery.net
https://rules.emergingthreats.net/
Example of category: https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Oisf-users Archive: https://lists.openinfosecfoundation.org/pipermail/oisf-users/ (Suricata rules)

pol

polonus · « **Reply #783 on:** April 26, 2020, 07:13:57 PM »

Example of a Trickbot EXE analysis comparison from various (re)sources:
Regex examples: https://nullsecure.org/malware-traffic-analysis-using-splunk/
On pastebin: https://pastebin.com/6U27ZZd3
On capesandbox: https://capesandbox.com/analysis/1628/
On a particular trickbot IP: https://www.abuseipdb.com/check/107.172.236.237
Similar: https://urlhaus.abuse.ch/url/347024/

polonus

polonus · « **Reply #784 on:** April 27, 2020, 12:35:53 AM »

Normally you do not get the following info directly from inside the webbrowser.

So we opened up Ctrl+Shift+I (developer console information)
together with a run of the Quick Source Viewer extension to get:

Quote

js flexbox canvas canvastext webgl no-touch geolocation postmessage websqldatabase indexeddb hashchange history draganddrop websockets rgba hsla multiplebgs backgroundsize borderimage borderradius boxshadow textshadow opacity cssanimations csscolumns cssgradients cssreflections csstransforms csstransforms3d csstransitions fontface generatedcontent video audio localstorage sessionstorage webworkers applicationcache svg inlinesvg smil svgclippaths">
<

&

Quote

INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: var script_urls = '["-https://static.shodan.io/jquery/js/jquery.js", "https:
245 bytes

INLINE: (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i

&
On CSS-5

Quote

INJECTED

INLINE: :root #content > #right > .dose > .dosesingle, :root #content > #center > .dose
120 bytes INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

What we scanned -> Results from scanning URL: -https://cdn.maptiler.com/mapbox-gl-js/v0.53.0/mapbox-gl.js
Number of sources found: 25
Number of sinks found: 2

Quote

HTML
-static.shodan.io/bootstrap/js/bootstrap.min.js
26,015 bytes, 41 nodes

Javascript 1 (external 0, inline 1)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

CSS 1 (external 0, inline 1)
INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

Tips
Quote
Shows current sources in the DOM.
"INJECTED" nodes have been injected to DOM by Javascript after initial page load.
Press B to toggle beautifier.
Press N to toggle line numbers.
Adjust options of this extension.

All valuable information as we start to analyze website code or script vulnerabilities (flaws),

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

polonus · « **Reply #785 on:** April 29, 2020, 04:05:30 PM »

Interaction of two online resources (malpedia & URLhaus).
Buzzword RATs and in particular Mozi: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi
and https://urlhaus.abuse.ch/browse/
Read article: https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848
No existing YARA rule for Mozi, -> https://www.joesandbox.com/search?q=Mozi.m
particular example: https://www.joesandbox.com/analysis/343770
Re: https://www.joesandbox.com/analysis/223570/0/pdf
See: https://urlhaus.abuse.ch/browse.php?search=162.212.114.3
link to https://www.shodan.io/host/162.212.114.3 and then to https://viz.greynoise.io/ip/162.212.114.3
Scans for port 2323 -> As it's well-known that port 23 is very vulnerable, some people try to be „tricky" and use port 2323 for the same purpose as port 23. It's a very lazy solution and hackers know about this, that's why they usually scan this port too,

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

polonus · « **Reply #786 on:** April 29, 2020, 09:47:03 PM »

While reading this blog post at ZScaler's, I landed here to test
what has been kicked up through the Quick Source extension inside Google Chrome.

To fuzz inline scripts using this online tool: https://closure-compiler.appspot.com/home

After compiling I got "JSC_PARSE_ERROR: Parse error. In some cases, '' are treated as a '//' for legacy reasons. Removing this from your code is safe for all browsers currently in use. at line 5 character 19"
then delivering this OUTPUT of default.js

Quote

output_file_name=default.js
&js_code=%2F%2F%20ADD%20YOUR%20CODE%20HERE%0Afunction%20hello(name)%20%7B%0A%20%20alert('Hello%2C%20'%20%2B%20name)%3B%0A%7D%0Ahello('New%20user')%3B%20%3C!--%20%2F%2F%20--%3E%3C!%5BCDATA%5B%0 etc. etc. etc.

Gaining quite some insights in the field of JavaScript analysis.

polonus

polonus · « **Reply #787 on:** May 02, 2020, 03:38:01 PM »

Not malicious but here in the Hall of Shame:
Re: https://www.immuniweb.com/websec/?id=ZZv4yeuM
and https://urlscan.io/result/d73751bc-be77-4834-bc8a-b7089f662801
on hoster: https://www.shodan.io/host/88.99.247.221
Insecure:

Quote

This website is insecure.
33% of the trackers on this site could be protecting you from NSA snooping. Tell -koliee.ir to fix it.

Identifiers | All Trackers
* Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

-7ocilktl9nkh7ihXXXXXXcebb0 -wXw.koliee.ir phpsessid

Retireable jQuery libraries:

Quote

bootstrap 3.3.7 Found in -http://www.koliee.ir/js/bootstrap.min.js Vulnerability info: **
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
jquery 3.2.1.min Found in -http://www.koliee.ir/js/jquery-3.2.1.min.js Vulnerability info:
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution 123
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Blocked in the browser for me (pol): -www.smartsuppchat.com/loader.js?
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: var _smartsupp = _smartsupp || {}; _smartsupp.key = '00ff41XXXXXXXXXX54e1b6ae86
418 bytes

** bootstrap insecurity: -www.koliee.ir/css/bootstrap.min.css
INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

font insecurity version 4.7.0

linting report hints: https://webhint.io/scanner/52b964c6-33f6-497e-b75d-1a569424149c
and especially here for this forum the 9 category of hints here:
https://webhint.io/scanner/52b964c6-33f6-497e-b75d-1a569424149c#category-security

for instance disown-opener flaw for -http://koliee.ir/blog/1395/07/20/%D9%85%D8%AF%D8%A7%D8%B1%DA%A9-%D9%84%D8%A7%D8%B2%D9%85-%D8%AC%D9%87%D8%AA-%D8%A7%D9%87%D8%AF%D8%A7%D8%A1-%DA%A9%D9%84%DB%8C%D9%87/

Word Press vuln. Wordpress - 4.6.18
7.5
WPVDB-ID:8941
WordPress <= 4.8.2 - $wpdb->prepare() Weakness
7.5
WPVDB-ID:10004
WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
7.5
WPVDB-ID:9912
WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
7.5
WPVDB-ID:9171
WordPress <= 5.0 - PHP Object Injection via Meta Data
7.5
WPVDB-ID:8730
WordPress 3.5-4.7.1 - WP_Query SQL Injection
7.5
WPVDB-ID:8905
WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
7.5
WPVDB-ID:8818
WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
6.8
WPVDB-ID:8720
WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
6.8
WPVDB-ID:9230
WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
6.8
WPVDB-ID:9913
WordPress <= 5.2.3 - Admin Referrer Validation
6.8
WPVDB-ID:8969
WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
6.5
WPVDB-ID:9100
WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
6.5
WPVDB-ID:9222
WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
6.5
WPVDB-ID:8766
WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
5.8
WPVDB-ID:9054
WordPress 3.7-4.9.4 - Use Safe Redirect for Login
5.8
WPVDB-ID:9053
WordPress 3.7-4.9.4 - Remove localhost Default
5.8
WPVDB-ID:9169
WordPress <= 5.0 - Authenticated File Delete
5.5
WPVDB-ID:8767
WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
5.5
WPVDB-ID:8734
WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
5
WPVDB-ID:9909
WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
5
WPVDB-ID:9911
WordPress <= 5.2.3 - JSON Request Cache Poisoning
5
WPVDB-ID:8911
WordPress 3.0-4.8.1 - Path Traversal in Unzipping
5
WPVDB-ID:8815
WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
5
WPVDB-ID:9973
WordPress <= 5.3 - Improper Access Controls in REST API
5
WPVDB-ID:8729
WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
5
WPVDB-ID:8721
WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
5
WPVDB-ID:8912
WordPress 4.4-4.8.1 - Path Traversal in Customizer
5
WPVDB-ID:8816
WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
5
WPVDB-ID:8817
WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
5
WPVDB-ID:8719
WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
5
WPVDB-ID:9174
WordPress <= 5.0 - User Activation Screen Search Engine Indexing
5
WPVDB-ID:8910
WordPress 2.9.2-4.8.1 - Open Redirect
4.9
WPVDB-ID:9006
WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
4.3
WPVDB-ID:9975
WordPress <= 5.3 - Stored XSS via Crafted Links
4.3
WPVDB-ID:8820
WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
4.3
WPVDB-ID:8819
WordPress 3.3-4.7.4 - Large File Upload Error XSS
4.3
WPVDB-ID:9910
WordPress <= 5.2.3 - Stored XSS in Style Tags
4.3
WPVDB-ID:8716
WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
4.3
WPVDB-ID:9867
WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
4.3
WPVDB-ID:8913
WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
4.3
WPVDB-ID:8718
WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
4.3
WPVDB-ID:9173
WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
4.3
WPVDB-ID:9055
WordPress 3.7-4.9.4 - Escape Version in Generator Tag
4.3
WPVDB-ID:8769
WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names
4.3
WPVDB-ID:8731
WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
4.3
WPVDB-ID:8914
WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
4.3
WPVDB-ID:8770
WordPress 4.2-4.7.2 - Press This CSRF DoS
4.3
WPVDB-ID:9170
WordPress <= 5.0 - Authenticated Post Type Bypass
4
WPVDB-ID:8967
WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
3.5
WPVDB-ID:9908
WordPress <= 5.2.3 - Stored XSS in Customizer
3.5
WPVDB-ID:9175
WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
3.5
WPVDB-ID:9976
WordPress <= 5.3 - Stored XSS via Block Editor Content
3.5
WPVDB-ID:8968
WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
3.5
WPVDB-ID:8768
WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
3.5
WPVDB-ID:8966
WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
3.5
WPVDB-ID:9172
WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
3.5
WPVDB-ID:8765
WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
3.5
WPVDB-ID:8714
WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
0
WPVDB-ID:8906
WordPress 2.3.0-4.7.4 - Authenticated SQL injection
0
2017 Vulners.comvulners.com

Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist: OK

Externally Linked Host Hosting Provider Country
 -www.ahmand.ir
 -koliee.ir Hetzner Online GmbH Germany
 -www.jnin.ir Hetzner Online GmbH Germany
 -www.kartam.ir
 -www.kifam.ir
 -www.ahmand-group.ir
 -www.zamenn.ir Hetzner Online GmbH Germany
 -www.imbti.ir Hetzner Online GmbH Germany
 -www.vamam.ir Hetzner Online GmbH Germany
 -www.gancher.ir

polonus (volunteer 3rd party cold recon werbsite security-analyst and website error-hunter)

polonus · « **Reply #788 on:** May 02, 2020, 06:34:07 PM »

Repositories: http://www.cybercrime-tracker.net/
https://atm.cybercrime-tracker.net/index.php?x=yara
https://darkode.cybercrime-tracker.net/
Many more to be mentioned in here: https://github.com/TheHive-Project/CortexDocs/blob/master/analyzer_requirements.md
and various others mentioned there, like https://hunter.io/domain-search

Enjoy, my good friends, enjoy,

polonus

polonus · « **Reply #789 on:** May 03, 2020, 05:17:08 PM »

Now some info on combining resources to look at a specific redirect to detect a jQuery library vulnerability,
in this case on an Amazon Trust service propelled website with an event listener script flaw in leanModal.js.

Where did we stumble upon this particular redirect?
Well, here: https://urlscan.io/result/3bf58654-6a1e-4d83-9b11-aec6bbcf9d52/

Then we visited this: https://www.shodan.io/host/13.224.197.67

At Amazon Trust Services we met retiarable jQuery libraries:

Quote

Retire.js
jquery 2.1.4.min Found in -https://www.amazontrust.com/jquery-2.1.4.min.js Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution 123
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Saw inline script: -https://www.amazontrust.com/jquery-2.1.4.min.js

Event listener issue documentation for
https://askcodez.com/leanmodal-js-la-plus-simple-jquery-modal-script-depannage.html

(* code line 583 etc.) in sjcl-0.8.js

Code: [Select]

 ("a[rel*=leanModal]").leanModal({
    closeButton: ".modal_close"
});

to have again completed this going around

polonus

polonus · « **Reply #790 on:** May 07, 2020, 10:03:02 PM »

Checking on Content Security Policy, checked with CSP evaluator:
checked at -https://www.stetson.edu/software/greenpages/index.php
obj-src -> https: URI in object-src allows the execution of unsafe scripts.
Can you restrict object-src to 'none' only?
Script-src -> error'unsafe-inline'
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
help_outline'unsafe-eval'
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
errorhttps:
https: URI in script-src allows the execution of unsafe scripts.

Quick Source

Quote

HTML
-www.stetson.edu/software/greenpages/index.php
7,820 bytes, 96 nodes

Javascript 6 (external 4, inline 2)
-www.googletagmanager.com/gtm.js?id=GTM-MTV2B2
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date
370 bytes

-ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js
-ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js
-www.stetson.edu/software/greenpages/assets/js/template.js

CSS 4 (external 2, inline 2)
-ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/themes/smoothness/jquery-ui.css
INJECTED

-www.stetson.edu/software/greenpages/assets/css/style.css
INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

INLINE: :root #content > #center > .dose > .dosesingle, :root #content > #right > .dose
120 bytes INJECTED

On the other hand where websites seem rather secure like: -https://www.collegebeaufeuillagesaintbrieuc.ac-rennes.fr/
the hosting party for that particular IP it is on can be with many vulnerabilities: https://www.shodan.io/host/195.221.67.111

So we need two to tango securely, website on client and where it is being hosted on a webserver.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

polonus · « **Reply #791 on:** May 08, 2020, 01:19:49 AM »

Another comparison of scan results of this Hall of Shame website (F-Grade results):
https://www.immuniweb.com/websec/?id=K0O4GbwC
&
https://sitecheck.sucuri.net/results/usosweb.usos.pw.edu.pl
&
https://www.shodan.io/host/194.29.138.69

Retirable jQuery libraries: Retire.js
jquery-migrate 1.1.0.min Found in -https://usosweb.usos.pw.edu.pl/js/jquery-migrate-1.1.0.min.js Vulnerability info:
Medium jQuery Migrate 1.2.0 Released cross-site-scripting
Medium 11290 Selector interpreted as HTML
jquery-ui-dialog 1.10.1 Found in -https://usosweb.usos.pw.edu.pl/js/jquery-ui-1.10.1.custom.min.js Vulnerability info:
High CVE-2016-7103 281 XSS Vulnerability on closeText option
jquery 1.9.1.min Found in -https://usosweb.usos.pw.edu.pl/js/jquery-1.9.1.min.js Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-925
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
jquery 1.9.1 Found in -https://usosweb.usos.pw.edu.pl/js/jquery-usos/latest-bundle.min.js?v=4 Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution 123
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

See: https://observatory.mozilla.org/analyze/usosweb.usos.pw.edu.pl

SSL Server test: A grade: https://www.ssllabs.com/ssltest/analyze.html?&hideResults=on&d=usosweb.usos.pw.edu.pl

For kontroller.php -> https://github.com/ademkarakus/MYTicketSys/blob/master/kontroller.php
Security Overview: https://github.com/ademkarakus/MYTicketSys/security

polonus

polonus · « **Reply #792 on:** May 10, 2020, 11:22:53 PM »

Abuse IP related resources:
https://www.abuseipdb.com/check/79.137.2.105
&
https://www.shodan.io/host/79.137.2.105
&
https://viz.greynoise.io/ip/79.137.2.105
&
https://bl.isx.fr/79.137.2.105
&
https://www.virustotal.com/gui/url/51ba250152a02b5b34937b6debfa340985958021b78566c396de7234a0ba9f0b/detection (Spamhaus to detect)
4 engines to detect: https://www.virustotal.com/gui/ip-address/79.137.2.105/detection
(none) https://www.virustotal.com/gui/ip-address/79.137.2.105/relations
as well as here: https://secure.dshield.org/ipinfo.html?ip=71.137.2.105&update=yes

Flagged as attack source: https://db-ip.com/79.137.2.105
Not secure -> hxtps://ip105.ip-79-137-2.eu/

pol

polonus · « **Reply #793 on:** May 11, 2020, 12:34:48 PM »

Check your device against the Thunderbolt-hole with Thunderspy
Thunderbolt can grant attackers fysical access onto locked computers

Read (with downloads) -> https://thunderspy.io/#TODO-FIX-ME

credits due go to Björn Ruytenberg

polonus

polonus · « **Reply #794 on:** May 14, 2020, 07:07:07 PM »

Various checks on a potentially malicious IP:

https://urlscan.io/ip/108.170.29.140

https://www.abuseipdb.com/check/108.170.29.140

https://cyberwarzone.com/malicious-history-of-108-170-29-140/

https://securitytrails.com/list/ip/108.170.29.140

https://www.virustotal.com/gui/ip-address/108.170.29.140/relations

polonus