Author Topic: Tests and other Media topics  (Read 318913 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32897
  • malware fighter
Re: Tests and other Media topics
« Reply #855 on: November 22, 2020, 12:06:21 AM »
Various resources used at covert.io threat intelligence:
Quote
IOC Repositories
These repos contain threat intelligence, generally updated manually when the respective orgs publish threat reports.

https://github.com/aptnotes/data
https://github.com/citizenlab/malware-indicators
https://github.com/da667/667s_Shitlist
https://github.com/eset/malware-ioc
https://github.com/fireeye/iocs
https://github.com/Neo23x0/signature-base/tree/master/iocs
https://github.com/pan-unit42/iocs
https://github.com/stamparm/maltrail/tree/master/trails/static/malware
https://github.com/stamparm/maltrail/tree/master/trails/static/suspicious
IOC Feeds
These URLs are data feeds of various types from scanning IPs from honeypots to C2 domains from malware sandboxes, and many other types. They were compiled from several sources, including (but not limited to): 1, 2, 3, 4, 5, 6. They are in alphabetical order.

http://antispam.imp.ch/wormlist
http://app.webinspector.com/recent_detections
http://atrack.h3x.eu/api/asprox_suspected.php
http://autoshun.org/files/shunlist.csv
http://blocklist.greensnow.co/greensnow.txt
http://botscout.com/last.htm
http://botscout.com/last_caught_cache.htm
http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
http://cinsscore.com/list/ci-badguys.txt
http://cybercrime-tracker.net/all.php
http://cybercrime-tracker.net/ccam.php
http://cybercrime-tracker.net/ccpmgate.php
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
http://data.netlab.360.com/feeds/dga/dga.txt
http://data.netlab.360.com/feeds/ek/magnitude.txt
http://data.netlab.360.com/feeds/ek/neutrino.txt
http://data.netlab.360.com/feeds/mirai-scanner/scanner.list
http://data.phishtank.com/data/online-valid.csv
http://dns-bh.sagadc.org/dynamic_dns.txt
http://feeds.dshield.org/top10-2.txt
http://hosts-file.net/?s=Browse&f=2014
http://labs.snort.org/feeds/ip-filter.blf
http://labs.sucuri.net/?malware
http://lists.blocklist.de/lists/all.txt
http://malc0de.com/bl/BOOT
http://malc0de.com/bl/IP_Blacklist.txt
http://malc0de.com/rss/
http://malwaredb.malekal.com/
http://malwaredomains.lehigh.edu/files/domains.txt
http://malwareurls.joxeankoret.com/normal.txt
http://mirror2.malwaredomains.com/files/immortal_domains.txt
http://mirror2.malwaredomains.com/files/justdomains
http://multiproxy.org/txt_all/proxy.txt
http://openphish.com/feed.txt
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
http://osint.bambenekconsulting.com/feeds/c2-masterlist.txt
http://osint.bambenekconsulting.com/feeds/dga-feed.txt
http://ransomwaretracker.abuse.ch
http://report.rutgers.edu/DROP/attackers
http://reputation.alienvault.com/reputation.data
http://rules.emergingthreats.net/blockrules/emerging-ciarmy.rules
http://rules.emergingthreats.net/blockrules/emerging-compromised.rules
http://rules.emergingthreats.net/fwrules/emerging-PF-CC.rules
http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
http://sblam.com/blacklist.txt
http://support.clean-mx.de/clean-mx/xmlviruses.php
http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
http://tracker.h3x.eu/api/sites_1day.php
http://virbl.org/download/virbl.dnsbl.bit.nl.txt
http://vmx.yourcmc.ru/BAD_HOSTS.IP4
http://vxvault.net/URL_List.php
http://vxvault.siri-urz.net/URL_List.php
http://vxvault.siri-urz.net/ViriList.php
http://www.autoshun.org/files/shunlist.csv
http://www.blocklist.de/lists/apache.txt
http://www.blocklist.de/lists/asterisk.txt
http://www.blocklist.de/lists/bots.txt
http://www.blocklist.de/lists/courierimap.txt
http://www.blocklist.de/lists/courierpop3.txt
http://www.blocklist.de/lists/email.txt
http://www.blocklist.de/lists/ftp.txt
http://www.blocklist.de/lists/imap.txt
http://www.blocklist.de/lists/ircbot.txt
http://www.blocklist.de/lists/pop3.txt
http://www.blocklist.de/lists/postfix.txt
http://www.blocklist.de/lists/proftpd.txt
http://www.blocklist.de/lists/sip.txt
http://www.blocklist.de/lists/ssh.txt
http://www.botvrij.eu/data/ioclist.url
http://www.ciarmy.com/list/ci-badguys.txt
http://www.dshield.org/ipsascii.html?limit=10000
http://www.falconcrest.eu/IPBL.aspx
http://www.joewein.net/dl/bl/dom-bl-base.txt
http://www.joewein.net/dl/bl/dom-bl.txt
http://www.malware-traffic-analysis.net
http://www.malwareblacklist.com/showAllMalwareURL.php?userName=Guest&sessionID=&downloadOption=0
http://www.malwaredomainlist.com/hostslist/ip.txt
http://www.malwaredomainlist.com/updatescsv.php
http://www.malwaregroup.com/ipaddresses
http://www.michaelbrentecklund.com/whm-cpanel-cphulk-banlist-whm-cpanel-cphulk-blacklist/
http://www.mirc.com/servers.ini
http://www.nothink.org/blacklist/blacklist_malware_dns.txt
http://www.nothink.org/blacklist/blacklist_malware_http.txt
http://www.nothink.org/blacklist/blacklist_malware_irc.txt
http://www.nothink.org/blacklist/blacklist_snmp_2015.txt
http://www.nothink.org/blacklist/blacklist_ssh_day.txt
http://www.projecthoneypot.org/list_of_ips.php
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
http://www.stopforumspam.com/downloads/listed_ip_1_all.zip
http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt
http://www.urlvir.com/export-hosts/
http://www.voipbl.org/update/
https://atlas.arbor.net/summary/domainlist
https://dataplane.org/sshclient.txt
https://dataplane.org/sshpwauth.txt
https://disconnect.me/lists/malvertising
https://disconnect.me/lists/malwarefilter
https://dragonresearchgroup.org/insight/sshpwauth.txt
https://dragonresearchgroup.org/insight/vncprobe.txt
https://feodotracker.abuse.ch
https://github.com/stamparm/maltrail/blob/master/trails/static/mass_scanner.txt
https://gitlab.com/ZeroDot1/CoinBlockerLists/blob/master/list.txt
https://isc.sans.edu/feeds/daily_sources
https://isc.sans.edu/feeds/suspiciousdomains_High.txt
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://isc.sans.edu/feeds/topips.txt
https://isc.sans.edu/ipsascii.html
https://lists.malwarepatrol.net/cgi/getfile?receipt=f1417692233&product=8&list=dansguardian
https://malc0de.com/bl/ZONES
https://malsilo.gitlab.io/feeds/dumps/url_list.txt
https://malwared.malwaremustdie.org/rss.php
https://malwared.malwaremustdie.org/rss_bin.php
https://malwared.malwaremustdie.org/rss_ssh.php
https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt
https://onionoo.torproject.org/details?type=relay&running=true
https://palevotracker.abuse.ch
https://paste.cryptolaemus.com/feed.xml
https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset
https://raw.githubusercontent.com/futpib/policeman-rulesets/master/examples/simple_domains_blacklist.txt
https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-c2-iocs.txt
https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules
https://secure.dshield.org/ipsascii.html?limit=1000
https://sslbl.abuse.ch
https://techhelplist.com/maltlqr/reports/dyreza.txt
https://techhelplist.com/pastes
https://techhelplist.com/spam-list
https://threatfeeds.io/
https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
https://urlhaus.abuse.ch/downloads/csv/
https://www.badips.com/get/list/any/2?age=7d
https://www.circl.lu/doc/misp/feed-osint/
https://www.dan.me.uk/torlist/
https://www.hidemyass.com/vpn-config/l2tp/
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://www.maxmind.com/en/anonymous_proxies
https://www.maxmind.com/en/high-risk-ip-sample-list
https://www.openbl.org/lists/base.txt
https://www.openbl.org/lists/base_all_ftp-only.txt
https://www.openbl.org/lists/base_all_http-only.txt
https://www.openbl.org/lists/base_all_smtp-only.txt
https://www.openbl.org/lists/base_all_ssh-only.txt
https://www.packetmail.net/iprep.txt
https://www.packetmail.net/iprep_CARISIRT.txt
https://www.packetmail.net/iprep_ramnode.txt
https://www.trustedsec.com/banlist.txt
https://www.turris.cz/greylist-data/greylist-latest.csv
https://zeustracker.abuse.ch


Also interesting (example): https://firewallban.dynu.net/search.php?submit=Search&search=2.57.122.96

Search engine to search for script snippet examples: https://publicwww.com/?q=

enjoy, my good friends, enjoy and have a good week,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
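The feeds listed above come in several layouts (commented plain IP/CIDR lists, hosts-file style domain lists, CSV exports with a URL column). As an added example, not part of the post or of any of the listed projects, here is a small Python normalizer that merges constructed samples of those three layouts into one de-duplicated indicator list; the sample addresses and domains are reserved documentation values, not real indicators.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

# Constructed samples of three layouts seen among the feeds above: a commented
# plain IP/CIDR list, a hosts-file style domain list, and a CSV with a URL column.
SAMPLE_IP_LIST = "# one entry per line\n198.51.100.7\n203.0.113.0/24\n; not an address\n"
SAMPLE_HOSTS = "127.0.0.1 bad.example.net\n0.0.0.0 tracker.example.org # sinkholed\n"
SAMPLE_CSV = "id,url,status\n1,http://malware.example.com/dl.php?x=1,online\n2,https://198.51.100.9/p,online\n"

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}  # hosts-file sink prefixes to unwrap

def classify(token):
    """Return (indicator_type, normalized_value) or None for unrecognised tokens."""
    try:
        return "ip", str(ipaddress.ip_address(token))
    except ValueError:
        pass
    try:
        return "cidr", str(ipaddress.ip_network(token, strict=False))
    except ValueError:
        pass
    if DOMAIN_RE.match(token):
        return "domain", token.lower()
    return None

def parse_plain(text):
    """Plain lists: strip '#'/';' comments, unwrap hosts-file lines, classify."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        token = fields[1] if len(fields) > 1 and fields[0] in SINK_ADDRESSES else fields[0]
        ind = classify(token)
        if ind:
            out.append(ind)
    return out

def parse_csv_urls(text, column="url"):
    """CSV feeds: keep the URL and also emit its host as its own indicator."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        parsed = urlparse(row[column])
        if parsed.scheme in ("http", "https") and parsed.hostname:
            out.append(("url", row[column]))
            host = classify(parsed.hostname)
            if host:
                out.append(host)
    return out

def normalize_feeds():
    """Merge all sample feeds into one de-duplicated, sorted indicator list."""
    merged = parse_plain(SAMPLE_IP_LIST) + parse_plain(SAMPLE_HOSTS) + parse_csv_urls(SAMPLE_CSV)
    return sorted(set(merged))
```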

Offline polonus

Re: Tests and other Media topics
« Reply #856 on: November 30, 2020, 12:28:35 PM »
L.S.

If your origin servers are exposed, attackers can attack them directly and bypass any sort of protection you may have. Many large CDN companies have bad design which allows for serious security vulnerabilities.

Check website here: https://bitmitigate.com/origin-exposure-test.html?name=

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #857 on: December 02, 2020, 12:03:11 AM »
Check your access control to guarantee a secure connection between website and webserver behind it. Or you could find yourself in such a situation, where you find direct access to

Quote
{"099.php":{"aliases":{},"mappings":{},"settings":{"index":{"creation_date":"1606435124551","uuid":"BJaLkowESMCNLZr4WAlEHg","number_of_replicas":"1","number_of_shards":"5","version":{"created":"2030399"},"ajax":"true&a=Php&p1=die(@md5(S3pt3mb3r));"}},"warmers":{}}}
from a particular Rackspace IP address ending in /099.php ...
(weak PHP example found with Shodan.io)

A scan with the webbug tool produces this information:
Quote
HTTP/1.1 200 OK
Date: Wed, 02 Dec 2020 04:00:05 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 320
Access-Control-Allow-Origin: *
Connection: close

{
  "name" : "Super Sabre",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "218bdf10790eef486ff2c41a3df5cfa32dadcfde",
    "build_timestamp" : "2016-05-17T15:40:04Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}

Attackers may use various special search methods on Google (so-called dorks) and queries on shodan.io to find low-hanging fruit on the Interwebz to compromise, and worse.
Be the first party to scan, as malcreants may already have scanned you.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
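The banner quoted above (HTTP 200 on the root URL, `Access-Control-Allow-Origin: *`, version 2.3.3) is what a defender should recognise when reviewing their own exposure. As an added example, not code from the post or from Elastic, here is a Python triage routine that parses a captured response and reports the three findings; the response is constructed from the post's values and the "supported major version" threshold is an assumption for this example.

```python
import json
from typing import Dict, List, Tuple

# Constructed response modelled on the banner quoted in the post above
# (headers and body abridged; values are the post's, not a live capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=UTF-8\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Connection: close\r\n"
    "\r\n"
    '{"name": "Super Sabre", "cluster_name": "elasticsearch", '
    '"version": {"number": "2.3.3", "lucene_version": "5.5.0"}, '
    '"tagline": "You Know, for Search"}'
)

# Assumed threshold for this example only: treat anything below 7.x as end-of-life.
MIN_SUPPORTED_MAJOR = 7

def parse_http(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def triage_elasticsearch(raw: str) -> List[str]:
    """Return findings for a response captured from an Elasticsearch root URL."""
    status, headers, body = parse_http(raw)
    if status == 401 or "www-authenticate" in headers:
        return ["auth required: root endpoint is not anonymously readable"]
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["not an Elasticsearch banner"]
    findings: List[str] = []
    if doc.get("tagline") == "You Know, for Search" or "cluster_name" in doc:
        findings.append("unauthenticated banner exposed "
                        f"(cluster '{doc.get('cluster_name')}')")
    if headers.get("access-control-allow-origin") == "*":
        findings.append("CORS wildcard: any web origin may read API responses")
    version = doc.get("version", {}).get("number", "")
    major = version.split(".")[0]
    if major.isdigit() and int(major) < MIN_SUPPORTED_MAJOR:
        findings.append(f"version {version} is below assumed supported major {MIN_SUPPORTED_MAJOR}")
    return findings
```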

Offline polonus

Re: Tests and other Media topics
« Reply #858 on: December 08, 2020, 02:06:03 PM »
Another fine resource site lost to us?

Not to be reached - isithacked.com - scan site to look at signs of Cloaking, spammy links etc.
Has it now also been discontinued? Re: https://mxtoolbox.com/SuperTool.aspx?action=mx%3aisithacked.com&run=toolpage
Re: https://sitereport.netcraft.com/?url=http%3A%2F%2Fwww.isithacked.com
https://www.virustotal.com/gui/ip-address/107.170.38.188/relations

What happened at the hoster, Digitalocean? Anyone.

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #859 on: December 08, 2020, 03:12:51 PM »

Offline polonus

Re: Tests and other Media topics
« Reply #860 on: December 21, 2020, 04:25:23 PM »
Time to test the security of your WordPress CMS here: https://hackertarget.com/wordpress-security-scan/
or scan with Sucuri's. Look for outdated plug-in software, as attackers abuse domains there to spread malware:
https://blog.sucuri.net/2020/12/the-dangers-of-using-abandoned-plugins-themes.html  (info credits: Krasimir Kronov).

Remote code execution / file upload leak in WordPress plugin Contact Form 7 [CVE-2020-35489],
read: https://contactform7.com/2020/12/17/contact-form-7-532/
Site of researcher that found it: https://www.jinsonvarghese.com/
Astra-site: https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #861 on: December 30, 2020, 02:45:36 PM »
WordPress is found on 40% of websites; WordPress is a PHP-based CMS.

Check PHP using SNYK:
Re: https://snyk.io/vuln/npm:php_codesniffer_master
& https://support.snyk.io/hc/en-us/articles/360003817397-Snyk-for-PHP

Browser extension: the vulners web scanner alerts to vulnerabilities.
PHP vulners database: https://vulners.com/php

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #862 on: December 31, 2020, 06:28:14 PM »
Then it is a pity this website failed a low impact test: -https://code313detroit.org/

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.

Plugin                    Update Status   About
js_composer               Unknown
nd-shortcodes             Unknown         latest release (6.3), https://nicdark.com
nd-projects               Unknown         latest release (1.3), https://nicdark.com
contact-form-7            Unknown         latest release (5.3.2), https://contactform7.com/
revslider                 Unknown
woocommerce 3.0.7         Warning         latest release (4.8.0), https://woocommerce.com/
slider-revolution 6.2.2   Unknown
nd-donations              Unknown         latest release (1.7), https://nicdark.com
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

There are likely more plugins installed than those listed here, as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths using a dedicated tool.

User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

ID      Username     Name
ID: 1   code313      code313
ID: 2   garybeaver   Gary Beaver

It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

However, it has been given the all-clean bill by:

DShield                   CLEAN
AlienVault OTX            CLEAN
Cisco Talos               CLEAN
abuse.ch (Feodo)          CLEAN
URLhaus                   CLEAN
Spamhaus (Drop / eDrop)   CLEAN

Bad for our future coders, big names for charity should do a better job in leadership. Hey Google, Amazon, Verizon, Microsoft?
A very happy and healthy New Year 2021 to you all, wishes,

Damian aka polonus
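The passive detection the report above describes (reading plugin paths out of the front-page HTML) can be reproduced offline. As an added example, not hackertarget's code or the post's own, here is a Python routine that extracts `/wp-content/plugins/<slug>/` references and their `?ver=` versions from constructed HTML and grades them the way the report does; the "latest release" table is an assumption built from the versions in the report, and a real run would fetch it from the wordpress.org plugin API.

```python
import re
from typing import Dict, List, Tuple

# Constructed front-page HTML; plugin slugs and versions mirror the scan above.
SAMPLE_HTML = """
<link rel='stylesheet' href='https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.2'>
<script src='https://example.test/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=3.0.7'></script>
<script src='/wp-content/plugins/js_composer/assets/js/dist/js_composer_front.min.js'></script>
<script src="/wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.2.2"></script>
"""

# Assumed "latest" releases for this example (values from the report above).
LATEST: Dict[str, str] = {"contact-form-7": "5.3.2", "woocommerce": "4.8.0"}

# Plugin slug after /wp-content/plugins/, then the rest of the asset path up to
# the closing quote, capturing a trailing ?ver= query when the theme exposes one.
PLUGIN_RE = re.compile(
    r"/wp-content/plugins/([A-Za-z0-9_-]+)/[^\s'\"]*?(?:\?ver=([0-9][0-9.]*))?['\"]"
)

def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.3.2' -> (5, 3, 2); '' -> () so unknown versions sort lowest."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def detect_plugins(html: str) -> Dict[str, str]:
    """Map plugin slug -> highest version seen ('' when no ?ver= is exposed)."""
    found: Dict[str, str] = {}
    for slug, version in PLUGIN_RE.findall(html):
        if slug not in found or version_tuple(version) > version_tuple(found[slug]):
            found[slug] = version
    return found

def assess(html: str, latest: Dict[str, str] = LATEST) -> List[Tuple[str, str, str]]:
    """Return (slug, seen_version, status) rows like the report's plugin table."""
    rows: List[Tuple[str, str, str]] = []
    for slug, version in sorted(detect_plugins(html).items()):
        if slug not in latest or not version:
            status = "Unknown"      # no version exposed or no reference release
        elif version_tuple(version) < version_tuple(latest[slug]):
            status = "Warning"      # older than the known latest release
        else:
            status = "Current"
        rows.append((slug, version, status))
    return rows
```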

Offline polonus

Re: Tests and other Media topics
« Reply #863 on: January 04, 2021, 03:52:34 PM »
Is this analyzer trustworthy: https://www.easycounter.com/report/pamcdn.avast.com ?

Does this work: https://sur.ly/web-safety-tools (as a Google extension)?

polonus
« Last Edit: January 04, 2021, 04:24:38 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #864 on: January 18, 2021, 10:08:38 PM »
Another real time website privacy inspector:
https://themarkup.org/blacklight

Enjoy, my good friends, enjoy,

polonus