Author Topic: Tests and other Media topics  (Read 178038 times)

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30833
  • malware fighter
Re: Tests and other Media topics
« Reply #615 on: August 27, 2018, 06:28:36 PM »
Important today is to know who is tracking you, and who and what to block inside your browser of choice.

Who is tracking you? Find out here: https://whotracks.me/trackers/adriver.html
Related to https://whotracks.me/trackers/aidata.io.html (mind you, several IPs may point to various Autonomous Systems),
Re: https://urlscan.io/domain/ssp.adriver.ru

Re: https://urlquery.net/queue/6866f928-a6f6-4093-aadf-81537d7faeab

https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=eDAxLnxbI3x0fC5bXWAwLmdbZjxwWyM9fFBQTntYVVMmWyM9NDE0Njg3NTA2NzkwMzEyOTU1OCZifF5rPXwjfVtWe30%3D~enc

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Tests and other Media topics
« Reply #616 on: September 02, 2018, 12:24:21 AM »
Interesting DNS, SSL/TLS, HTTP and HTML results scanner, example:
https://www.htmlyse.com/htmlyse/rules.quantcount.com

Enjoy my friends, enjoy,

A tester online (do not abuse) - http://iseebug.com/XSSOnline/

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #617 on: September 04, 2018, 05:40:20 PM »
Checking for PHP vulnerabilities, mainly through JavaScript:
What did we check? -> echo"%20<a%20href=$userfile_name><center><b>Sucess%20Upload%20:D%20==>%20$userfile_name</b></center></a>"; from: hxtps://github.com/Moham3dRiahi/XAttacker/blob/master/XAttacker.php

Analysis at http://www.devbug.co.uk/# produced Line 21: Cross-Site Scripting (XSS) in 'echo' via '$userfile_name'

polonus
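
The flagged line writes the uploaded file name into an unquoted `href` and into the link text without encoding. The same output with per-context encoding, as an added example that is not code from the post or from the scanned file; `upload_link()` and the `/uploads/` path are hypothetical:

```php
<?php
// Added example; not code from the original post or the scanned file.
declare(strict_types=1);

/**
 * Build the "upload stored" link for a client-supplied file name.
 * $uploadDir is a hypothetical public path used for illustration.
 */
function upload_link(string $clientName, string $uploadDir = '/uploads/'): string
{
    // Keep only the bare name; drop any directory part the client sent.
    $name = basename(str_replace('\\', '/', $clientName));

    // URL context: percent-encode the name as one path segment.
    $href = $uploadDir . rawurlencode($name);

    // HTML context: encode for a quoted attribute and for element text.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

    return sprintf(
        '<a href="%s"><b>Upload stored as %s</b></a>',
        htmlspecialchars($href, $flags, 'UTF-8'),
        htmlspecialchars($name, $flags, 'UTF-8')
    );
}

// Constructed sample input: a file name containing quotes and angle brackets.
$sample = 'report "final" <draft>.png';
echo upload_link($sample), PHP_EOL;
```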

Offline polonus

Re: Tests and other Media topics
« Reply #618 on: September 16, 2018, 07:29:44 PM »
Handy shortcuts for Google Chrome when your cursor has been hacked through fraudulent helpdesk malware.
ALT-TAB to return to the desktop.
ALT-F4 and close Command-W
Esc stops page from loading

Various Google Chrome shortcuts that everyone that only swipes and clicks should learn by heart:
https://www.computerhope.com/shortcut/chrome.htm

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #619 on: September 21, 2018, 02:50:08 PM »
1500 websites hackable with the latest WordPress helpdesk fraud attack:
Read: http://labs.sucuri.net/?note=2018-09-18

Example of a query for vulnerable websites:
https://publicwww.com/websites/%22String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+115%2C+111%2C+109%22/

-publicwww.com is a special search engine to search for compromised and/or compromisable websites, a bit like Shodan.
For instance: https://exploits.shodan.io/?q=String.fromCharCode 
Do not go there, when you plan evil, as all you do is being logged.  :D

But for security researchers it is a trove of treasures.  ;)  8)

polonus
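
A site owner can look for the same marker in their own pages and read what it hides without running it. An added example, not part of the original post, that decodes literal `String.fromCharCode(...)` arguments statically; the function name and the sample markup are constructed for illustration, and the mbstring extension is assumed:

```php
<?php
// Added example; not code from the original post.
declare(strict_types=1);

/**
 * Find String.fromCharCode(...) calls with literal decimal arguments and
 * return the text they spell, without executing any script.
 *
 * @return array<int, array{offset: int, decoded: string}>
 */
function decode_fromcharcode(string $source, int $minCodes = 5): array
{
    $hits = [];
    $pattern = '/String\s*\.\s*fromCharCode\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/';
    preg_match_all($pattern, $source, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE);

    foreach ($matches as $m) {
        $codes = array_map('intval', preg_split('/\s*,\s*/', $m[1][0]));
        if (count($codes) < $minCodes) {
            continue; // short calls are common in legitimate scripts
        }
        $text = '';
        foreach ($codes as $code) {
            // mb_chr() returns false for values that are not valid code points.
            $ch = ($code <= 0xFFFF) ? mb_chr($code, 'UTF-8') : false;
            if ($ch !== false) {
                $text .= $ch;
            }
        }
        $hits[] = ['offset' => $m[0][1], 'decoded' => $text];
    }
    return $hits;
}

// Constructed sample: markup using the character codes from the search query above.
$sample = '<script>var x = String.fromCharCode(118, 97, 114, 32, 115, 111, 109);</script>';
foreach (decode_fromcharcode($sample) as $hit) {
    printf("offset %d: %s\n", $hit['offset'], json_encode($hit['decoded']));
}
```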

Offline polonus

Re: Tests and other Media topics
« Reply #620 on: September 28, 2018, 03:24:57 PM »
Have your mail accounts ever been compromised?
Find out here: https://monitor.firefox.com/scan

For one of my mail accounts this showed up, have long changed passwords in the meantime.
Quote
Example: Malwarebytes
Breach date: November 15, 2014
Compromised accounts: 111,623
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity

Breach data are being provided by: https://www.haveibeenpwned.com/

N.B. If you feel uncomfortable scanning, do not!
I know of several users here on the forums, that won't risk going to haveibeenpwned dot com for instance.


Damian aka polonus

Offline polonus

Re: Tests and other Media topics
« Reply #621 on: September 29, 2018, 10:35:41 PM »

Offline polonus

Re: Tests and other Media topics
« Reply #622 on: October 05, 2018, 10:56:43 PM »
Abuse IP base: https://www.abuseipdb.com/check/5.188.10.76
Bad ip resource to check against: https://www.bytefarm.ch/fail2ban/
Reporting: ip   hostname   tor   country   filter(s)   first reported   last reported   hits   reported by'..'
-5.188.10.76   -5.188.10.76   n    [RU] Russian Federation   sshd   06.06.2018 15:46.03 GMT+0200   13.09.2018 00:08.37 GMT+0200   11   2 host(s)

On belated reporting read: https://abuse.ch/blog/measuring-reaction-time-of-abuse-desks/

and check: https://urlhaus.abuse.ch/browse.php?search=5.188.10.76

Another interesting SSL resource bad certs: https://sslbl.abuse.ch/

Incidents as detected on AS: (random example) https://abuse.shaunc.com/incidents/about/AS16276/

A fail2ban repository from a home address: https://jackfarrand.uk/admin/

Another resource: https://packettotal.com/app/analysis?id=7b770d9a70d575f66e8778b0bb5bdf8e&name=conn

list of bruteforcers: https://home.nuug.no/~peter/bruteforcers.txt

attackers going on: https://attackers.ongoing.today/httpd.txt

another drop of attackers: https://report.cs.rutgers.edu/DROP/attackers

SSH honeypot: https://otx.alienvault.com/pulse/5b8fd4d62f7c866a98fcf80b

spam emitters: https://www.megarbl.net/asncheck/AS16276

POWER DNS queries for non-existent records for existing domains:
https://ns1.fast.qa/?ring=nxdomain-queries

So some lists abuse galore  >:( :D

polonus
« Last Edit: October 06, 2018, 12:13:38 AM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #623 on: October 14, 2018, 08:47:10 PM »
Links to check on spam-IPs:
Found at: https://github.com/stamparm/ipsum  in its Hall of Shame.
Checked for higher minFraud Score: https://www.maxmind.com/en/high-risk-ip-sample/171.25.193.25
Forum spam checker: https://www.stopforumspam.com/ipcheck/171.25.193.25
At project honeypot's: https://www.projecthoneypot.org/ip_171.25.193.25
Green Snow list: https://greensnow.co/view/171.25.193.25
WatchGuard RepAuthority's list check: http://www.reputationauthority.org/lookup.php?ip=tor-exit5-readme.dfri.se
In beta: http://beta.brightcloud.com/tools/url-ip-lookup.php

Enjoy, my friends, enjoy,

polonus

P.S. And to say with my good friend, Pondus, it is always a good idea to check IPs against VT:
https://www.virustotal.com/#/ip-address/171.25.193.25

Damian

« Last Edit: October 14, 2018, 09:34:44 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #624 on: October 17, 2018, 11:48:01 PM »
Known CMS still accept older PHP versions and accordingly vulnerabilities (Drupal, Joomla, WordPress)

Check your code online at the PHPStan Playground...
checked vulnerable code like
Quote
<?
session_start();
include (“../config.php”);
echo $loggedin;

if ($loggedin != “1”){
header(“Location: http://www.google.com”); /* Redirect browser */

}

{
echo “Will this code Get executed?”;
}?>
Where we stumble upon
Quote
unexpected T_STRING, expecting ';'
in line 12 - While testing a web application today, I noticed an unusual 302 HTTP response. Normally a 302 response just has a header and no HTML code, because it's meant to be redirecting you to the page cited in the 'Location' field of the HTTP header. The 302 response had the HTML code which will be presented to the authenticated admin user, but we didn't have the admin credentials. So, how are we seeing this code? After analyzing the 302 redirect response, we concluded that this was the result of insecure coding. Info credits go to Tesjawi.

So not escaping quotes in the string, of course it's not going to work.
Just add a \ before the " in the <input> tag and you are good to go.
(pol).

Check with PHP malware finder: https://github.com/nbs-system/php-malware-finder/

Enjoy, my good friends, enjoy, and remember PHP often can be inherently insecure.

Encrypted with Yellowpipe's Code Source Encrypter it looks like
Quote
<script>
<!--
document.write(unescape("%3C%3F%0Asession_start%28%29%3B%0Ainclude%20%28%u201C../config.php%u201D%29%3B%0Aecho%20%24loggedin%3B%0A%0Aif%20%28%24loggedin%20%21%3D%20%u201C1%u201D%29%7B%0Aheader%28%u201CLocation%3A%20http%3A//www.google.com%u201D%29%3B%20/*%20Redirect%20browser%20*/%0A%0A%7D%0A%0A%7B%0Aecho%20%u201CWill%20this%20code%20Get%20executed%3F%u201D%3B%0A%7D%3F%3E"));
//-->
</script>
  file: 368a84ccc831bea70c7649b7ce50c0abea9c4557: 412 bytes
     file: c01a81e4621b7a3059b2257cffb9f2c743efd250: 223 bytes

Decoded Files
368a/84ccc831bea70c7649b7ce50c0abea9c4557 from script (412 bytes, 4 hidden) download
coded source: c01a/81e4621b7a3059b2257cffb9f2c743efd250 from script (223 bytes)

polonus
« Last Edit: October 17, 2018, 11:59:41 PM by polonus »
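
The redirect in the quoted snippet does not stop the script, which is why the 302 response described above still carried the admin HTML. A corrected guard, as an added example that is not part of the original post; the `loggedin` session key and the `/login.php` path are assumptions:

```php
<?php
// Added example; not code from the original post.
declare(strict_types=1);

session_start();

/**
 * Redirect unauthenticated requests and stop the script.
 * The 'loggedin' session key and $loginUrl are assumptions for this example.
 */
function require_login(string $loginUrl = '/login.php'): void
{
    // Strict comparison: only the boolean true set at login counts.
    if (($_SESSION['loggedin'] ?? false) === true) {
        return;
    }

    // header() only queues a response header. The client decides whether
    // to follow it, and PHP keeps executing the rest of the file.
    header('Location: ' . $loginUrl, true, 302);

    // Ending the request here is what keeps the protected output below
    // out of the body of the 302 response.
    exit;
}

require_login();

// Reached only when the session is authenticated.
echo 'Admin content';
```

Requesting the guarded page with `curl -i` (which does not follow redirects) should show the 302 status line and headers with an empty body.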


Offline polonus

Re: Tests and other Media topics
« Reply #626 on: October 22, 2018, 09:16:28 PM »
A not so known browser leak is known as TLS session resumption tracking,
set per default for seven days instead of the 10 hours several known security researchers propose.

This tracking is even more of a problem on Android devices,
where the browser sessions could stay open much longer.

Both Facebook and Google to abuse this security protocol for (third party) user tracking and monitoring.
When the user blocks an ad-tracking way, they find a way around this either this or that way.
It is just a big uneven cat and mouse game.

Read: https://www.theregister.co.uk/2018/10/19/tls_handshake_privacy/

But there are many more ways to track someone through a browser at the cost of privacy.

Test: Notable testing websites:

https://browserleaks.com/

https://whoer.net/

https://ip-check.info/?foundHTTPS=true

https://panopticlick.eff.org/

https://www.doileak.com/

Also read here: https://www.reddit.com/r/privacy/comments/8221hn/tob_ios_browser_vs_duck_duck_go_ios_browser_vs/
Do not understand why some block reddit now as being a form of  "fake news"?

polonus (volunteer website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #627 on: October 25, 2018, 12:38:51 AM »
Feeds: https://app.cymon.io/feeds  with various malware trackers.

There are loads, like this one: https://urlhaus.abuse.ch/browse/

polonus
« Last Edit: October 25, 2018, 12:43:54 AM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #628 on: October 25, 2018, 12:33:49 PM »
Multiple 0-days in Magecart: https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/

An older object injection exploit from 2014 was again being used:
Re: https://websec.wordpress.com/2014/12/08/magento-1-9-0-1-poi/

And a dangerous PHP function was being abused: http://php.net/manual/en/function.unserialize.php

Check:  https://www.functions-online.com/unserialize.html

polonus
« Last Edit: October 25, 2018, 12:38:26 PM by polonus »
