Author Topic: Tests and other Media topics  (Read 579268 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #675 on: May 22, 2019, 09:12:19 PM »
Fine resources: http://www.scada-radar.com/protocol.php?protocol=BACnet/IP
This in the light of a Delphi malcode dropper like the malicious protocol.php (analysis of the Zebrocy dropper).

But the website we visit here with that scanner needs some jQuery libraries to be retired:
Quote
Retire.js
bootstrap 3.3.4   Found in http://www.scada-radar.com/js/bootstrap.min.js
Vulnerability info:
High    28236  XSS in data-template, data-content and data-title properties of tooltip/popover   CVE-2019-8331
Medium  20184  XSS in data-target property of scrollspy   CVE-2018-14041
Medium  20184  XSS in collapse data-parent attribute   CVE-2018-14040
Medium  20184  XSS in data-container property of tooltip   CVE-2018-14042
jquery 1.11.3   Found in https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js
Vulnerability info:
Medium  2432   3rd party CORS request may execute   CVE-2015-9251
Medium  11974  parseHTML() executes scripts in event handlers   CVE-2015-9251
Medium  jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   CVE-2019-11358
jquery 1.8.2   Found in http://www.scada-radar.com/js/jquery_1_8_2.min.js
Vulnerability info:
Medium  11290  Selector interpreted as HTML   CVE-2012-6708
Medium  2432   3rd party CORS request may execute   CVE-2015-9251
Medium  11974  parseHTML() executes scripts in event handlers   CVE-2015-9251
Medium  jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   CVE-2019-11358

Only minor site improvement recommendations, 16 in all: https://webhint.io/scanner/a1cf7fd6-fd7d-4233-ba98-e17de6b6c7e1

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: May 22, 2019, 09:16:15 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
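An added worked example, not from polonus's post and not the jQuery project's code, for the CVE-2019-11358 finding that Retire.js reports against both jQuery versions above. The functions below are a stripped-down re-implementation of the jQuery.extend(true, ...) pattern written for this page (deepExtendVulnerable, deepExtendSafe, demo and the JSON input are all constructed here). They show how an own "__proto__" key in parsed JSON reaches Object.prototype through the merge, and the kind of key check jQuery 3.4.0 added to stop it.

```javascript
// Added example (not jQuery's code): a stripped-down deep merge in the style of
// jQuery.extend(true, target, source) showing the CVE-2019-11358 class of bug
// (prototype pollution) and the fix. Run with: node this_file.js

// jQuery-style "plain object" test. Note it returns true for objects with a null
// prototype, which includes Object.prototype itself; that detail is what the
// vulnerable merge trips over.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// VULNERABLE: iterates every key of source, including an own "__proto__" key
// produced by JSON.parse. target["__proto__"] reads Object.prototype, which
// passes isPlainObject, so the recursion writes straight into Object.prototype.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const copy = source[key];
    if (isPlainObject(copy)) {
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// HARDENED: skip the keys that reach the prototype chain and only recurse into
// properties the target itself owns, never into inherited ones.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const copy = source[key];
    if (isPlainObject(copy)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Merge a constructed attacker-controlled JSON document (think: a settings object
// posted to an endpoint) into defaults, then check whether an unrelated object
// created afterwards inherited the injected property.
function demo(extendFn) {
  const untrusted = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');
  const settings = extendFn({ theme: 'light' }, untrusted);
  const bystander = {};
  const polluted = bystander.isAdmin === true;
  delete Object.prototype.isAdmin;   // undo the damage so the rest of the process is unaffected
  return { theme: settings.theme, polluted };
}

console.log('vulnerable:', demo(deepExtendVulnerable)); // { theme: 'dark', polluted: true }
console.log('hardened:  ', demo(deepExtendSafe));       // { theme: 'dark', polluted: false }
```

Both merges copy "theme" correctly; only the hardened one leaves Object.prototype alone. The same key filter is what to look for when a site keeps an old jQuery: if nothing merges untrusted JSON with extend(true, ...), the CVE is unreachable, but Retire.js cannot know that, so the safe answer is still to upgrade.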

Re: Tests and other Media topics
« Reply #676 on: June 17, 2019, 10:32:30 PM »
Check sites against https://urlhaus.abuse.ch/url/209727/ detection.
Version does not appear to be the latest 5.2.1 - update now. Rep. check warning -
checked at https://hackertarget.com/wordpress-security-scan/
checked IP for relations: https://www.virustotal.com/gui/ip-address/150.95.52.111/relations
checked at sucuri's: https://sitecheck.sucuri.net/results/https/blogmason.mixh.jp
checked for web app attacks, brute force attacks etc.: https://www.abuseipdb.com/check/150.95.52.111
checked against phishing lists: https://checkphish.ai/ip/150.95.52.111
submitted here: https://urlscan.io/result/fddcd2bb-841c-4c44-bbcc-a7f276c3cb73
check on IP: https://censys.io/ipv4/150.95.52.111

enjoy,

polonus
Re: Tests and other Media topics
« Reply #677 on: June 23, 2019, 12:07:11 AM »
Malicious JA3 fingerprints to fingerprint SSL/TLS client applications. In the best case, you can use JA3 to identify malware traffic that is leveraging SSL/TLS.
However, mind that these fingerprints have not been tested against known good traffic yet and may cause a significant amount of FPs!

Find them here: https://sslbl.abuse.ch/ja3-fingerprints/   compare with findings here: https://urlhaus.abuse.ch/browse/

pol

Re: Tests and other Media topics
« Reply #678 on: June 23, 2019, 10:35:41 PM »
Your browser knows all about you, all and everything.
What is going on under the hood?


Read this extensive paper by Sally Vandeven:
https://www.sans.org/reading-room/whitepapers/authentication/ssl-tls-whats-hood-34297

also read: https://en.wikipedia.org/wiki/Public-key_cryptography

And again polonus says, check and test it: http://codefromthe70s.org/certcheck.aspx

polonus

Re: Tests and other Media topics
« Reply #679 on: June 27, 2019, 08:22:54 AM »
Mozilla makes online tracking visible.

Give those surveillance capitalistic trackers something to chew on.

See: https://trackthis.link/

It does not bring back the happy days of the freebie Interwebz, like we knew it once,
the happy days before vendor lock-in came to hold us all as hostages,
but on the fringes of the existing commercial internet,
innovation will help us all against the almighty Big Brother Data Grabbers.

polonus
Re: Tests and other Media topics
« Reply #681 on: July 05, 2019, 07:42:13 PM »
Websites that frustrate the use of alternative browsers:
https://www.theregister.co.uk/2002/10/25/alternative_browser_villains_named/

Banks and Linux Browsers - a (in)compatibility oversight:
http://www.starnix.com/banks-n-browsers.html

Mozilla's browser DoH policy was attacked by regulators because it helps in circumventing UK provider filters;
Mozilla is now seen as a kind of "villain" browser by UK providers.
The only reason is that providers now have to look for alternative ways to make their content filters function.

polonus
« Last Edit: July 05, 2019, 07:44:11 PM by polonus »
Re: Tests and other Media topics
« Reply #682 on: July 11, 2019, 05:01:56 PM »
Privacy issues and security issues are often related.

How to scan for them?

1. Rendering as a normal browser would - extensive report:
https://webcookies.org/cookies/dmstreeremoval.com.au/27913092?662402

2. 2 vulnerable and retirable jQuery libraries detected:
https://retire.insecurity.today/#!/scan/875a8bdadc0d2f7b324b9f54c858fd715e6306b13b290027a63c362f60401a12

3. Data Layer check: 2 {data}
{
   "0": "config",
   "1": "UA-109165814-1"
}
&
{
   "0": "js",
   "1": "2019-07-11T14:12:41.413Z"
}

4. Trackers (from -> to):
-dmstreeremoval.com.au -> -dmstreeremoval.com.au
-dmstreeremoval.com.au -> -dmstreeremoval.com.au
-dmstreeremoval.com.au -> -dmstreeremoval.com.au
-fonts.googleapis.com -> -fonts.googleapis.com
-fonts.gstatic.com

5. Always consider these scan results: https://www.virustotal.com/gui/url/9fafcfbfa5bdd5456d5c525427d8808cb17b9d8c09697cafd03c5a1bbcb80903

6. Overall warnings: https://privacyscore.org/site/141978/

Cache-Control, X-Frame-Options, Content-Security-Policy headers not set or not following best policies.
No form autocomplete settings set. Source: RECX Security Analyser extension results.

7. 1 out of 10 risk on https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fdmstreeremoval.com.au%2F

8. detections on IP relations: https://www.virustotal.com/gui/ip-address/162.243.29.224/relations

9. Mainly check for cloaking and weird redirects, not here: http://isithacked.com/check/https%3A%2F%2Fdmstreeremoval.com.au%2F

10. DOM-XSS results:
Quote
Results from scanning URL: -https://dmstreeremoval.com.au
Number of sources found: 4
Number of sinks found: 249

Results from scanning URL: -https://dmstreeremoval.com.au/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 32
Number of sinks found: 13

Results from scanning URL: -https://dmstreeremoval.com.au/wp-content/plugins/photoswipe-masonry/photoswipe-masonry.js?ver=4.9.8
Number of sources found: 14
Number of sinks found: 4

Results from scanning URL: -https://dmstreeremoval.com.au/wp-content/plugins/photoswipe-masonry/photoswipe-dist/photoswipe-ui-default.min.js?ver=4.9.8
Number of sources found: 12
Number of sinks found: 2

Results from scanning URL: -https://dmstreeremoval.com.au/wp-includes/js/jquery/ui/core.min.js?ver=1.11.4
Number of sources found: 44
Number of sinks found: 33

Results from scanning URL: -https://dmstreeremoval.com.au/wp-content/plugins/kiwi-logo-carousel/third-party/jquery.bxslider/jquery.bxslider.js?ver=4.9.8
Number of sources found: 12
Number of sinks found: 12

11. Also a scan for the PHP-driven WordPress CMS at https://hackertarget.com/wordpress-security-scan/
Reputation Check
PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK
Web Server:
Apache/2.4.6
X-Powered-By:
PHP/7.1.8
IP Address:
-162.243.29.224
Hosting Provider:
DigitalOcean 
Shared Hosting:
276 sites found on -162.243.29.224

12. Outdated software on the web server and for WordPress and missing security headers qualified it as a High Risk site at:
https://sitecheck.sucuri.net/results/https/dmstreeremoval.com.au

13. Total of 13 direct threats detected here: https://app.upguard.com/webscan#/https://dmstreeremoval.com.au
Security Checks for -https://dmstreeremoval.com.au
Quote
(2) Vulnerabilities can be uncovered more easily
(4) Susceptible to man-in-the-middle attacks
Vulnerabilities
(2) Emails can be fraudulently sent
(3) Unnecessary open ports
DNS is susceptible to man-in-the-middle attacks

14. https://urlscan.io/result/9cf81b77-d79f-4aa5-9d65-ce5be4f715c8

Verdict: non-malicious, non-suspicious site; outdated software and server software, so a High Risk website,
with various security issues and best policies not being implemented. Looks good, less secure.
Security is often a last-resort thing in website development and also in maintaining websites.

Enjoy checking your websites, folks,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: July 11, 2019, 05:55:07 PM by polonus »

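An added example for the DOM-XSS source/sink counts in item 10 of the post above; it is not the scanner polonus used and not code from the post. It runs a regex source/sink pass over two constructed scripts (slider.js and search.js, written for this example, not taken from any site) and flags only the lines where a source and a sink meet, which makes visible both what such counts capture and what they miss.

```javascript
// Added example (not the scanner behind the quoted results): a heuristic
// source/sink pass over JavaScript text, to show what "sources found / sinks
// found" counts mean and what they miss. Run with: node this_file.js

// Where attacker-controlled strings enter a page.
const SOURCE_PATTERNS = [
  /\blocation\.(hash|search)\b/g,
  /\bdocument\.(URL|documentURI|referrer|cookie)\b/g,
  /\bwindow\.name\b/g,
];
// Where a string becomes markup or code.
const SINK_PATTERNS = [
  /\.(innerHTML|outerHTML)\s*=/g,
  /\binsertAdjacentHTML\s*\(/g,
  /\bdocument\.write(ln)?\s*\(/g,
  /\beval\s*\(/g,
  /\bnew\s+Function\s*\(/g,
  /\.html\s*\(/g,                   // jQuery .html()
];

function countMatches(text, patterns) {
  let n = 0;
  for (const re of patterns) n += (text.match(re) || []).length;
  return n;
}

// Count sources and sinks over the whole script, then flag only the lines where a
// source and a sink sit in the same statement: the first place to look by hand.
function scanScript(name, code) {
  const flows = [];
  code.split('\n').forEach((line, i) => {
    if (countMatches(line, SOURCE_PATTERNS) && countMatches(line, SINK_PATTERNS)) {
      flows.push({ line: i + 1, text: line.trim() });
    }
  });
  return { name, sources: countMatches(code, SOURCE_PATTERNS), sinks: countMatches(code, SINK_PATTERNS), flows };
}

// Constructed sample scripts (not from any real site).
const SAMPLE_SCRIPTS = {
  // Three sinks, zero sources: every sink gets a constant string, so nothing to fix.
  'slider.js': [
    "var box = document.getElementById('slider');",
    "box.innerHTML = '<ul class=slides></ul>';",
    "document.write('<div id=loader></div>');",
    "box.insertAdjacentHTML('beforeend', '<li></li>');",
  ].join('\n'),
  // Two sources, two sinks. Line 3 is flagged (source and sink on one line).
  // Line 2 is NOT flagged although q is tainted by line 1: a same-line heuristic
  // has no data-flow, which is why counts alone are not a verdict.
  'search.js': [
    "var q = decodeURIComponent(location.search.slice(3));",
    "document.getElementById('msg').innerHTML = 'Results for ' + q;",
    "document.getElementById('hint').innerHTML = 'Tag: ' + location.hash.slice(1);",
  ].join('\n'),
};

function scanAll(scripts) {
  return Object.entries(scripts).map(([name, code]) => scanScript(name, code));
}

for (const r of scanAll(SAMPLE_SCRIPTS)) {
  console.log(`${r.name}: sources=${r.sources} sinks=${r.sinks} flagged=${r.flows.map((f) => f.line).join(',') || '-'}`);
}
```

The flagged line is where to start reading; the tainted variable on line 2 of search.js is the false negative of any same-line heuristic. So a "249 sinks" figure like the one quoted is a reading list for a manual check (or for a real taint-tracking tool), not a count of vulnerabilities.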
Re: Tests and other Media topics
« Reply #684 on: July 25, 2019, 12:24:44 AM »
Rather specific and fully random source: https://libraryofbabel.info/
A treat for full encryption lovers. See for instance: https://libraryofbabel.info/anglishize.cgi?

Info credits go to Sabroni at https://forums.theregister.co.uk/forum/all/2019/07/23/us_encryption_backdoor/

When nobody has full encryption, only cybercriminals will have it. Think of it, folks.
Do you want to hand over your general key(s), please  :(

polonus


Re: Tests and other Media topics
« Reply #685 on: August 08, 2019, 09:56:22 AM »
Resource Blocked Servers: https://www.blockedservers.com/
because of http://gladesoft.com:8080/logs & https://urlhaus.abuse.ch/url/223109/ etc.
10 red out of 10 Netcraft risk: https://toolbar.netcraft.com/site_report?url=http%3A%2F%2F218.61.16.142
7 detected URLs: https://www.virustotal.com/gui/ip-address/218.61.16.142/details
Blocked because associated with a trojan: Updated by 54.70.118.129 (Amazon Boardman) 1 week, 6 days ago
tcpwrapped http       Microsoft-IIS/6.0 (Chinese mainland mono-culture server).
On many block- and blacklists. Various online/offline threats: https://urlhaus.abuse.ch/host/218.61.16.142/

Another example: https://www.blockedservers.com/blocked/ipv4/51.77.95.123/  status clear
See: https://urlhaus.abuse.ch/url/223102/  conflicting results?

More resources, for Africa: https://threathaus.com/browse 

For Mirai: https://mirai.security.gives/index.php?search=109.97.51.62
http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt
Poor Roque: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/ciarmy.ipset

Also consider: https://nl.ipshu.com/whois_ipv4/115.193.112.213 (random example)
also found here: https://malwareworld.com/textlists/suspiciousIPs.txt
and here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/alienvault_reputation.ipset
and http://server3.pubres.cz/webalizer/webalizer.current
Compare: https://www.joesandbox.com/analysis/49409/0/html#domains
and https://www.abuseipdb.com/check/37.21.44.76
See: https://github.com/zabojcaspamu/spamassassin_rules/blob/master/local.cf.BL.ZABOJCASPAMU

Various resources: https://zeltser.com/malicious-ip-blocklists/


polonus
« Last Edit: August 08, 2019, 07:30:34 PM by polonus »
Re: Tests and other Media topics
« Reply #686 on: August 08, 2019, 07:42:32 PM »
Address still launching malware:
Quote
2019-08-08 17:27:05   -http://patogh-7f.rozblog.c ...   79.127.127.68   IR   JS/CoinMiner.AH potentially unwanted application
Re: https://otx.alienvault.com/indicator/ip/79.127.127.68  &  https://www.threatminer.org/host.php?q=79.127.127.68

polonus
Re: Tests and other Media topics
« Reply #688 on: August 12, 2019, 12:00:03 AM »
Website checks and CryptCheck:
https://urlscan.io/result/49f31b2f-0b76-4977-973c-131aa0124576/
https://urlscan.io/domain/www.esri.com
https://securityheaders.com/?q=www.esri.com&followRedirects=on
https://observatory.mozilla.org/analyze/www.esri.com#third-party & https://observatory.mozilla.org/analyze/www.esri.com
https://tls.imirhil.fr/https/www.esri.com
https://webhint.io/scanner/d4503ab6-e6ba-4664-8cd8-c00794392d9f#category-Security
Retire.js
jquery   1.12.4   Found in -https://www.esri.com/etc/clientlibs/esri-sites/components.a85066077ee6f134710aeddea8215009.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   

Console warning (Avast Secure Browser, Shift + Ctrl + I): A parser-blocking, cross-site (i.e. different eTLD+1) script, <URL>, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See <URL> for more details.
Why? Read here: https://developers.google.com/web/updates/2016/08/removing-document-write

polonus
« Last Edit: August 12, 2019, 12:03:02 AM by polonus »