Tests and other Media topics

[polonus]

Now apply this onto some IP addresses found in this report:
https://www.wordfence.com/blog/2020/05/one-attacker-rules-them-all/

As with most attack campaigns, the attacker frequently rotates IP addresses. At the moment, we are seeing attacks from these top 10 attacking IP addresses.

5.187.34.95 -> https://www.shodan.io/host/5.187.34.95
91.121.106.106 -> https://www.shodan.io/host/91.121.106.106  (see all the vulners there)
94.23.3.130 -> https://www.shodan.io/host/94.23.3.130 (see all the vulners there)
54.36.197.5 -> https://www.shodan.io/host/54.36.197.5 (see all the vulners there)
46.37.172.252 -> https://www.shodan.io/host/46.37.172.252 (with a great many vulnerabilities)
104.238.222.178 -> https://www.abuseipdb.com/check/104.238.140.243
2001:41d0:2:482:: -> https://www.abuseipdb.com/check/2001:41d0:2:482::
104.236.133.77 -> https://www.abuseipdb.com/check/104.236.133.77
2001:41d0:c:c3d:: -> https://www.abuseipdb.com/check/151.80.25.182
151.80.25.182

polonus

[polonus]

But there is more - domainnames found as connected with malcode:
https://www.virustotal.com/gui/url/629ada9a00e95b0408597f3fcfaf3c7d59355642372aee6e21bc1fa085bfa8e8/details
and IP relations (with 5 detections): https://www.virustotal.com/gui/ip-address/162.241.65.79/relations
net.net powered by vesta Coming Soon (must mean malware coming soon  ).

<title>net.net — Coming Soon</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="description" content="This is a default index page for a new domain.">
    <style type="text/css">

See: https://www.shodan.io/host/162.241.65.79  Unified Layer abuse (various vulnerabilities listed).

22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp  open  http    nginx
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: nginx
|_http-title: net.net &mdash; Coming Soon
443/tcp open  ssl
|_http-server-header: nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1

IP found in this list: https://gist.github.com/techhelplist/a24726050000a0432032d3cb840feb16
meaning

188winerium.com   #phishing GBA 162.241.65.79, 2020-03-27
dahlgrenhouse.com   #phishing GBA 162.241.65.79, 2020-03-27
debramarchese.com   #phishing GBA 162.241.65.79, 2020-03-27
giovannirosania.com   #phishing GBA 162.241.65.79, 2020-03-27
h2hcareplus.com   #phishing GBA 162.241.65.79, 2020-03-27
hmefrontoffice.org   #phishing GBA 162.241.65.79, 2020-03-27
northportdentures.com   #phishing GBA 162.241.65.79, 2020-03-27
northportsmiles.com   #phishing GBA 162.241.65.79, 2020-03-27
odontobaranda.com   #phishing GBA 162.241.65.79, 2020-03-27
portcharlottebottox.com   #phishing GBA 162.241.65.79, 2020-03-27
southwestgeorgiaurology.com   #phishing GBA 162.241.65.79, 2020-03-27
swguro.com   #phishing GBA 162.241.65.79, 2020-03-27
wilkumhome.com   #phishing GBA 162.241.65.79, 2020-03-27
wilmerdental.com   #phishing GBA 162.241.65.79, 2020-03-27
wilmerfranco.com   #phishing GBA 162.241.65.79, 2020-03-27

info credits go to Jay THL.

polonus

[polonus]

Normally when we are going to this address - MediaWiki code is not shown.
Whenever we scan for DOM XSS sinks and sources we stumble at:
Results from scanning URL: https://84.96.107.210/
Number of sources found: 6
Number of sinks found: 1
See attached code as txt
At shodan.io we see: https://www.shodan.io/host/84.96.107.210  plus various vulnerabilities mentioned.

But we can via 210.107.96.84.rev.sfr.net
and then we will land at Wiki PEPS: http://84.96.107.210/mediawiki/index.php/Accueil

and then we stumble upon retirable code like

Code: [Select]

mustache.js 0.8.2 Found in
-http://84.96.107.210/mediawiki/load.php?debug=false&lang=fr&modules=ext.collapsiblevector.collapsibleNav%7Cext.embedVideo%2Cpopups%7Cext.flaggedRevs.advanced%7Cext.popups.images%7Cjquery.accessKeyLabel%2CbyteLength%2CcheckboxShiftClick%2Cclient%2Ccookie%2CgetAttrs%2Chidpi%2ChighlightText%2Cmw-jump%2Csuggestions%2CtabIndex%2Cthrottle-debounce%7Cmediawiki.RegExp%2CTitle%2CUri%2Capi%2Ccldr%2Cexperiments%2CjqueryMsg%2Clanguage%2Cnotify%2CsearchSuggest%2Cstorage%2Ctemplate%2Cuser%2Cutil%7Cmediawiki.api.user%7Cmediawiki.language.data%2Cinit%7Cmediawiki.libs.pluralruleparser%7Cmediawiki.page.ready%2Cstartup%7Cmediawiki.template.mustache%2Cregexp%7Cmediawiki.ui.button%2Cicon%7Cmmv.bootstrap%2Chead%7Cmmv.bootstrap.autostart%7Coojs%2Csite%7Cskins.vector.js%7Cuser.defaults&skin=vector&version=1sm2d3j<br>Vulnerability info:
Medium pull request 530 weakness in HTML escaping
Number of XSS-DOM-sources found: 98
Number of XSS-DOM-sinks found: 59

polonus

[polonus]

What sites pay Adblock to be whitelisted?
Example here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=bXVsbHt9bXsjW3wuXX1n~enc
Re on IP: https://www.shodan.io/host/209.99.64.71

Interesting survey: https://jacobsalmela.com/2015/03/16/find-out-what-sites-paid-to-be-whitelisted-from-adblock-plus/

Or the way polonus did it: https://www.shodan.io/search?query=X-Adblock-Key%3A
and an example of a result found that way: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=MTk5LjU5LjI0Mi4xNTBg~enc

Consider: https://sitereport.netcraft.com/?url=http://199.59.242.150
Two engines to detect: https://www.virustotal.com/gui/ip-address/199.59.242.150/detection
IP relations: https://www.virustotal.com/gui/ip-address/199.59.242.150/relations

QED,

pol

[polonus]

Check a website for reputation: https://talosintelligence.com/reputation_center/lookup?search=www.leader-price.pl
See: https://urlscan.io/result/c617e91f-000f-4e94-8081-fd470da4d52d/
And here: https://www.islegitsite.com/ Potentially legit.
Listed here: http://multirbl.valli.org/lookup/www.leader-price.pl.html

801   www.leader-price dot pl   fmb.la sa   sa.fmb.la   Not listed
7   -www.leader-price.pl   Hostkarma   -hostkarma.junkemailfilter.com   Listed
    Query:   
-www.leader-price.pl.hostkarma.junkemailfilter.com
    A Record:   
127.0.2.3
    TTL:   
43200
    DB_rc:   
Familiar domain (older than 10 days)

On AS: https://urlscan.io/asn/AS16276

Combine with the results of a scan here: https://webcookies.org

Also compare: https://badpackets.net/botnet-c2-detections/  and results here: https://ipinfo.io/AS208666
-> -https://t.co/ZusFyn1YfH abuse from IP:  https://www.abuseipdb.com/check/37.49.226.220
and https://blackip.ustc.edu.cn/sshrawlist.php?ip=37.49.226.220 (info courtesy of China Education and Research Network Center, credits go there);

Re: https://www.iptolocation.net/trace-51.68.189.111  and at blackip, we see: zookeeper, www, weblogic, webadmin, user, uploader, ubuntu, test, svn, support, student, spark, postgres, oracle, odoo, marketing, jenkins, gituser, git, ftpadmin, ec2-user, demo, debian, db2inst1, centos, ansible, admin. See: https://sitereport.netcraft.com/?url=vps-f6793ddb.vps.ovh.net
See: https://sitereport.netcraft.com/?url=vps-f6793ddb.vps.ovh.net

pol

[polonus]

Is a website safe to visit? This one, -amco.xyz, is certainly not.

Checked at trustscam's: -damco.xyz here: https://trustscam.nl/damco.xyz
Redirecting -> https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=I3xtXl0ueHl6~enc
Consider second redirect: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Z3ZrfHoufCN1bHR0I3x0e3MuXl1tYF5gI3w1NyNeNTU1ezUwNTcyIzxzMT0xODk2NCZzMj03MzQwNCZqNj0x~enc
And  a third one : https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LjE4cGx1c3N0fXt8bS5ue3RgXmA0Xjh8NjY5YjgzezZeMiMzPCZebFtea19bIz1bXnV9aDV7I3swezQyNSMxZjg4NzUyMTI3MTYmczE9MTg5NjQmczI9NzM0MDQmczM9Ynxea3Vze30mczU9JmxwPU1KJmoxPSZqMj0majM9Jmo0PSZqNT0majY9MQ%3D%3D~enc

Location: -https://gvkaz.adulttdates.com/c/da57dcXXXXX0572d?s1=18XXX&s2=7XXX4&j6=1
Note: This line has redirected the request to -https://gvkaz.adulttdates.com/c/da57dXXXXX50572d?s1=1XXX4&s2=7XX04&j6=1
Even server address -ip-184-168-131-241.ip.secureserver.net at GoDaddy's is re-directing via an URL Shortener:
-https://shortener.secureserver.net/error_404 -> TypeError: Cannot read property 'set' of undefined
 /error_404:163   ERROR: The request could not be satisfied CloudFront reply..

ReferenceError: ReactDOM is not defined
 /error_404:203

<html>
<head>
<noscript>
<meta http-equiv="refresh" content="0; url=/?group_id=3560&keyword=1XX64&subid=xgsxl5ede01eddaXXXXX992268&hasJs=false&jsChecked=true" />
</noscript>
<script type="text/javascript">
window.location.href = '/?group_id=3XX0&keyword=18964&subid=xgsxl5ede01eddXXXXXXXXXX268&jsChecked=true';
</script>
</head>
<body></body>
</html>

DOM-XSS source & sink

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[polonus]

Zero-day exploit
Read: https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-
hernandez

Unpatched IP discovery, this is an "oldy but goldy" in the realm of tor-exploits  (info credits go to Dominik Bok)

Re: http://xordern.net/ip-leakage-of-mobile-tor-browsers.html

Especially be careful using Brave browser's private window with tor. (update and fully patch tor browser always)
Disable Autoplay, all kind of external multi-media elements can be loaded through internal multimedia players.
In this way the internal user IP-address can be discovered easily, even after 1 or 2 request for the running "raw http stream" content.

Check using Quick Source View extension in the browser to find out what normally is being loaded externally.
To use tor a tad more safely in a legit fashion this is very important.

This also could happen when no WebChromeClient for inline HTML5 Video on android had is being set.

Perfect all-round security will always be and stay an illusion,
and in the aforementioned case the facebook zero-day exploit helped to nail the child-abuser.
So as often repeated the credo is: "Don't do the crime, if you can't pay the time!".

But on the other hand it could also mean danger for legit users and journalist working amidst dictatorships
and for them such a facebook zero day would just mean bad luck and could potentially endanger their lives.

"When the going gets narrow , always keep your eye on the Tor-sparrow".
So it often is a cat-and-mouse game. And in the aforementioned case the authorities did win.
 (info credits go to xordern and luntrus)

<video controls="controls" autoplay="autoplay" poster="<=php file>">
                  
<source src="<=php file>" type="video/mp4" />
                  
</video>

]

Check for eventual IP leakage with HTML5 here:  http://xordern.net/checkip
For me Fire Onion on android seems secure.

Enjoy, my good friends, enjoy,

polonus

P.S. Also be aware not to land at a blacklisted exit node, example: https://cleantalk.org/blacklists/185.220.101.143
which there is being blacklisted by three instances.

D.

[polonus]

Interactions of Programming Languages being made visible:

https://exploring-data.com/vis/programming-languages-influence-network/#JavaScript

polonus

[polonus]

Weak PHP - PHP insecurity on websites (webserver).
While testing a particular website with Nibbler, I stumbled upon these:
-http://dorinfo.ru/
-http://dorinfo.ru/fines.php
-http://dowinfo.ru/PDD/php
-http://dorinfo.ru/contacts.php
-http://dorindo.ru/register.php

But there is more as we can establish from this public scan: code lines 123 - 128 ->
https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=I119W25mXS59dQ%3D%3D~enc

E.g: /news/addnews.php  -> XSS-DOM
Number of sources found: 4
Number of sinks found: 499

None: Results from scanning URL:
htXp://dorinfo.ru/bitrix/cache/js/s1/detailed/template_53dfdefb96a04a200ee821253e355c32/template_53dfdefb96a04a200ee821253e355c32_v1.js?1583321714934
Number of sources found: 0
Number of sinks found: 0

Results from scanning URL: -http://dorinfo.ru/bitrix/templates/test/js/custom.js
Number of sources found: 1
Number of sinks found: 0

And code from Results from scanning URL: -https://zeus-net.info/
Number of sources found: 7
Number of sinks found: 0
/*! nanoScrollerJS v0.7.2 (c) 2013 James Florentino; Licensed MIT */

Site being built with Citrix- JQuery etc. Scripts not vulnerable.

But Unique IDs about your web browsing habits have been insecurely sent to third parties.

2zdz5jXXXXXXXXXXvrku14zqvh9s2rkm -dorinfo.ruphpsessid  HTTP page.

On host: https://www.shodan.io/host/92.53.106.47

Site could bewhitelisted despite the lack of best security policies.

polonus

[polonus]

Website Origin Exposure Test: https://bitmitigate.com/origin-exposure-test.html

Stumbled upon this here: https://urlscan.io/result/44be362b-3303-45df-b26d-9ce187635717/
No origins exposed! Unless 45.88.202.115 is your origin

If your origin servers are exposed attackers can attack them directly and bypass any sort of protection you may have.
Many large CDN companies have bad design which allows for serious security vulnerabilities.

Where we tested for -com-find.info ( https://urlscan.io/result/eb5d63e7-3099-4a96-ac37-9d19113de972/ 0,
Bitdefender flags PHISHING -> Amazon-abuse -> https://www.virustotal.com/gui/url/ae8afb6f83c66624ec40e0565177076a8b5950d064fee17e32f5409c729abcbd/detection

Also we have met with a "412 Precondition Failed" see: https://www.shodan.io/host/54.72.9.51
Read: https://www.eukhost.com/kb/412-precondition-failed-error-solved/

polonus (volunteer 3rd party cold recon website security analyst and website eror-hunter)

[polonus]

Did you read this? https://www.reuters.com/article/us-alphabet-google-chrome-exclusive/exclusive-massive-spying-on-users-of-googles-chrome-shows-new-security-weakness-idUSKBN23P0JO
on chrome extension security? Already gone from the Webshop: https://awakesecurity.com/wp-content/uploads/2020/06/GalComm-Malicious-Chrome-Extensions-Appendix-B.txt

How to check before you install or already installed extensions?

Use CRXcavator (yep, rhymes with excavator): https://crxcavator.io/

Enjoy, my good friends, enjoy,

polonus

[polonus]

In website scanning you loose some online scanners and you gain some.

We lost scanners like urlquery dot net, old scan results can sometimes still be found in online archives.
We also lost clean mx as a publicly accessible resource, because of abuse and attacks by cybercriminals.

Sometimes you stumble onto promising new ones, like  https://webbkoll.dataskydd.net/en/results?url=

Use such online website scan resources  in combination with others like:
https://domainwat.ch/site/ & https://censys.io/ & https://www.nlnetlabs.nl/
& https://htbridge.com & https://luxsci.com/smtp-tls-checker
together with a whole row of others.

Enjoy, my good friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[polonus]

What to look for in a URL to catch a PHISH before it catches you!

Nice read-up on that subject: https://towardsdatascience.com/phishing-domain-detection-with-ml-5be9c99293e5
Info credits go to: Ebubekir Büber.

A PHISHING site is not to say all of the site is PHISHING. It could be one page, on a sub-domain or via a hacked website.

Look here: https://www.phishtank.com/phish_detail.php?phish_id=6651347 
or here: https://checkphish.ai/
and combine with a scan here: https://www.zonemaster.net/domain_check   

Also look for top level domain switches where an ending in com is the real McCoy and ending in dot org means a PHISH.
Look for obfuscated code and minnified JavaScript (or PHISHING on an account that has been suspended).

Also check here: http://ssl-checker.online-domain-tools.com/

polonus

[polonus]

Find the dork before the dork may find you.

Weak php and weak cgi exist, and it can be abused by attackers.

See a list like this one: https://gist.github.com/m0k1/ada77aacefe3dcae7bc2
or this one: https://itechhacks.com/latest-fresh-carding-dorks-2016/

Dorks can reveal where such weaknesses exist via a query in a specific searchengine, like for instance shodan.io.

It is the task of security a dork does not lead to an attack: https://cxsecurity.com/dorks/12

polonus

[polonus]

Checking on certificates, example: https://crt.sh/?q=avast.com

And in particular one of those: https://crt.sh/?id=49504394

polonus