Author Topic: Tests and other Media topics  (Read 584523 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Tests and other Media topics
« Reply #990 on: April 30, 2022, 11:04:06 AM »
Also interesting to check on (spam) mail-harvesters, random example starting here: https://www.projecthoneypot.org/ip_46.4.55.55

Then checked on associated IP, 136.144.41.200 -

https://www.abuseipdb.com/check/136.144.41.200

https://www.psbl.org/listing?ip=136.144.41.200

https://multirbl.valli.org/detail/score.spfbl.net.html

https://maltiverse.com/ip/136.144.41.200   

https://www.shodan.io/host/136.144.41.200

For users with a special interest in the subject of spam:
https://forum.spamcop.net/topic/47073-serverion-spam-factory-review/

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Tests and other Media topics
« Reply #991 on: May 17, 2022, 11:58:05 AM »
Torry.io, the Tor Anonymous View search engine,
random query example: https://tor.torry.io/index.php?q=

Any downcasts in mapping the Tor-driven landscape? Can also be used as an extension inside the Google Chrome browser,
and similar browser types. Whenever the search engine is too good to be true anonymous searching, then it likely is.
Anyone? I see a link to -hs.qacono.com,

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #992 on: May 19, 2022, 07:24:59 PM »
Could this be an alternative to the once WOT service?

Random example: https://www.scamdoc.com/view/877444

pol

Offline polonus

Re: Tests and other Media topics
« Reply #993 on: May 21, 2022, 05:02:21 PM »
Even Sucuri's website scan page does not have best policy CSP.

Issues:
Quote
CSP Validity: Valid
XSS: No CSP Protection
Clickjacking: No CSP Protection
Formjacking: No CSP Protection

Basic CSP Protection
Summary: 11 Fatal Errors, 12 Warnings, 5 Info, 1 Valid

Content Security Policy (CSP):
upgrade-insecure-requests;

General
  • report-uri: Add 'report-uri' directive to receive violation reports. Setup a free report-uri at RapidSec
  • form-action: In order to add Formjacking protection, either 'form-action' or 'base-uri' should be strictly defined. This directive does not fallback to 'default-src'. Can you restrict 'form-action' to 'none' or 'self'?

Necessary Directives
  • default-src: 'default-src' is missing. Add it for more fine-grained control and reporting.
  • base-uri: In order to add Formjacking protection, either 'form-action' or 'base-uri' should be strictly defined. Missing 'base-uri' allows the injection of base tags that set the base URL for all relative URLs. Used in XSS as CSP bypasses on the 'script-src' directive, and in Formjacking attacks - routing forms to an attacker controlled domain. Can you set it to 'none' or 'self'?
  • frame-ancestors: In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined. 'frame-ancestors' directive, is more powerful and flexible than the X-Frame-Options, and considered necessary in order to properly prevent Clickjacking attacks. Can you restrict 'frame-ancestors' to 'none' or 'self'? As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest.
  • upgrade-insecure-requests

Scripting Directives
  • script-src: In order to add XSS protection, 'script-src' should be strictly defined. 'script-src' is missing and recommended to increase XSS protection. Can you set 'none' or a specific file/path?
  • style-src: 'style-src' is missing and recommended to increase general protection. Can you set 'none' or a specific file/path?
  • object-src: Missing 'object-src' allows the injection of plugins which can execute JavaScript. Can you set it to 'none' or 'self'?
  • worker-src: 'worker-src' is missing and recommended to increase overall strength. It specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. Can you set 'none' or a specific file/path?

Frames Directives
  • child-src: In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined. As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest. For backward compatability, both 'child-src' and 'frame-src' should exist in order to protect Clickjacking, Formjacking, Data Exfiltration and more.
  • frame-src: In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined. As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest. For backward compatability, both 'child-src' and 'frame-src' should exist in order to protect Clickjacking, Formjacking, Data Exfiltration and more.

Content Directives
  • img-src: In order to add general protection, either 'img-src' or 'connect-src' should be strictly defined. 'img-src' is missing. Add it for more fine-grained control and reporting.
  • connect-src: In order to add general protection, either 'img-src' or 'connect-src' should be strictly defined. 'connect-src' is missing. Add it for more fine-grained control and reporting.
  • font-src: 'font-src' is missing. Add it for more fine-grained control and reporting.
  • manifest-src: 'manifest-src' is missing. Add it for more fine-grained control and reporting.
  • media-src: 'media-src' is missing. Add it for more fine-grained control and reporting.
  • prefetch-src: 'prefetch-src' is missing. Add it for more fine-grained control and reporting.

Source: CSP Scanner Chrome extension info...

polonus
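
Added example, not part of the original post and not the scanner's own code: a small Node.js audit that shows why the quoted policy (`upgrade-insecure-requests;`) leaves every directive in the report uncovered, and which directives a `default-src` would or would not cover. The function and constant names are hypothetical, the fallback chains follow CSP Level 3, and the stricter policy is constructed for comparison.

```javascript
// Added example: which directives does a CSP leave uncovered?
// Function and constant names are hypothetical; directive names are standard CSP.

// Directives that never inherit from default-src.
const NO_FALLBACK = ['base-uri', 'form-action', 'frame-ancestors'];

// Fetch directives and the chain consulted when they are absent (CSP Level 3).
const FALLBACK = {
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'object-src': ['default-src'],
  'img-src': ['default-src'],
  'connect-src': ['default-src'],
  'font-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};

// Parse "name v1 v2; name v1" into Map(name -> [values]); first duplicate wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Return { uncovered: [names], inherited: { name: directiveItFallsBackTo } }.
function auditCsp(policy) {
  const set = parseCsp(policy);
  const uncovered = NO_FALLBACK.filter((n) => !set.has(n));
  const inherited = {};
  for (const [name, chain] of Object.entries(FALLBACK)) {
    if (set.has(name)) continue;
    const via = chain.find((n) => set.has(n));
    if (via) inherited[name] = via;
    else uncovered.push(name);
  }
  return { uncovered, inherited };
}

// The policy quoted in the scan, and a constructed stricter policy.
const scanned = auditCsp('upgrade-insecure-requests;');
const strict = auditCsp(
  "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'"
);
console.log(scanned.uncovered, strict.uncovered, strict.inherited);
```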

Offline polonus

Re: Tests and other Media topics
« Reply #994 on: May 22, 2022, 11:56:25 AM »
Tested forum.avast.com at The Markup,
and no tracking found, but user data are being sent to Google Analytics.
Adblockers will block this.

See: https://themarkup.org/blacklight?url=forum.avast.com

Site is non-indexable, links on the page are followed.
No unsafe content being detected, no iframe redirections, no encoded JS,
no external domain requests, no trackers.

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #995 on: June 07, 2022, 02:42:57 PM »
Sometimes one has to combine resources, like here on this Crimson RAT Malware:
https://urlhaus.abuse.ch/url/2228451/  and  https://any.run/malware-trends/crimson
and https://www.shodan.io/host/64.188.25.143
This while only 3 vendors detect this here: https://www.virustotal.com/gui/url/022eb1cfa39cf0b2f63fef31c878545716b766c2cd37d59d61e8cc93d876259e
Blacklisted by McAfee: https://sitecheck.sucuri.net/results/64.188.25.143/day.txt
All this abuse despite a very strict abuse policy from -static.quadranet dot com.
Not yet reported here, but similar to spam and scam reported for this IP:
https://www.abuseipdb.com/check/64.188.2.110 @ quadranet dot com.


polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #996 on: June 13, 2022, 12:26:49 AM »
« Last Edit: June 13, 2022, 12:31:39 AM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #997 on: June 18, 2022, 06:07:17 PM »
And again we have lost some fine initiative for checking on Bad IPs at -https://ip-46.com/feeds
as that service was discontinued quite recently, a site where I personally reported many a bad IP feed.

We still have this (random example): https://www.abuseipdb.com/check/82.174.251.216
and various other resources, but we have lost quite some valuable evaluation resources over time,
also because these resources came under continuous attack from malcreants-cybercriminals
or they did not get the support to pay for the "wires" and server-service. A pity really.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #998 on: June 18, 2022, 09:45:18 PM »
Here we will take scan results from three different scan sources.

On the malcode detection of Remcos RAT: https://urlhaus.abuse.ch/url/2243687/

Then the according VT report: https://www.virustotal.com/gui/url/6f4bf2ffc13b812ff7cc353c8e6d310c038e9ea2fc38ce026d9807e3363df782
with three AV vendors flagging this malcode.

This website loads trackers on your computer that are designed to evade third-party cookie blockers.
Canvas fingerprinting was detected on this website. This technique is designed to identify users even if they block third-party cookies. It can be used to track users' behavior across sites. This technique was used by six percent of popular sites when we scanned them in September 2020.

Blacklight detected a script loaded from filebin.net doing this on this site.

It secretly draws the following image on your browser when you visit this website for the purpose of identifying your device.

However...https://themarkup.org/blacklight?url=filebin.net ->
While Blacklight accurately detects the presence of canvas fingerprinting on a website, it cannot determine if the purpose is user behavior monitoring or for fraud prevention or bot detection.

pol

Offline polonus

Re: Tests and other Media topics
« Reply #1000 on: June 19, 2022, 04:38:59 PM »
Blacklisted and 8 vendors flag:
https://urlhaus.abuse.ch/url/2244605/
See: https://whatismyip.live/blacklist-check
Blacklist Status for your IP: 42.239.97.158
Blacklist          Description         Status
dnsbl.spfbl.net    DNSBL SPFBL List    Listed
red.uribl.com      URIBL red           Listed
grey.uribl.com     URIBL grey          Listed
black.uribl.com    URIBL black         Listed
multi.uribl.com    URIBL multi         Listed
-> https://www.virustotal.com/gui/url/ecf4af28e2e9081ecbf2699669cdcd4c99230ac83576d52f096a81ccf918dc6a/community

Abuse on China's backbone (general information)  https://www.shodan.io/host/42.239.97.158

Top Hacker: https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/39664/top-hacker-hn-kd-ny-adsl

and how he plays a role in China's attempts to block tor (scanning for tor bridges) and other abuse:
https://dontai.com/wp/2016/06/08/hn-kd-ny-adsl-research-ban/

Completely missed here: https://blacklistchecker.com/check?input=42.239.97.158
Flagged here: https://www.blacklistmaster.com/check?t=42.239.97.158  (given on 3 lists).

polonus
« Last Edit: June 19, 2022, 04:53:12 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #1001 on: June 21, 2022, 10:32:24 PM »
See how Google Chrome makes user tracking through installed extensions possible.

This can be achieved via web-accessible-resources.
Secret tokens of extensions cannot hide from a specific timing method that reveals their existence;
the more extensions installed, the more precise and unique your user browser fingerprint will be.

https://developer.chrome.com/docs/extensions/mv3/manifest/web_accessible_resources/

Firefox browser is not vulnerable to this sort of user tracking.

Scan here: https://z0ccc.github.io/extension-fingerprints/

Test here: https://coveryourtracks.eff.org/kcarter?aat=1   (for other browser-tracking methods)
Most characteristics are derived via JavaScript, a decent script blocker of sorts is a must nowadays,
as most monoculture browsers come as user tracking tools par excellence.

polonus
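
Added example, not part of the original post and not code from Chrome or the linked scanner: a Node.js check an extension author or reviewer can run over a manifest to see which `web_accessible_resources` entries are exposed to arbitrary websites. `auditManifest` and `BROAD_MATCHES` are hypothetical names and the manifest is a constructed sample; the manifest keys are the ones documented on the linked Chrome page.

```javascript
// Added example: flag manifest entries that any website can probe.
// auditManifest and BROAD_MATCHES are hypothetical names; the manifest is constructed.

const BROAD_MATCHES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Return one finding per web_accessible_resources entry exposed to arbitrary sites.
function auditManifest(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === 'string') {
      // Manifest V2 form: a bare path, loadable from every origin.
      findings.push({ resources: [entry], reason: 'MV2 entry, exposed to all origins' });
      continue;
    }
    const broad = (entry.matches || []).filter((m) => BROAD_MATCHES.has(m));
    if (broad.length === 0) continue; // limited to named sites or extension_ids
    // With use_dynamic_url the resource URL uses a per-session ID, not the fixed extension ID.
    if (entry.use_dynamic_url === true) continue;
    findings.push({ resources: entry.resources || [], reason: `matches ${broad.join(', ')}` });
  }
  return findings;
}

// Constructed Manifest V3 sample.
const sampleManifest = {
  manifest_version: 3,
  name: 'Sample extension',
  web_accessible_resources: [
    { resources: ['img/logo.png'], matches: ['<all_urls>'] },
    { resources: ['inject.js'], matches: ['https://example.com/*'] },
    { resources: ['panel.html'], matches: ['*://*/*'], use_dynamic_url: true },
  ],
};
const sampleFindings = auditManifest(sampleManifest);
console.log(sampleFindings);
```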

Offline polonus

Re: Tests and other Media topics
« Reply #1003 on: July 03, 2022, 06:36:00 PM »
Other fine resources to check suspicious IP against:
https://cleantalk.org/blacklists/23.133.8.3  (random tor-address example given)

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #1004 on: July 08, 2022, 08:13:33 PM »
Observed activity, but only one vendor to flag ....
Re: https://viz.greynoise.io/ip/223.205.232.52
On IP address: https://db-ip.com/223.205.232.52
1 security vendor flags it: https://www.virustotal.com/gui/ip-address/223.205.232.52/detection
Nothing here while there is vulnerable & abusable SMBv1 there:
https://cleantalk.org/blacklists/223.205.232.52

pol