Author Topic: Tests and other Media topics  (Read 584706 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Tests and other Media topics
« Reply #1050 on: March 20, 2023, 03:45:13 PM »
Be aware of malicious IP -> https://www.criminalip.io/en/asset
Either critical or dangerous IP.

Also compare results (random IP example):
https://www.projecthoneypot.org/ip_191.102.153.111

then https://maltiverse.com/ip/191.102.153.111

https://www.virustotal.com/gui/url/81b11697fd251b1b1b4d9ef4583de0f4dd1a08d63386866b930e2d136d260987/details

and here: https://www.malwareworld.com/
Quote
Malicious: true for 35.146.254.16
Type: BadReputation
Location: Lat(37.87085623213167) - Long(-97.78518256324038)
References:
    https://www.maxmind.com/en/high-risk-ip-sample-list
    https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt

polonus
« Last Edit: March 20, 2023, 04:33:52 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Re: Tests and other Media topics
« Reply #1051 on: March 26, 2023, 06:21:21 PM »

Re: Tests and other Media topics
« Reply #1052 on: April 21, 2023, 04:48:28 PM »
Evaluating: https://urlscan.io/result/cbeb3a97-46f1-40e1-ac29-1282dee7f249/#indicators
one of the contacts scanned with Trustpilot:
https://www.trustpilot.com/review/tradepub.com

Found to be safe: https://check.trendmicro.com/page/QuickStart?s=agrdy.com

Avast Online extension detects tracking:
Ad-tracking 1 detected
Webanalysis 1 detected

Also see: https://www.shodan.io/domain/www.tradepub.com

polonus

Re: Tests and other Media topics
« Reply #1053 on: April 22, 2023, 04:41:51 PM »
Not malicious as such, but a WordPress website with 5 vulnerabilities:

https://urlscan.io/result/a35090de-1468-4b6c-abff-e0bc60b85568/

WordPress CMS outdated, outdated plug-ins:
   contact-form-7 5.7.4   Warning   latest release (5.7.5.1)   https://contactform7.com/
   wordpress-seo 20.2   Warning   latest release (20.5)   https://yoa.st/1uj

User Enumeration is not set to disabled.

Not flagged here: https://www.virustotal.com/gui/url/07d830d285a2eefc2c79496894e312b559aa8076ead43f87bf2e83c2d60b8f10?nocache=1

polonus



Re: Tests and other Media topics
« Reply #1054 on: May 14, 2023, 09:32:52 PM »
Analysis of a website could hint at possible vulnerabilities,
see the following scenario, which made me aware of a potential XSS flaw.

I checked and scanned this particular site at https://urlscan.io/ here:
https://urlscan.io/result/7d2197aa-190e-4d94-b841-fa87807f5516/
and then stumbled upon the following cookie via: https://urlscan.io/result/7d2197aa-190e-4d94-b841-fa87807f5516/#behaviour

This website could be open to an XSS attack, read: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1729
because of the -savelife.in.ua/ 1970-01-20 11:57:49 Name: AWSALBCORS cookie (and what change should be applied to prevent this)

polonus (3rd party cold recon website security analyst and website error-hunter)

Re: Tests and other Media topics
« Reply #1055 on: May 16, 2023, 12:05:55 PM »
Fraudulent IP check - below zero is better.

Example: https://www.ip-lookup.org/score/151.101.193.69

A fraud score of 15, certainly too much (check through Netcraft extension and Shodan as well)
https://scamalytics.com/ip/65.55.252.93

Not only for checking IP: https://www.abuseipdb.com/check?query=https%3A%2F%2Fwww.timeloopsolution.com%2F

Another checker: https://www.abuseipdb.com/check?query=https%3A%2F%2Fwww.timeloopsolution.com%2F

Re: https://www.ipvoid.com/ip-blacklist-check/

And detecting those that wanna stay under the detection radar:
Read: https://medium.com/@xianghangmi/resident-evil-understanding-residential-ip-proxy-as-a-dark-service-dea9010a0e29

Use: https://intelx.io/

polonus

Re: Tests and other Media topics
« Reply #1056 on: May 16, 2023, 01:32:44 PM »

Re: Tests and other Media topics
« Reply #1057 on: May 16, 2023, 10:25:20 PM »
Establishing vulnerabilities on a particular website with asserted IP abuse.

Compare various scan results:

https://www.abuseipdb.com/check/46.149.182.124  (random example)
Re: https://www.shodan.io/host/46.149.176.5  (with all vuln. given there )  on that Apache HTTP-server *

No threat in data exchanges - 3 trackers blocked - No restrictions found.

Missing intermediate TLS certificate   running on  Apache 2.4.41, Ubuntu *

CMS: WordPress 6.2.1

Powered by: Unknown  - 4 WordPress issues -

1. outdated CMS,

2.   Plugin   Update Status   About
woocommerce 7.3.0   Warning   latest release (7.7.0)
hxtps://woocommerce.com/

3. 4. User enumeration and directory listing not set to disabled.

Further website config issues
Quote
Protection
No website application firewall detected.
Please install a cloud-based WAF to prevent website hacks and DDoS attacks.

Security Headers
Missing security header for ClickJacking Protection. Alternatively,
you can use Content-Security-Policy: frame-ancestors 'none'.

Missing security header to prevent Content Type sniffing.

Missing Strict-Transport-Security security header.

Missing Content-Security-Policy directive. We recommend to add the following CSP directives
(you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src

Default server banners displayed. Your site is displaying your web server default banners.

Quote info from a Sucuri website scan result.

Strange, as here the IP is given as above board: https://www.ip-lookup.org/score/46.149.176.5

Another source to check with - 4 detect: https://www.criminalip.io/en/asset/report/209.97.181.37

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

« Last Edit: May 18, 2023, 07:14:52 PM by polonus »
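
The header findings in the quoted Sucuri result above can be re-checked locally against any response's headers. This is an added example, not part of the original post or any scanner's code; the function names and sample header sets are constructed, and it goes slightly beyond the quote by applying CSP's fallback rules (base-uri and frame-ancestors do not inherit from default-src).

```python
# Added example: audit response headers for the findings named in the quoted scan.
# Sample header sets are constructed for illustration, not captured from a real site.

# CSP fallback chains: base-uri has none, frame-src falls back via child-src.
FALLBACK = {
    "script-src": ["default-src"],
    "object-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "base-uri": [],
}

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # On duplicate directives the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def covered(policy, directive):
    """True if the directive is set directly or through its fallback chain."""
    return any(d in policy for d in [directive] + FALLBACK[directive])

def audit(headers):
    """Return the list of findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    policy = parse_csp(h.get("content-security-policy", ""))
    findings = []
    # frame-ancestors never inherits from default-src, so check it directly.
    if "x-frame-options" not in h and "frame-ancestors" not in policy:
        findings.append("clickjacking")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("content-type-sniffing")
    if "strict-transport-security" not in h:
        findings.append("hsts")
    findings += ["csp:" + d for d in FALLBACK if not covered(policy, d)]
    # A version number in Server is treated here as a default banner.
    if any(ch.isdigit() for ch in h.get("server", "")):
        findings.append("server-banner")
    return findings

WEAK = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}
DEFAULT_ONLY = {"Server": "Apache", "X-Content-Type-Options": "nosniff",
                "Strict-Transport-Security": "max-age=31536000",
                "Content-Security-Policy": "default-src 'self'"}
HARDENED = dict(DEFAULT_ONLY, **{"Content-Security-Policy":
    "default-src 'self'; base-uri 'self'; frame-ancestors 'none'"})
```

A policy with only default-src still leaves base-uri and clickjacking protection open, which is why DEFAULT_ONLY returns two findings while HARDENED returns none.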

Re: Tests and other Media topics
« Reply #1058 on: May 20, 2023, 05:15:08 PM »

Re: Tests and other Media topics
« Reply #1059 on: June 03, 2023, 02:32:14 PM »
Test your browser here for CSS Exfil Vulnerabilities:
https://www.mike-gualtieri.com/css-exfil-vulnerability-tester

Protect your browser with an extension:
https://chrome.google.com/webstore/detail/css-exfil-protection/ibeemfhcbbikonfajhamlkdgedmekifo

When on Firefox: https://addons.mozilla.org/en-US/firefox/addon/css-exfil-protection/

With the upcoming CSS scanning of everybody online,
certainly worth protecting yourself as best you can,

polonus

Re: Tests and other Media topics
« Reply #1060 on: June 18, 2023, 01:14:17 PM »
Ad tracking link being blocked on:
htxps://thebakermama.com/wp-content/
-> following JS link: hxtps://static.cloudflareinsights.com/beacon.min.js/v52afc6f149f6479b8c77fa569edb01181681764108816

Also: https://urlscan.io/result/5b385e2c-bd39-48dd-92be-0bd87f9c8280/

Privacy Badger blocks 4 trackers. Site = Yoast SEO plug-in optimized.

We are strongly advised by Dr.Web against visiting:
-aax.amazon-adsystem.com listed at:
https://urlscan.io/result/5b385e2c-bd39-48dd-92be-0bd87f9c8280/#indicators

polonus
« Last Edit: June 18, 2023, 01:21:37 PM by polonus »

Re: Tests and other Media topics
« Reply #1061 on: June 25, 2023, 03:12:18 PM »

Re: Tests and other Media topics
« Reply #1062 on: June 28, 2023, 06:58:36 PM »
You would not expect to find the following vulnerabilities on a website like eff dot org, as mentioned here:

Quote
Retire.js
jquery-ui   1.10.2   Found in -https://www.eff.org/files/js/js_x2A4oj9_rCj5CWR_dGMHrobZW14ZVI9ruZKCDG7yyfM.js _____Vulnerability info:
Low   XSS when refreshing checkboxes if usercontrolled data in labels 2101 CVE-2022-31160   
Medium   CVE-2021-41184 XSS in the `of` option of the `.position()` util   12
Medium   CVE-2021-41183 15284 XSS Vulnerability on text options of jQuery UI datepicker   
Medium   CVE-2021-41182 XSS in the `altField` option of the Datepicker widget   12
Medium   CVE-2022-31160 XSS when refreshing a checkboxradio with an HTML-like initial text label   
jquery.datatables   1.10.18   Found in -https://www.eff.org/files/js/js_Q6bf8MyLqauBH0V6N-qDG8KuvtMOI0HbAR9o9acrMQc.js _____Vulnerability info:
Low   possible XSS 2   
High   prototype pollution 3   
Medium   prototype pollution 4   1
jquery   1.12.4   Found in -https://www.eff.org/files/js/js_qd8BaywA4mj4edyGLb52Px4-BwFqScI7dgPymNmaueA.js _____Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   

Re also: https://www.shodan.io/search?query=eff.org

Page-, header- and cookie-security: found no best policies implemented for cache-control, csp, search-block-form headers.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

Re: Tests and other Media topics
« Reply #1063 on: June 28, 2023, 10:13:04 PM »
Another IP detection here: https://urlscan.io/result/389db7e9-b90a-4bce-acb9-dc6ed2d421af/#indicators

Final URL on VT (not reflecting that it is a parked site, see JS file): https://www.virustotal.com/gui/url/ed66488c77223438dbd68d0b4f6ce123e1d75352cadbb7e70997535ba896cebb/details  -> -http://ww1.soureladim.com/js/parking.2.105.7.js

IP blacklisted: https://www.abuseipdb.com/check/199.59.243.223

polonus


Re: Tests and other Media topics
« Reply #1064 on: July 02, 2023, 03:32:23 PM »
Flagged: https://www.abuseipdb.com/check/178.128.165.94  *
Flagged as attack source: https://db-ip.com/178.128.165.94

High Risk: Attack target(s)   Mail, SSH (and other abuse mentioned here *)

polonus