Author Topic: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell (Read 1880 times)

polonus · « **on:** August 04, 2015, 03:57:56 PM »

Flagged: https://www.virustotal.com/nl/url/aa699cd757418ca99a37e81d8a97c79da4b33060cc14612f38c6983680bbeb03/analysis/1438695275/
/2015/07/how-to-choose-best-wordpress-hosting.html
Severity:   Potentially Suspicious
Reason:   Detected potentially suspicious content.
Details:   Detected hidden call to unescape.
File size[byte]:   62955
File type:   HTML
Page/File MD5:   104A0C4E8EDD29D6E11F9303057E7E71
Scan duration[sec]:   0.574000
Missed completely here: https://sitecheck.sucuri.net/results/besthostingtop.blogspot.com#sitecheck-details
and here: http://killmalware.com/besthostingtop.blogspot.com/

Questionable external link to -vassg141.ocsp.omniroot.com -> https://forum.avast.com/index.php?topic=170731.0

Certicate checking from clients1.google.com/ocsp? Issues discussed here: https://trac.torproject.org/projects/tor/ticket/9713

See: http://whois.domaintools.com/blogspot.com
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fbesthostingtop.blogspot.com

And the flagged URI: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fbesthostingtop.blogspot.com%2F2015%2F07%2Fhow-to-choose-best-wordpress-hosting.html

For the suspicious code see attached

polonus (volunteer website security analyst and website error-hunter)

!Donovan · « **Reply #1 on:** August 04, 2015, 04:05:50 PM »

Hi Polonus,

It is a nuisance to see so many websites using jQuery, especially since JavaScript 5.1 (ECMA-262) handles many (if not all) common selectors and event handlers that jQuery uses. It's been around long enough to have full support in all modern browsers (even IE9, sans strict mode), and the extra blob of code formed by jQuery could be removed and replaced with native JavaScript methods and properties that are not only faster, but may also be more secure in some cases.

Donovan

polonus · « **Reply #2 on:** August 04, 2015, 04:36:16 PM »

Hi !Donovan,

You are completely right in your critique. Also often existing JQuery code is not updated nor patched or worse even code is being used that is left (by developers). Complicating factor is that the one JQuery version may be vulnerable or exploitable to some particular threat, while a later or earlier version may not be.

That said the malcode rendered this website more or less useless as we can establich from the tracker tracker report I have attached.

polonus

Pondus · « **Reply #3 on:** August 04, 2015, 05:03:21 PM »

besthostingtop.blogspot.com - code_sample scan
https://www.virustotal.com/en/file/45da9c8cf3fd4b1d8a874ae0dac7a8a3eac528b11f308e03122a9241697a645f/analysis/1438700436/

Norman/BlueCoat Autoadded signature as Decode.A

polonus · « **Reply #4 on:** August 04, 2015, 05:10:28 PM »

Hi Pondus,

Thanks for that one, quite revealing. But a pity we do not have Avast detecting this.
I will be reporting,

polonus

Author Topic: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell (Read 1880 times)

polonus

Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell

!Donovan

Re: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell

polonus

Re: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell

Pondus

Re: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell

polonus

Re: Bad domain: Unknown TLD for 'besthostingtop.blogspot.com' unknown_html_RFI_shell