Author Topic: Website was hacked via bootstrap - now still with vulnerability...  (Read 4072 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
See: http://killmalware.com/platformpro.ru/#  &  http://toolbar.netcraft.com/site_report?url=http://platformpro.ru
Re: -http://platformpro.ru/
Detected libraries:
jquery - 1.11.1 : (active1) -http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Re: Website was hacked via bootstrap - now still with vulnerability...
« Reply #1 on: January 18, 2019, 12:36:14 AM »
Another blacklisted website with a bootstrap.js issue, related to appeum dot net -> https://retire.insecurity.today/#!/scan/decdd5ecc63f46f8bf2388f66bbef4420a36bd9c0d2bee1e2db7b434821dbd95
-> https://urlquery.net/report/19656166-9456-463a-9624-da090475cdc5
blacklisted for js/bootstrap.min.js
See: https://github.com/twbs/bootstrap/issues/20184
-> Results from scanning URL: -http://appeum.com/js/bootstrap.min.js
Number of sources found: 43 ; number of sinks found: 19
The data-target attribute is vulnerable to Cross-Site Scripting attacks.
Existing vulnerabilities in bootstrap according to SNYK: https://snyk.io/vuln/npm:bootstrap
Compare http://jsbin.com/qalekeroke/edit?html,output
see tokenization proposed here: https://bugs.jquery.com/ticket/11290
8 security recommendations: https://webhint.io/scanner/b4146fdc-f6a7-4adb-8e85-a36020220412#Security

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: January 18, 2019, 02:12:41 PM by polonus »

Re: Website was hacked via bootstrap - now still with vulnerability...
« Reply #2 on: January 20, 2019, 10:49:47 PM »
Another instance where bootstrap seems involved. Flagged because of suspicious *.tk domain:
https://urlquery.net/report/45a7829c-fc2a-400a-8a55-6455027a552f

Detections based on IP: https://checkphish.ai/ip/195.20.46.36 (128 instances in last 30 days).

Where found listed: https://cymon.io/195.20.46.244

And on the redirection code on page: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3tiXmh1fG4udGs%3D~enc
Checked: -hxtp://domain.dot.tk/p/?d=WEBCHUAN.TK&i=198.71.230.24&c=1&ro=0&ref=https%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D3%26cad%3Drja%26uact%3D8%26ved%3DNychHGgvN%26url%3Dhttp%253A%252F%252Fwebchuan.tk%26ei%3DdTTUJXxApikvQ1PN3b8%26usg%3D167hRXVc4AeNyFCod33&_=1548020116641

Results from scanning URL: -hxtp://domain.dot.tk/js/searchr.js
Number of sources found: 42 ; number of sinks found: 2

Given as not vulnerable: https://retire.insecurity.today/#!/scan/98c32d5dbab9d187a9a6d031835ac1f370fc42c83ca397597bf1c99ec50bb9b2

Notwithstanding these 4 vulnerabilities: https://snyk.io/test/npm/bootstrap/3.3.7 (outdated version, to be updated to 3.4.0)
While this is inside the code:
Quote
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="htxps://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">

polonus (volunteer website security analyst and website error-hunter)

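As an added defender-side check (not code from the thread or from any of the scanners it links), this Python script does a first-pass version of what the posts above do by hand: it walks a page's script and stylesheet tags, flags CDN-hosted bootstrap/jQuery below the versions the replies mention, flags self-hosted copies whose version the URL cannot reveal, and checks that third-party resources carry a Subresource Integrity attribute like the one quoted above. The version thresholds and the sample HTML are assumptions and constructed input, respectively.

```python
import re
from html.parser import HTMLParser

# Assumed thresholds: bootstrap < 3.4.0 (Snyk link above), jQuery < 1.12 (release post in reply #1)
MIN_SAFE = {"bootstrap": (3, 4, 0), "jquery": (1, 12, 0)}
LIB_RE = re.compile(r"/(bootstrap|jquery)/(\d+(?:\.\d+)*)/", re.I)  # CDN path with version segment
LOCAL_RE = re.compile(r"/(bootstrap|jquery)[^/]*\.(?:js|css)$", re.I)  # self-hosted, version not in URL
SRI_RE = re.compile(r"^sha(?:256|384|512)-[A-Za-z0-9+/]+={0,2}$")  # integrity attribute format

# Constructed sample: the <link> quoted in the thread, the jQuery alias killmalware reported, a local copy
SAMPLE_HTML = """
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
      integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js"></script>
<script src="/js/bootstrap.min.js"></script>
"""

def version_tuple(text):
    return tuple(int(p) for p in text.split("."))

class ResourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, detail, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = (a.get("src") if tag == "script"
               else a.get("href") if tag == "link" and a.get("rel") == "stylesheet" else None)
        if not url:
            return
        m = LIB_RE.search(url)
        if m:
            lib, ver = m.group(1).lower(), m.group(2)
            if version_tuple(ver) < MIN_SAFE[lib]:  # a bare "/jquery/1/" pins only the major
                self.findings.append(("outdated", f"{lib} {ver}", url))
        elif (m := LOCAL_RE.search(url)):  # version must be fingerprinted from content (as retire.js does)
            self.findings.append(("unversioned", m.group(1).lower(), url))
        if url.lower().startswith("http://"):  # loaded in clear: modifiable in transit
            self.findings.append(("insecure-scheme", "", url))
        if url.startswith(("http://", "https://", "//")):  # third-party resource: SRI expected
            integrity = a.get("integrity") or ""
            if not SRI_RE.match(integrity):
                self.findings.append(("missing-sri", integrity, url))
            elif a.get("crossorigin") is None:  # SRI on cross-origin fetches needs CORS mode
                self.findings.append(("missing-crossorigin", "", url))

def scan_html(html):
    scanner = ResourceScanner()
    scanner.feed(html)
    return scanner.findings
```

Running `scan_html(SAMPLE_HTML)` reports the outdated CDN bootstrap, the unpinned and cleartext jQuery alias without SRI, and the self-hosted bootstrap that needs content fingerprinting.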
Re: Website was hacked via bootstrap - now still with vulnerability...
« Reply #3 on: January 21, 2019, 06:44:03 PM »
More bootstrap misery, here detected on this Joomla website: because of a Joomla malware installation alert, the site is being blacklisted:
https://sitecheck.sucuri.net/results/turkeytoday.org

See also: https://urlquery.net/report/99b46003-13a0-4792-be4d-dcc005062d6e

Loaded Resources
Compromised sites will often be linked to malicious javascript or iframes in an attempt to attack users of your WordPress installation. Look over the listed resources; you should be familiar with all scripts and investigate the ones you are not sure of. In addition, removal of unneeded javascript will speed up your website.

-http://turkeytoday.org/installation/index.php
    Status: OK; Load: 574ms; Server: 188.68.51.155 (nginx); ASN: 197540 Germany (netcup GmbH); Reverse DNS: -intracenter.de

-hxtp://turkeytoday.org/A.media,,_jui,,_css,,_chosen.css,,qea92daf5b32f43ae64261db2de9541a4+media,,_jui,,_css,,_bootstrap.min.css,,qea92daf5b32f43ae64261db2de9541a4+media,,_jui,,_css,,_bootstrap-responsive.min.css,,qea92daf5b32f43ae64261db2de9541a4+media,,_jui,,_css,,_bootstrap-extended.css,,qea92daf5b32f43ae64261db2de9541a4+installation,,_template,,_css,,_template.css,,qea92daf5b32f43ae64261db2de9541a4,Mcc.Iwu_HzWkyq.css.pagespeed.cf.AWbXxOxDys.css
    Status: OK; Load: 187ms; Server: 188.68.51.155 (nginx); ASN: 197540 Germany (netcup GmbH); Reverse DNS: -intracenter.de

-http://turkeytoday.org/media/jui/js/jquery.min.js,qea92daf5b32f43ae64261db2de9541a4.pagespeed.jm.29OAZzvhfX.js
    Status: OK; Load: 275ms; Server: 188.68.51.155 (nginx); ASN: 197540 Germany (netcup GmbH); Reverse DNS: -intracenter.de

-http://turkeytoday.org/media/jui,_js,_jquery-noconflict.js,qea92daf5b32f43ae64261db2de9541a4+jui,_js,_jquery-migrate.min.js,qea92daf5b32f43ae64261db2de9541a4+system,_js,_html5fallback.js,qea92daf5b32f43ae64261db2de9541a4+jui,_js,_bootstrap.min.js,qea92daf5b32f43ae64261db2de9541a4+jui,_js,_chosen.jquery.min.js,qea92daf5b32f43ae64261db2de9541a4+system,_js,_core.js,qea92daf5b32f43ae64261db2de9541a4.pagespeed.jc.1znDzhNYqW.js
    Status: OK; Load: 290ms; Server: 188.68.51.155 (nginx); ASN: 197540 Germany (netcup GmbH); Reverse DNS: -intracenter.de

-hxtp://turkeytoday.org/media,_system,_js,_keepalive.js,qea92daf5b32f43ae64261db2de9541a4+media,_system,_js,_punycode.js,qea92daf5b32f43ae64261db2de9541a4+media,_system,_js,_validate.js,qea92daf5b32f43ae64261db2de9541a4+installation,_template,_js,_installation.js,qea92daf5b32f43ae64261db2de9541a4.pagespeed.jc.A7z2gdhyGB.js
    Status: OK; Load: 197ms; Server: 188.68.51.155 (nginx); ASN: 197540 Germany (netcup GmbH); Reverse DNS: -intracenter.de

No Google Safebrowsing alert.

1 retirable jQuery library: https://retire.insecurity.today/#!/scan/b2730c739adb8993201689359cdf96726cabc4186695df06b2bfc6221a3494d7

Results from scanning URL: -http://turkeytoday.org/media/jui/js/bootstrap.min.js?641709a47bd83234771fa78cf61a0250
gives a
Quote
jQuery.noConflict();
but sources and sinks here for the same URL: hxtp://turkeytoday.org/media/jui/js/bootstrap.min.js?641709a47bd83234771fa78cf61a0250
Number of sources found: 5; number of sinks found: 10, and also various in core.js and installation.js
in the Joomla installation package - malware entry warning: https://labs.sucuri.net/db/malware/warning?joomla_install_page.1

polonus (volunteer website security analyst and website error-hunter)

Re: Website was hacked via bootstrap - now still with vulnerability...
« Reply #4 on: January 23, 2019, 02:18:40 AM »
Checking for retirable jQuery code libraries is ongoing.
One also has to look out so as not to miss anything.

Another retirable detected on that same website (found via DrWeb's URL-scanner, credit where credit is due :)): https://retire.insecurity.today/#!/scan/7187586fc2d44df7e5693019bd9efadbcd8530630d21e8eec7986cfba644e704
Re: -http://turkeytoday.org/media/jui/js/jquery.min.js/JSTag_1[c8fd][b28e]
Number of sources found: 41; number of sinks found: 17

polonus