Topic: Website with various SE redirects and vulnerable code....
polonus « on: January 09, 2016, 01:50:47 PM »
Bitdefender TrafficLight flags the website as a malware site: htxp://tweeps.us
Quttera detects one suspicious file -> index
Severity: Suspicious
Reason: Detected suspicious redirection to external web resources at HTTP level.
Details: Detected HTTP redirection to -http://clcktrck.net/path/lp.php?trvid=10003%26trvx=3721aa50%26search=detox%20cleanse%20reviews%26smid=DfzfI371aWL71X8fx7N9t5J34kg09eG%26dom=-tweeps.us.
File size[byte]: 0
File type: Unknown
Page/File MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.001000
Detected libraries to be retired:
jquery - 1.7.2 : (active1) -http://tweeps.us
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
backbone.js - 0.9.2 : (active1) -http://tweeps.us
handlebars.js - 1.0.beta.6 : (active1) -http://tweeps.us
Info: Severity: medium
https://github.com/wycats/handlebars.js/pull/68
Info: Severity: medium
https://github.com/wycats/handlebars.js/pull/1083
(active) - the library was also found to be active by running code
2 vulnerable libraries detected
Three XSS attacks exploitable:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Ftweeps.us%2Fcdn-cgi%2Fse%2Fjavascripts%2Fmodernizr.js
Chain of redirects found:
http://killmalware.com/tweeps.us/#
I now get: "The page you are looking for cannot be found". "SmartErrors powered by CloudFlarePrivacy policy".
Unique IDs about your web browsing habits have been insecurely sent to third parties.
ajax.cloudflare.com __cfduid
tweeps.us __cfduid
d5fb79cb4xxxxxxxxxxxxxxxxxx1445965753 local.adguard.com
See Cloudflare abuse for IP:
https://www.virustotal.com/en/ip-address/104.24.103.115/information/
Consider also:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fapi.swiftype.com%2Fapi%2Fv1%2Fpublic%2Fengines%2Fsearch%3Fcallback%3DjQuery17207577266006264836_1452341845795%26q%3D%26engine_key%3DzpEY3X5Wncvrsw2Ab6e2%26_%3D1452341845832
ssl-google-analytics.com code but link to -9b.5b.c0ad.ip4.static.sl-reverse.com was blocked by MBAM as malicious.
See reverse DNS:
http://toolbar.netcraft.com/site_report?url=http://api.swiftype.com
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
polonus « Reply #1 on: February 18, 2016, 11:22:05 AM »
Update - abuse from now parked website.
Given as clean:
http://killmalware.com/tweeps.us/#
&
http://quttera.com/detailed_report/tweeps.us
Checking for cloaking
There is a difference of 6868 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page. provider nor the domain owner maintain any relationship with the advertisers, on the other side consone it.
Scripts
Found 3 unsafe scripts out of 0 script tags
Stylesheets
Found 2 unsafe stylesheets out of 0 stylesheet tags ->
https://sritest.io/#report/a7f4e468-90c0-43af-abba-af76bb64c168
Blocked by ad- and script blockers come:
Script loaded: -http://d32ffatx74qnju.cloudfront.net/scripts/js3caf.js
Script loaded: -http://www.google.com/adsense/domains/caf.js
Script loaded: -http://www.parkingcrew.net/scripts/sale_form.js
Script loaded: -http://www.google-analytics.com/ga.js
polonus
polonus « Reply #2 on: August 31, 2016, 06:55:20 PM »
That campaign seems still alive, recent update:
http://killmalware.com/dearwisead.space/
Re:
https://www.virustotal.com/en-gb/url/41fae95cfdc6f8112eb4d58661ead0ed31bf03cb6c54572359d653d34bf61204/analysis/1438120034/
See:
https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.dearwisead.space&ref_sel=GSP2&ua_sel=ff&fs=1
Typical case of CloudFlare abuse:
http://toolbar.netcraft.com/site_report?url=http://104.31.74.46
address:
https://www.threatminer.org/host.php?q=104.31.74.46
5 issues:
http://mxtoolbox.com/domain/www.dearwisead.space/
polonus (volunteer website security analyst and website error-hunter)
P.S. Also checked this redirect:
https://www.mywot.com/en/scorecard/laboratoriobaldan.com?utm_source=addon&utm_content=rw-viewsc
« Last Edit: August 31, 2016, 06:58:41 PM by polonus »