Author Topic: Malicious js code not flagged by AOS - gives site an all green?  (Read 1675 times)

Offline polonus

Re: http://killmalware.com/plusfits.com/# http://plusfits.com
Warning: Malicious Code Detected on This Website!
Detected libraries:
jquery-migrate - 1.2.1 : http://plusfits.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.1 : (active1) http://plusfits.com/wp-includes/js/jquery/jquery.js?ver=1.11.1
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

Re: https://sitecheck.sucuri.net/results/plusfits.com

WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 4.6
WordPress Version
4.1.12
Version does not appear to be latest 4.6 - update now.
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.

ID   User   Login
1   admin   admin
2      None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled, it is usually possible to enumerate all users within a WordPress installation.

Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

F-Status: https://observatory.mozilla.org/analyze.html?host=plusfits.com

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: Malicious js code not flagged by AOS - gives site an all green?
« Reply #1 on: August 31, 2016, 11:49:56 PM »
I don't believe that the AOS is even looking for this type of thing.

That would be the web shield as far as I'm aware. What was the old Script Scanning was incorporated into the web shield.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security


Offline polonus

Re: Malicious js code not flagged by AOS - gives site an all green?
« Reply #3 on: September 01, 2016, 10:41:03 AM »
Hi dear Pondus,

But we should check this on the page: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fresources.infolinks.com%2Fjs%2Finfolinks_main.js

Websense ThreatSeeker alerts Malicious site - Has * undefined return value. "When you have a problem that can only be resolved with regular expressions, you actually have two problems - /([^?=&]+)=([^&]*)/g and have your params be (match, key, value)  info credit StackOverflow's Alex.

Original htxp://resources.infolinks.com/js/infolinks_main.js has the "-ib.adnxs.com"-virus

But not given here: https://www.virustotal.com/en-gb/file/48053f4266e32bf38b2bc67aa3c04aa0737c3acee55818e5dcfcc6df720bbd0c/analysis/1472353740/
Anyway, it is an unauthenticated, insecure script being loaded, and related to adware; it should be avoided in WordPress etc.:
http://stackoverflow.com/questions/36898894/how-to-fix-page-trying-to-load-scripts-from-unauthenticated-source
Quote
found JavaScript
     error: undefined function console.log
     error: undefined variable location.search
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var location.search = 1;
          error: line:1: ....^
     info: [element] URL=127.0.0.1/undefined
     info: [element] URL=-ib.adnxs dot com/getuid?%2F%2Frouter.infolinks dot com%2Fdyn%2Fan-usersync%3Fid%3D%24UID *
     info: [decodingLevel=1] found JavaScript
Quote from js unpack validation.
* Page blocked by Dr.Web Link Checker

Dr.Web prevents you from following the advertising link to ensure your privacy. If you still want to follow this link, click the “Open incognito” button. In this case, your browser will open the link in incognito mode. If you do not want to receive such warnings, change the lock level settings of Dr.Web Link Checker.

polonus (volunteer website security analyzer and website error-hunter)

P.S. @ DavidR - When DrWeb URL Checker prevents following that link, then why AOS does not? Puzzling to me this... :D

Damian
« Last Edit: September 01, 2016, 10:44:51 AM by polonus »

Offline DavidR

Re: Malicious js code not flagged by AOS - gives site an all green?
« Reply #4 on: September 01, 2016, 03:38:10 PM »
<snip>
P.S. @ DavidR - When DrWeb URL Checker prevents following that link, then why AOS does not? Puzzling to me this... :D

Damian

I don't believe the AOS scans ahead/proactively like DrWeb URL Checker.

If you cast your mind back to when AVG used to scan URLs in the page you were viewing, it really slowed down browsing. The complaints that generated, I believe, killed that function.