Topic: Website recently infested, cleansed, and still with vulnerable CMS....


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Do not visit the website, as it may have content of a nature that you might not feel comfortable with (gay horror).

Briefly, this site was infested with an SE-visitor redirect to a pharma-spam site (now cleansed; two days ago the
main domain site was infested, and it is now redirecting to a cleansed www address).

SE visitors redirects
Visitors from search engines were redirected
to: -http://top-24h-can-store.com/redirect.php?z=vi*gr*
359 sites are/were infected with redirects to this URL

This was GoDaddy abuse:

CMS: WordPress version 4.3.6
Version does not appear to be the latest (4.6) - update now

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.

contact-form-7 3.9.1   latest release (4.5) Update required
http://contactform7.com/
Plugins are a source of many security vulnerabilities within WordPress installations; always keep them updated to the latest version available and check the developer's plugin page for information about security-related updates and fixes.

Retirable jQuery:
-http://damianserbu.com
Detected libraries:
jquery-migrate - 1.2.1 : -http://www.damianserbu.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://www.damianserbu.com/wp-includes/js/jquery/jquery.js?ver=1.11.3
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code

Insecure Website: 33% of the trackers on this site could be protecting you from NSA snooping. Tell damianserbu.com to fix it.

All trackers
At least 3 third parties know you are on this webpage.

 -shaaaaaaaaaaaaa.com
 -www.damianserbu.com
-damianserbu.com  -damianserbu.com

Tracker could be tracking safely if this site was secure.

polonus (volunteer website security analyst and website error-hunter)



Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #1 on: September 24, 2016, 06:58:46 PM »
Another example of a website cleansed of SE redirect infection and still with security issues =
Re: -https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.axiscorner.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.axiscorner.com%2F
Retirables: -http://www.axiscorner.com/
Detected libraries:
jquery - 53b59bc8 : -http://www.axiscorner.com/assets/53b59bc8/jquery.js?v=1472966858
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 2.1.4 : (active1) -http://www.axiscorner.com/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code

Info proliferation: The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Apache/2.4.23
X-Powered-By: PHP/5.5.37
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Re: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fwww.axiscorner.com%2F

Results OK A-Status: https://sritest.io/#report/7d98b50b-8f95-4a33-b299-55c77801c34d

GoDaddy hosting bad web rep: https://www.mywot.com/en/scorecard/ip-166-62-28-101.ip.secureserver.net?utm_source=addon&utm_content=contextmenu

polonus (volunteer website security analyst and website error-hunter)
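The findings quoted so far in this thread (an outdated WordPress core read from the front page, old jQuery builds loaded from wp-includes, and the Server/X-Powered-By disclosure noted in Reply #1) can all be checked from one captured response. The script below is an added example written for this page; it is not code from any of the scanners linked in the thread. The headers and HTML are a constructed sample, and the "affected below" thresholds in RETIRE_RULES are an assumption made for this example about the retire.js database (the thread's scan also flags jquery-migrate 1.2.1, which the table deliberately leaves out); verify them against that database before relying on them.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of a captured front-page response; not a real site.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.23",
    "X-Powered-By": "PHP/5.5.37",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.3.6" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.3"></script>
<script src="/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1"></script>
<script src="/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.9.1"></script>
</head><body></body></html>"""

# Illustrative "affected below" thresholds for the two jQuery advisories the
# thread's scans cite.  ASSUMPTION: these are this example's recollection of the
# retire.js database; check retirejs/retire.js on GitHub before relying on them.
RETIRE_RULES = {
    "jquery": [
        ("1.9.0", "selector interpreted as HTML, jQuery ticket 11290"),
        ("3.0.0", "third-party CORS request may execute script, jQuery issue 2432"),
    ],
}

# Matches jquery.js, jquery.min.js, jquery-1.11.3.min.js, jquery-migrate.min.js ...
LIB_FILE = re.compile(r"/(jquery(?:-migrate)?)(?:-(\d+(?:\.\d+)*))?(?:\.min)?\.js$")


def parse_version(text):
    """'1.11.3' -> (1, 11, 3); tuples compare correctly where strings would not."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def script_sources(html):
    """Every src= attribute of a <script> tag in the page."""
    return re.findall(r"""<script[^>]+src=["']([^"']+)["']""", html, re.I)


def identify_library(src):
    """Return (name, version) for a jQuery-family script URL, else None.
    The version comes from a '-1.2.3' filename suffix or, as WordPress does it,
    from the ?ver= query parameter."""
    url = urlparse(src)
    m = LIB_FILE.search(url.path)
    if not m:
        return None
    name, version = m.group(1), m.group(2)
    if version is None:
        version = parse_qs(url.query).get("ver", [None])[0]
    return name, version


def audit(headers, html, latest_wp):
    """List human-readable findings for one captured response."""
    findings = []
    server = headers.get("Server", "")
    if "/" in server:  # 'Apache/2.4.23' carries a version; plain 'Apache' does not
        findings.append(f"Server header discloses a version: {server}")
    if "X-Powered-By" in headers:
        findings.append(f"X-Powered-By header discloses the platform: {headers['X-Powered-By']}")
    gen = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', html)
    if gen and parse_version(gen.group(1)) < parse_version(latest_wp):
        findings.append(f"WordPress {gen.group(1)} is older than {latest_wp}")
    for src in script_sources(html):
        lib = identify_library(src)
        if not lib or lib[1] is None:
            continue
        name, version = lib
        for below, issue in RETIRE_RULES.get(name, []):
            if parse_version(version) < parse_version(below):
                findings.append(f"{name} {version} (below {below}): {issue}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS, SAMPLE_HTML, latest_wp="4.6"):
        print(line)
```

On the constructed sample this reports the two disclosing headers, the outdated core, and jquery 1.11.3 against the 3.0.0 threshold only; jquery 1.11.3 is not below 1.9.0, so ticket 11290 is correctly not raised for it. Pass the real latest release as `latest_wp`, since the example does not look it up.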

Offline polonus

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #2 on: September 24, 2016, 07:11:49 PM »
Found some 'yii javascript module' errors in code from this uri:  http://www.axiscorner.com/cdn/js/core.js?v=1459005112
Went over the script there with a JavaScript unpacker..... and stumbled upon these code hiccups/errors...
Quote
found JavaScript
     error: line:4: SyntaxError: missing } in compound statement:
          error: line:4: move(); } }) }); } return pub; })(jQuery); jQuery(document).ready(function () { yii.initModule(yii); });
          error: line:4: ...^
  Change single-line (//) to multi-line comments (/** **/); several close braces (}) are missing - HTML backend content causing the error.
Info credits: Stack Overflow's MarcoK.

polonus

Offline polonus

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #3 on: December 04, 2016, 10:38:40 PM »
Also an ongoing pharma-spam redirect campaign: http://killmalware.com/dotpattern.com/#
Likely a .htaccess file hack: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fdotpattern.com&ref_sel=GSP2&ua_sel=ff&fs=1
IP abuse: https://cymon.io/72.167.232.77
Many script files that we would rather see blocked (adware): http://retire.insecurity.today/#!/scan/b770b0baeba3d46d54616c5d03881e5c217289cf6690934cc2a45eb3d2b8ce9d
like for instance -http://www.jdoqocy.com/placeholder-5171634?target=_blank&mouseover=N

polonus
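Reply #3 attributes the search-engine redirect to an .htaccess hack. When cleaning such a site, the rule a defender wants to find is a rewrite that sends visitors off-site only when the referer (or user agent) names a search engine, which is exactly why the owner never sees it. The following is an added example written for this page, not code from any tool linked in the thread; it audits a constructed .htaccess whose hosts are placeholders and flags off-site redirects, rating search-engine-gated ones higher.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess: the standard WordPress block, two legitimate
# redirects, and a conditional off-site redirect of the kind the thread
# describes.  The hosts are placeholders, not sites from this thread.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# canonical-host redirect: stays on the site, should not be flagged
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
# page moved to a sister site: off-site but unconditional, worth a review
Redirect 301 /old-blog https://blog.example.org/
# only visitors arriving from a search engine are sent away
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn)\. [NC]
RewriteRule ^(.*)$ http://spam-redirect.invalid/redirect.php?z=1 [R=301,L]
"""

ABS_URL = re.compile(r"https?://[^\s\]]+")
SE_TERMS = re.compile(r"google|bing|yahoo|msn|yandex|baidu|duckduckgo|googlebot|bingbot", re.I)
CLIENT_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")
REDIRECTORS = ("rewriterule", "redirect", "redirectmatch", "redirectpermanent", "redirecttemp")


def audit_htaccess(text, site_host):
    """Return off-site redirects found in an .htaccess, each as a dict with the
    line number, target host, severity ('high' when gated on a search-engine
    referer/user agent, otherwise 'review') and a reason."""
    findings = []
    pending = []  # RewriteCond (variable, pattern) pairs awaiting the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
            continue
        if directive not in REDIRECTORS:
            continue
        # mod_rewrite conditions only govern the RewriteRule that follows them;
        # mod_alias Redirect directives ignore them entirely.
        conds, pending = (pending, []) if directive == "rewriterule" else ([], pending)
        m = ABS_URL.search(line)
        if not m:
            continue  # relative target: stays on this site
        host = (urlparse(m.group(0)).hostname or "").lower()
        if host == site_host.lower():
            continue
        gated = any(var.strip("%{}").upper() in CLIENT_VARS and SE_TERMS.search(pat)
                    for var, pat in conds)
        findings.append({
            "line": lineno,
            "host": host,
            "severity": "high" if gated else "review",
            "reason": ("off-site redirect applied only to search-engine visitors"
                       if gated else "off-site redirect"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, "www.example.com"):
        print(f"line {f['line']}: [{f['severity']}] {f['reason']} -> {f['host']}")
```

On the sample, the canonical-host rule is ignored because its target is the site itself, the sister-site Redirect is listed for review, and the referer-gated rule is rated high. Run it against every .htaccess in the web root, not only the top-level one, since the same rule can be dropped into any subdirectory.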

Offline polonus

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #4 on: December 12, 2016, 04:16:09 PM »
That SE redirect campaign goes on - Update: SE visitors redirects
Visitors from search engines are redirected
to: htxp://top-24h-can-store.com/redirect.php?z=vi*gr*
474 sites infected with redirects to this URL
-> https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fopticalarchitects.com&ref_sel=GSP2&ua_sel=ff&fs=1

On the IP: https://www.threatcrowd.org/ip.php?ip=188.121.59.128
and https://cymon.io/188.121.59.128   -> http://db.aa419.org/fakebanksview.php?key=67660

polonus

Offline polonus

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #5 on: December 16, 2016, 04:14:10 PM »
SE-redirect campaign still continuing: http://killmalware.com/earthscape.co/#

Insecure WordPress CMS: WordPress version 3.6.1
Version does not appear to be the latest (4.7) - update now.

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.

contact-form-7 3.4.1   latest release (4.6) Update required
http://contactform7.com/

Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.

ID   User    Login
1    admin   admin
2            None
It is recommended to rename the admin user account to reduce the chance of brute-force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled, it is usually possible to enumerate all users within a WordPress installation.

2 vuln. jQuery libraries detected: http://retire.insecurity.today/#!/scan/1d64178d6988b08b8b2575eba311d337e6fa21560304770368a916d65f6fd657

F-F-X status: https://observatory.mozilla.org/analyze.html?host=www.earthscape.co

This seems OK -> A-status: https://sritest.io/#report/68acab79-cc09-4090-a512-67e6440df5e7

Insecure IDs tracking:

50% of the trackers on this site could be protecting you from NSA snooping. Tell earthscape.co to fix it.

All trackers
At least 2 third parties know you are on this webpage.

-ajax.googleapis.com  -Google
-www.earthscape.co


polonus
« Last Edit: December 16, 2016, 04:19:21 PM by polonus »

Offline TrueIndian

  • Poster
  • *
  • Posts: 433
Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #6 on: December 16, 2016, 04:33:03 PM »
Godaddy again:
http://urlquery.net/report.php?id=1481901911407

Killmalware reports search engine redirects. However, this site has a suspicious plugin:
http://zulu.zscaler.com/seen/6bc86ff0162785f1c6b06e006f6d4363-1481901905

ASN 26496 (GoDaddy) has risk 50.0   

Scan of the html data:
https://virustotal.com/en/file/5d9507106e545660f0ead3537c67bb1ae5772a5f9d3b3b2db09331b1bf343e4c/analysis/

Not advisable to visit the site without NoScript. There might be other redirect plugins.

Thanks,
TI.

Offline TrueIndian

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #7 on: December 16, 2016, 04:41:05 PM »
Did some detective work on the plugin; the cross-site scripting scanner reports:
Quote
The page you are trying to analyse is trying to redirect you to the following address:

hxtp://top-24h-can-store.com/redirect.php?z=viagra

The plugin reported by Zscaler is the redirector:
Code:
hxtp://www.earthscape.co/wp-includes/js/jquery/jquery.js?ver=1.10.2
« Last Edit: December 16, 2016, 04:45:52 PM by TI199 »

Offline polonus

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #8 on: December 16, 2016, 04:52:29 PM »
Hi TI199,

Q.E.D., quod erat demonstrandum, what was to be demonstrated:
SE redirect OK, or, as we detected, rather not OK, but then assisted by the workings of ajax.googleapis.com
(50% insecure tracking detected, and I wonder how far this is unprotected or protected by same-origin?).
-> http://retire.insecurity.today/#!/scan/1d64178d6988b08b8b2575eba311d337e6fa21560304770368a916d65f6fd657

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: December 16, 2016, 04:54:13 PM by polonus »

Offline polonus

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #9 on: December 16, 2016, 04:58:23 PM »
Hi TI199,

Even in the everyday digital world we see we are gliding more and more into the dark side of Kali demon, my good friend.
All that we see is not what it seems and it is certainly so, when analyzing code.  :-[

polonus

Offline TrueIndian

Re: Website recently infested, cleansed, and still with vulnerable CMS....
« Reply #10 on: December 16, 2016, 05:02:47 PM »
Quote
Hi TI199,

Even in the everyday digital world we see we are gliding more and more into the dark side of Kali demon, my good friend.
All that we see is not what it seems and it is certainly so, when analyzing code.  :-[

polonus

I would agree with you. There is more than meets the eye. Thanks for the analysis. Surely, that plugin is bad. But I hope we can beat them together. Side by side!!  :) 8)

Yours truly,
TI (True Indian).