Topic: A PHISH on an insecure website with WordPress CMS


Posted by: polonus (Avast Überevangelist, malware fighter)
A PHISH on an insecure website with WordPress CMS
« on: June 09, 2019, 02:17:15 PM »
Re: https://urlquery.net/report/cabd2d48-a558-4add-b735-4ad735083762
31 instances of PHISHING.

WordPress version: does not appear to be the latest
See: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lmt0bXN0dSNbXS5wbA%3D%3D~enc

16 direct threats: https://app.upguard.com/#/ktmstudio.pl/images/wp-admin/index.html

DOM-XSS issues: results from scanning URL: -http://www.ktmstudio.pl/wp-content/themes/monstroid2/assets/js/jquery.ui.totop.min.js?ver=1.2.0
Number of sources found: 41
Number of sinks found: 17
& results from scanning URL: -http://www.ktmstudio.pl/wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js?ver=4.4.6
Number of sources found: 56
Number of sinks found: 10
Site blacklisted: https://sitecheck.sucuri.net/results/www.ktmstudio.pl

Outdated Software Detected
PHP under 7.3.1

1 vuln. library detected: https://retire.insecurity.today/#!/scan/b36ce29efbe3fd253be1ebd308dc2853e691f31968cf56a9d1e60914ae6e808b
jquery   1.12.4   Found in -http://www.ktmstudio.pl/wp-includes/js/jquery/jquery.js?ver=1.12.4
Vulnerability info:
Medium   CVE-2015-9251   2432    3rd party CORS request may execute
Medium   CVE-2015-9251   11974   parseHTML() executes scripts in event handlers
Medium   CVE-2019-11358          jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

Detected 110 times during last 30 days: https://checkphish.ai/ip/195.162.24.218
195.162.24.218 · 02.04.2019 [ K ], PL, Scan Attempt: SystemKylosHack-Info. AS48505 Kylos sp. z o.o. (Kylos), Poland, Łódź. Flagged at http://fackers.ru/page/31/

It is not very smart to publish just IP addresses or ranges. It is no secret that many IP addresses are dynamic; therefore, to search for a bully you need data on the date and time of the attack, and preferably an extract from the log file. (Info credits go to Инкогнито.)

Additional IP info can, however, be sought from -VT, Shodan, Censys (account), Netcraft Site Report, urlscan.io/#195.162.24.218 (11 months ago)

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
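As an added example (not part of polonus's post and not jQuery's own source), the JavaScript below shows why retire.js flags the site's jquery.js?ver=1.12.4 for CVE-2019-11358. A stripped-down deep merge in the style of jQuery.extend(true, target, source) before 3.4.0 recurses into a "__proto__" key in attacker-supplied JSON and writes the attacker's properties onto Object.prototype, so every unrelated object suddenly carries them; the second variant adds the guard jQuery 3.4.0 introduced (skip "__proto__") and stays clean. The payload, the isAdmin flag name and the URL triage helper are constructed for illustration; the WordPress ?ver= parameter is only a cache-buster, so the URL check is a hint, whereas retire.js fingerprints the file body.

```javascript
// Added example (not jQuery's source): why retire.js flags jQuery < 3.4.0
// for CVE-2019-11358, and what the 3.4.0 fix does.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Deep merge in the spirit of jQuery.extend(true, target, source) before 3.4.0.
// It recurses into every own key of source, including "__proto__".
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const copy = source[key];
    if (isPlainObject(copy)) {
      // For key === "__proto__", target[key] resolves to Object.prototype,
      // so the recursion writes attacker-controlled keys onto every object.
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepExtendVulnerable(existing, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Same merge with the guard jQuery 3.4.0 added: never descend into "__proto__".
function deepExtendSafe(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    if (key === "__proto__" || target === source[key]) continue;
    const copy = source[key];
    if (isPlainObject(copy)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepExtendSafe(existing, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Constructed attacker input: JSON as it might arrive in a request body or a
// plugin's AJAX options. "isAdmin" is a hypothetical flag name for illustration.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Merge the payload with the given function and report whether an unrelated,
// freshly created object now carries the attacker's property.
function pollutes(extendFn) {
  extendFn({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  const hit = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the global side effect
  return hit;
}

function runVulnerable() { return pollutes(deepExtendVulnerable); }
function runSafe() { return pollutes(deepExtendSafe); }

// Retire.js-style triage from a script URL. The WordPress ?ver= parameter is
// only a cache-buster, so this is a hint; retire.js fingerprints the file body.
function versionFromUrl(url) {
  const m = /[?&]ver=(\d+(?:\.\d+)*)/.exec(url);
  return m ? m[1] : null;
}

// Numeric, component-wise comparison (so 3.10.0 is not "less than" 3.4.0).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

function affectedByCve201911358(url) {
  const v = versionFromUrl(url);
  return v !== null && versionLessThan(v, "3.4.0");
}

console.log("vulnerable merge pollutes Object.prototype:", runVulnerable());
console.log("patched merge pollutes Object.prototype:", runSafe());
console.log("jquery.js?ver=1.12.4 in scope for CVE-2019-11358:",
  affectedByCve201911358("http://www.ktmstudio.pl/wp-includes/js/jquery/jquery.js?ver=1.12.4"));
```

The practical check on a site like this one is therefore twofold: confirm the bundled jQuery's real version from the file header rather than the ?ver= string, and audit any code path that deep-merges request-controlled JSON into configuration objects, since that is what turns the library bug into something exploitable.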