Author Topic: This beta bot domain detected?


Offline polonus

  • Avast Überevangelist
  • Posts: 33892
  • malware fighter
This beta bot domain detected?
« on: May 02, 2020, 07:03:29 PM »
Re: url = -ozz.su/encode/login.php
IP: -45.10.88.69 See: https://www.virustotal.com/latest-scan/http://ozz.su/encode/login.php
where 4 engines detect it. -http://ozz.su/encode/login.php is in Dr.Web's malicious sites list!
See also: https://domainwat.ch/site/ozz.su
IP relation recent detections: https://www.virustotal.com/gui/ip-address/45.10.88.69/relations
On IP hoster: https://www.shodan.io/host/45.10.88.69
nginx services:

| http-ls: Volume /
|   maxfiles limit reached (10)
| SIZE  TIME              FILENAME
| -     2020-05-01 20:55  __MACOSX/
| -     2020-04-18 15:32  __MACOSX/guadox/
| -     2020-04-18 15:43  __MACOSX/h1n1/
| -     2013-12-29 08:27  beta017.1/
| -     2020-02-24 19:01  blackbot/
| -     2015-03-12 03:46  encode/
| -     2020-04-18 15:35  guadox/
| 1.3K  2015-12-16 04:12  guadox/captcha.php
| -     2020-04-13 21:37  guadox/css/
| -     2020-04-13 21:37  guadox/fonts/
|_

Retirable jQuery libraries: https://retire.insecurity.today/#!/scan/b88d43afa01af43f8cff0c9eda2969f654f05c03bd53620003ad68ae22b5d3a8

Links to widget_manager found: -https://jlinkjuice.blogspot.com/

polonus (volunteer 3rd party cold recon website security and website error-hunter)
« Last Edit: May 02, 2020, 07:09:55 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
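The Shodan http-ls listing quoted in the post is the kind of thing a recon analyst triages by hand; below is an added example (not code from the post or from polonus) that parses that exact listing into structured entries, reports that nmap truncated it at its 10-file limit, and flags the paths worth a closer look. The listing string is copied from the post; the watch-list of suspicious name tokens (bot, beta, panel, gate, __macosx, encode) is an assumption of this example, chosen to match what the post calls out, and the "php-exposed" reason simply marks PHP files that a directory listing has disclosed.

```python
"""Parse nmap/Shodan `http-ls` output and flag entries an analyst would triage.

Added example, not code from the forum post. HTTP_LS_SAMPLE is the listing
copied from the post; SUSPICIOUS_TOKENS is an assumed heuristic watch-list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Listing as quoted in the post (Shodan's nmap http-ls script output).
HTTP_LS_SAMPLE = """\
| http-ls: Volume /
|   maxfiles limit reached (10)
| SIZE  TIME              FILENAME
| -     2020-05-01 20:55  __MACOSX/
| -     2020-04-18 15:32  __MACOSX/guadox/
| -     2020-04-18 15:43  __MACOSX/h1n1/
| -     2013-12-29 08:27  beta017.1/
| -     2020-02-24 19:01  blackbot/
| -     2015-03-12 03:46  encode/
| -     2020-04-18 15:35  guadox/
| 1.3K  2015-12-16 04:12  guadox/captcha.php
| -     2020-04-13 21:37  guadox/css/
| -     2020-04-13 21:37  guadox/fonts/
|_
"""

# Assumed watch-list (example heuristic only): substrings that commonly name
# botnet panel builds or zip/macOS debris left behind in a web root.
SUSPICIOUS_TOKENS = ("bot", "beta", "panel", "gate", "__macosx", "encode")

# One listing row: "| <size> <YYYY-MM-DD> <HH:MM> <name>"; header rows and the
# "maxfiles" note fail the date pattern and are skipped.
ENTRY_RE = re.compile(
    r"^\|\s+(?P<size>\S+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2})\s+(?P<name>\S+)$"
)


@dataclass
class Entry:
    size: Optional[str]  # None for directories ("-" in the listing)
    timestamp: str       # "YYYY-MM-DD HH:MM" as printed by nmap
    name: str
    is_dir: bool


def parse_http_ls(text: str) -> List[Entry]:
    """Return the file/directory rows of an http-ls block, in listing order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size = m.group("size")
        name = m.group("name")
        entries.append(Entry(
            size=None if size == "-" else size,
            timestamp=f"{m.group('date')} {m.group('time')}",
            name=name,
            is_dir=name.endswith("/"),
        ))
    return entries


def listing_truncated(text: str) -> bool:
    """True when nmap stopped early, i.e. the web root holds more than shown."""
    return "maxfiles limit reached" in text


def flag_entries(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Pair each suspicious entry with the reasons it was flagged."""
    flagged: List[Tuple[str, List[str]]] = []
    for e in entries:
        lowered = e.name.lower()
        reasons = [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]
        if not e.is_dir and lowered.endswith(".php"):
            reasons.append("php-exposed")  # server-side file disclosed by listing
        if reasons:
            flagged.append((e.name, reasons))
    return flagged


if __name__ == "__main__":
    rows = parse_http_ls(HTTP_LS_SAMPLE)
    print(f"{len(rows)} entries, truncated={listing_truncated(HTTP_LS_SAMPLE)}")
    for name, why in flag_entries(rows):
        print(f"  {name:24s} {', '.join(why)}")
```

Because `listing_truncated` is true for this host, the ten rows are only the first page of what the open listing exposes; an analyst would pull the full index directly rather than trust the Shodan excerpt as complete.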

Offline polonus
Re: This beta bot domain detected?
« Reply #1 on: May 05, 2020, 01:43:30 PM »
A Betabot analysis: https://www.hybrid-analysis.com/sample/26bf53dce1387952603dd95556827be14791fb879396f26a1b366e1b24f8246f?environmentId=100
On that IP: https://www.shodan.io/host/173.249.6.41
On relations of that IP detected: https://www.virustotal.com/gui/ip-address/173.249.6.41/relations
Domain only detected by Bitdefender's TrafficLight: https://www.virustotal.com/gui/url/e0df2287a963ec26b74c590e805320e0270c7dbf7e03bdb2ca65565908acebfb/detection
Now given as clean, because it is kicking up an error: HTTP ERROR 503
Error: Access is denied to chrome:// and Chrome Store pages
Has migrated here: https://www.shodan.io/host/195.20.54.15
Proxy Error
The proxy server received an invalid response from an upstream server. (-http://domain.dot.tk/p/?d=SKYDA.ML&i=85.149.115.163&c=31&ro=0&ref=unknown&_=1588678550114)
The proxy server could not handle the request GET /p/.
Reason: Error reading from remote server
Vulnerable: Bootstrap, script - 3.3.7
Site marked as untrustworthy by Avast Web Security.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)