Author Topic: ESET and Fortinet detect this domain with Metamorfo malcode


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: https://www.virustotal.com/gui/url/2ef5cf82209393a5844b756c061bd8454dc8647f721520b025f33c70bc190b88/detection
On that domain https://urlhaus.abuse.ch/host/borawebservicioscl1.com/
Re: https://www.shodan.io/host/187.17.111.35
Not flagged elsewhere: Reputation Check PASSED
Google Safe Browsing: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK
Web Server: Apache
X-Powered-By: None
IP Address: -187.17.111.35
Hosting Provider: Universo Online S.A.
Shared Hosting: 1 site found on -187.17.111.35

Now Spamhaus detects IP: https://www.virustotal.com/gui/ip-address/187.17.111.35/detection

Blacklisted earlier: https://sitecheck.sucuri.net/results/borawebservicioscl1.com/desporto/F0AS2F4AS01FA4.luk

Opens up to DOM-XSS results from scanning URL: -https://powozimiduti.mihanblog.com/
Number of sources found: 4
Number of sinks found: 704
See vulnerabilities on IP-hoster: https://www.shodan.io/host/5.144.133.146
&
on -https://borawebservicioscl1.com/../ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js
Number of sources found: 1
Number of sinks found: 1
with
Quote
Javascript 1   (external 0, inline 1)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

CSS 1   (external 0, inline 1)
INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
« Last Edit: May 06, 2020, 05:03:31 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Re: ESET and fortinet detect this domain...
« Reply #1 on: May 06, 2020, 04:58:27 PM »
Other detections on IP (IP related): https://www.virustotal.com/gui/ip-address/187.17.111.35/relations
and the blog that was found with the DOM-XSS scan:
-mihan.blog is insecure. -Retire.js
Quote
jquery 1.8.2 found in -http://static.mihanblog.com//public/scripts/run/jquery.min.js
Vulnerability info:
Medium   CVE-2012-6708   11290   Selector interpreted as HTML
Medium   CVE-2015-9251   2432    3rd party CORS request may execute
Medium   CVE-2015-9251   11974   parseHTML() executes scripts in event handlers
Low      CVE-2019-11358          jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium                           Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

and
Quote
This website is insecure.
50% of the trackers on this site could be protecting you from NSA snooping. Tell -mihanblog.com to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

-m0 mihanblog.com  mib_lb_id
  Not vulnerable script...but see vuln. on hoster's IP: https://www.shodan.io/host/5.144.133.146

pol
« Last Edit: May 06, 2020, 05:12:36 PM by polonus »
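The Retire.js hit above for CVE-2019-11358 concerns jQuery.extend(true, {}, ...) merging a key literally named "__proto__" into Object.prototype. The block below is an added example, not code from the thread or from jQuery: a small deep-merge written to reproduce that class of bug, placed beside a hardened version that refuses the "__proto__", "constructor" and "prototype" keys. The payload string is constructed for the example, standing in for attacker-controlled JSON (a request body, a URL fragment) that a page feeds into a deep merge.

```javascript
// Added example (not jQuery's code): a deep-merge with the pre-3.4.0
// jQuery.extend(true, ...) weakness (CVE-2019-11358), plus a hardened form.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: recurses into every enumerable key of `source`. When the key is
// "__proto__", target[key] resolves (via the accessor) to Object.prototype,
// so the nested properties are written onto Object.prototype itself and then
// show up on every object in the realm.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepExtendVulnerable(existing, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: skip the keys that can reach a prototype, and only descend into
// a nested object that `target` actually owns (never an inherited one).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const ownNested =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = deepExtendSafe(ownNested ? target[key] : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed payload: what attacker-controlled JSON would look like.
// JSON.parse creates an *own* property named "__proto__" (it does not set the
// prototype), which is exactly what the vulnerable merge then walks into.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs one merge and reports whether an unrelated object picked up `isAdmin`.
// Cleans Object.prototype afterwards so the pollution cannot leak further.
function demo(extend) {
  const victim = {}; // created before the merge, never touched by it
  const cfg = extend({ theme: "light" }, JSON.parse(PAYLOAD));
  const result = {
    theme: cfg.theme,
    victimIsAdmin: victim.isAdmin === true, // true only if Object.prototype was polluted
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log("vulnerable merge:", demo(deepExtendVulnerable));
console.log("hardened merge:  ", demo(deepExtendSafe));
```

Why this matters for a Retire.js finding: the library version alone is the signal; whether a page is actually exploitable depends on whether untrusted JSON reaches a deep merge, and the check above is the one to run against the page's own merge helpers. The "victim" object never sees the payload, yet under the vulnerable merge it reports isAdmin as true, which is the failure mode behind most prototype-pollution-to-privilege-escalation chains.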

Re: ESET and fortinet detect this domain with Metamorfo malcode
« Reply #2 on: May 06, 2020, 05:26:37 PM »
More interlinked from this source: Results from scanning URL: -https://overheaddoormainnumber.net/
Number of sources found: 3
Number of sinks found: 201  - residing on -209-99-64-71.fwd.datafoundry.com (upgrade insecure request)
&
Results from scanning URL: -http://tecnigrav.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 0
Number of sinks found: 3
&
Results from scanning URL: -http://tecnigrav.com/wp-content/plugins/woocommerce-multilingual/res/js/tooltip_init.min.js?ver=4.0.3
Number of sources found: 0
Number of sinks found: 0