Author Topic: Redirecting malware through a sedoparking website...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Redirecting malware through a sedoparking website...
« on: May 28, 2020, 11:37:33 PM »
3 engines detect this already: https://www.virustotal.com/gui/url/0b0fcbf408ad68e49314ce41455d8cea8c417600e21de22e4b846b40b5beae9a/detection
and there is more where that came from at SEDO GmbH:
https://www.virustotal.com/gui/ip-address/91.195.240.126/relations
Even abuse-ransomware.csv.

Starting from -webordermanager.com -> found at Malware Domain List (now sedoparked) ->
Re: https://sitecheck.sucuri.net/results/https/img.sedoparking.com/js/jquery-1.11.3.custom.min.js
Number of sources found: 302
Number of sinks found: 5

While uBlock Origin blocks this URI -http://webordermanager.com//search/portal.php? for me.
Consider: https://www.shodan.io/search?query=http%3A%2F%2Fwebordermanager.com%2F%2Fsearch%2Fportal.php%3F

and results from scanning URL: -https://img.sedoparking.com/js/jquery-1.11.3.custom.min.js (given the all green):
Number of sources found: 27
Number of sinks found: 17
&
Results from scanning URL: -https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Number of sources found: 42
Number of sinks found: 0  (1 medium vulnerability -> https://snyk.io/vuln/npm:bootstrap )
&
Results from scanning URL: -https://code.jquery.com/jquery-3.3.1.min.js
Number of sources found: 34
Number of sinks found: 15
&
Results from scanning URL: -https://use.fontawesome.com/releases/v5.8.1/js/all.js
Number of sources found: 34
Number of sinks found: 11

Reverse look-up -> redirector-sjl.enom dot com using AIX IFS Vulnerability to get domains to set up mail addresses.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

« Last Edit: May 29, 2020, 12:47:45 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Redirecting malware through a sedoparking website...
« Reply #1 on: May 30, 2020, 02:02:53 AM »
See
Quote
<html class="wf-roboto-n3-active wf-roboto-n4-active wf-roboto-n5-active wf-active">

<head>
    <link rel="stylesheet" href="-https://fonts.googleapis.com/css?family=Roboto:300,400,500" media="all">
    <link rel="stylesheet" href="-https://fonts.googleapis.com/css?family=Roboto:300,400,500" media="all">
    <style data-styled="" data-styled-version="4.4.1"></style>
</head>

<body>
    <h1>Hostname not configured</h1>The hostname you requested is not currently configured.</body>
<div class="notranslate" style="position: absolute; top: 0; right:0;" id="vd-root-d19608294"></div>

</html>
fonts: ROBOTO-Medium

Server: https://publicwww.com/websites/%22Server:%20CFS+0215%22/  -> https://www.shodan.io/search?query=Server%3A+CFS+0215  NET::ERR_CERT_COMMON_NAME_INVALID

polonus

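As an added example (not code from polonus, Sedo, or any scanner named in the thread): a small Python triage helper that flags a fetched page body as a parked or unconfigured host, using only the two indicators visible in this thread, the img.sedoparking.com script include and the "Hostname not configured" heading. The sample bodies are constructed (the first is the body quoted in the reply, with the defang dash removed), and the indicator lists are assumptions to extend. The point for a defender is the one the thread raises: old entries on a malware domain list can end up sedoparked, so a blocklist review should recognise a parking page rather than keep treating the domain as a live malware host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator lists are assumptions drawn from this thread only:
# Sedo-parked pages pull scripts from img.sedoparking.com, and an
# unconfigured vhost on that hosting answers "Hostname not configured".
PARKING_SCRIPT_DOMAINS = ("sedoparking.com",)
UNCONFIGURED_HEADINGS = ("hostname not configured",)


class _PageScan(HTMLParser):
    """Collect <h1> text and external <script src> values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.headings = []
        self.script_srcs = []
        self._in_h1 = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "h1":
            self._in_h1 = True
        elif tag == "script" and attrs.get("src"):
            self.script_srcs.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "h1":
            self._in_h1 = False

    def handle_data(self, data):
        if self._in_h1 and data.strip():
            self.headings.append(data.strip().lower())


def _host_matches(url, domains):
    """True if the URL's host is one of `domains` or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_page(html):
    """Return the parking indicators found in the page body, in a fixed order."""
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    reasons = []
    if any(h in UNCONFIGURED_HEADINGS for h in scan.headings):
        reasons.append("unconfigured-vhost")
    if any(_host_matches(src, PARKING_SCRIPT_DOMAINS) for src in scan.script_srcs):
        reasons.append("sedo-parking-script")
    return reasons


# Constructed samples: the first is the body quoted in the reply above (defang dash
# removed), the second mimics a Sedo parking page, the third is an ordinary page.
UNCONFIGURED_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,500" media="all">
</head><body><h1>Hostname not configured</h1>The hostname you requested is not currently configured.</body></html>"""

PARKED_HTML = """<html><head><title>example-parked.invalid</title>
<script src="https://img.sedoparking.com/js/jquery-1.11.3.custom.min.js"></script>
</head><body><h1>example-parked.invalid</h1></body></html>"""

CLEAN_HTML = """<html><head><script src="https://code.jquery.com/jquery-3.3.1.min.js"></script></head>
<body><h1>Order manager</h1></body></html>"""


if __name__ == "__main__":
    for name, doc in (("unconfigured", UNCONFIGURED_HTML),
                      ("parked", PARKED_HTML),
                      ("clean", CLEAN_HTML)):
        print(name, classify_page(doc) or "no parking indicators")
```

Run it over the body returned for each domain on a stale blocklist; entries that come back with an indicator are candidates for review, while an empty list means the page carries none of the two signs and still needs the usual checks (the JS source/sink counts above, for instance).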