Author Topic: vbs-malware and RAT - weak php involved..  (Read 1156 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
vbs-malware and RAT - weak php involved..
« on: July 12, 2020, 05:10:37 PM »
Where? See: https://urlhaus.abuse.ch/url/411994/ and https://urlhaus.abuse.ch/url/411993/
GData and other engines detect it; does Avast also flag this?

DOM XSS scan results: Results from scanning URL: -http://expdom.ru/tarif.php
Number of sources found: 8
Number of sinks found: 56
Link found towards: Results from scanning URL: -https://localsportsrightnow.com/
Number of sources found: 46
Number of sinks found: 21 - consider: hxtp://sedoparking.com/frmpark/localsportsrightnow.com/skenzor17/park.js

In the code we find
Quote
<ul class="top-nav">
<li><a href="index.php">Главная</a></li>
<li><a href="news.php">Новости</a></li>
<li><a href="uslugi.php">Услуги</a></li>
<li><a href="dogovor_yprav.php">Договор Управления</a></li>
<li><a href="tarif.php" class="active">Тарифы</a></li>
<li><a href="homes.php">Перечень Домов</a></li>
<li><a href="otchet.php">Отчетность</a></li>
<li><a href="protocols_oss.php">Протоколы ОСС</a></li>
<li><a href="internet.php">Интернет Провайдеры</a></li>
<li><a href="work.php">Планы Работ</a></li>
<li><a href="prikaz.php">Приказы</a></li>
<li><a href="contact.php">Контакты</a></li>
</ul>

Microsoft development seems to have come to a decision: https://laravel-news.com/microsoft-dropping-php-support
Read also: https://www.reddit.com/r/PHP/comments/ho9dgq/microsoft_not_going_to_officially_support_php_8/fxgk1sc/
So others are going to have to do it.

polonus
« Last Edit: July 12, 2020, 05:15:32 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline chabandima2002

  • Newbie
  • *
  • Posts: 1
Re: vbs-malware and RAT - weak php involved..
« Reply #1 on: July 13, 2020, 06:03:18 PM »
Hello, I am an owner of this site. The malware was successfully deleted, and I want to ask a question: are you normally? Malware was used for educational purposes only. Okay, why is PHP weak?

Offline polonus

Re: vbs-malware and RAT - weak php involved..
« Reply #2 on: July 13, 2020, 06:58:06 PM »
Hi chabandima2002,

What I report always stems from third-party cold reconnaissance scanning (other sources, as here URLhaus).
I reported on the malware reported by URLhaus, so you have to ask there (and bark at that tree).
See: https://urlhaus.abuse.ch/host/expdom.ru/ and started from there (just for the QED).

Vulnerable PHP can indeed mean a threat to a website if not properly sanitized (between web server and client).
There are particular functions that, when used, could very well mean a risk.
That also goes for PHP-based CMS.
Reporting on this also serves an educational purpose.

Site is still flagged: https://urlhaus.abuse.ch/host/expdom.ru/

polonus