Author Topic: Malware spreading Word Press website...  (Read 3185 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Malware spreading Word Press website...
« on: October 20, 2020, 05:18:59 PM »
Read: https://urlhaus.abuse.ch/host/21-carat.com/   ... OVH France abuse...

XSS-DOM - Results from scanning URL: -http://21-carat.com
Number of sources found: 17
Number of sinks found: 1214

Results from scanning URL: -https://21-carat.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 41
Number of sinks found: 17

Malware tags: Online/doc/emotet/ext/epoch3/heodo ext

Not detected here: https://sitecheck.sucuri.net/results/https/21-carat.com
(outdated PHP software version)...

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Malware spreading Word Press website...
« Reply #1 on: October 21, 2020, 01:05:32 AM »
L.S.

When checking that site's IP for fraud risk, we get a high fraud risk of 32:
see: https://scamalytics.com/ip/51.91.236.193

At VT we find 2 solutions to detect this IP:
https://www.virustotal.com/gui/ip-address/51.91.236.193/detection

And at https://www.virustotal.com/gui/ip-address/51.91.236.193/relations
we see ample detection of communicating files (so forewarned is forearmed).

polonus

Offline polonus

Re: Malware spreading Word Press website...
« Reply #2 on: October 21, 2020, 01:16:06 AM »
This is what you get going there:
-https://docs.ovh.com/gb/en/hosting/web_hosting_error_-_website_not_installed/
and
Quote
HTML
-51.91.236.193/
8,921 bytes, 103 nodes

Javascript 5   (external 0, inline 5)
INLINE: Object.defineProperty(screen, "availTop", { value: 0 }); Object.defineProperty(s
2,882 bytes

INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
38,144 bytes

INLINE: Object.defineProperty(screen, "availTop", { value: 0 }); Object.defineProperty(s
2,882 bytes

INLINE: var utcDate = new Date(new Date().getTime()).toISOString();
254 bytes

CSS 2   (external 1, inline 1)
-51.91.236.193/__ovhp/common/css/style.css
INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

Re: Malware spreading Word Press website...
« Reply #3 on: October 22, 2020, 01:49:45 PM »
In the case of the following malware-(Emotet-)spreading Word Press website, which is being blacklisted,
even access to the directory listing is prohibited by the Sucuri WebSite Firewall.

See reported website: https://urlhaus.abuse.ch/url/734220/
Quote
SERVER DETAILS
Web Server:
LiteSpeed
IP Address:
45.252.248.20
Hosting Provider:
AZDIGI-AS-VN AZDIGI Corporation, VN
Shared Hosting:
500 sites found (use Reverse IP to download list)
Title:
Index of /wp-includes/
  No configuration setting issues, but directory listing enabled.
path = /wp-includes/Overview/ct5u1XXXXXhbd/ (listed as ct5uXXXXXwhbd, 22-Oct-2020 10:55), which is kicking up that malware, and Spamhaus and Trustwave detect:
https://www.virustotal.com/gui/url/be6ee9e4ecdf9e8d6f0daea6fa70f4c5493e6d40a0f83a63ad9de0fc4902a0fc/detection

10 detected files with this IP address:
https://www.virustotal.com/gui/ip-address/45.252.248.20/relations
See all the vulnerabilities on that hoster of IP: https://www.shodan.io/host/45.252.248.20

Malware link also opens up to URL: -https://i5cdnimg-a.akamaihd.net/__media__/js/min.js?v2.2
Medianet Advertising.

Quote
Javascript 6   (external 0, inline 6)
INLINE: // Catch errors if signal is already set by user agent or other extensi...
402 bytes

INLINE: // Catch errors if signal is already set by user agent or other extensi...
402 bytes

INLINE: try { Object.defineProperty(screen, "availTop", { value:
4,253 bytes

INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete...
1,238 bytes

INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
38,144 bytes

INLINE: try { Object.defineProperty(screen, "availTop", { value:
4,253 bytes

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: October 22, 2020, 02:16:39 PM by polonus »
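A defender-side check for the symptom in the post above (an open autoindex listing of /wp-includes/ with an extra, recently created directory): this is an added example, not code from the post or from any of the tools it links. It parses a constructed listing and flags directories missing from an assumed, partial list of WordPress core wp-includes directories, noting when they are dated after every core entry.

```python
import re
from datetime import datetime

# Constructed sample of an Apache/LiteSpeed-style autoindex page, modelled on the
# "Index of /wp-includes/" listing quoted in the post (names and dates are made up).
SAMPLE_LISTING = """<html><head><title>Index of /wp-includes/</title></head>
<body><h1>Index of /wp-includes/</h1><pre>
<a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>  <a href="?C=S;O=A">Size</a>
<hr><a href="/">Parent Directory</a>                              -
<a href="ID3/">ID3/</a>                     11-Aug-2020 14:02    -
<a href="js/">js/</a>                       11-Aug-2020 14:02    -
<a href="Overview/">Overview/</a>           22-Oct-2020 10:55    -
<a href="class-wp.php">class-wp.php</a>     11-Aug-2020 14:02  24K
<hr></pre></body></html>"""

# Assumed, partial set of directories shipped in WordPress core's wp-includes
# (circa WP 5.5); regenerate it from a clean install of the exact version in use.
WP_INCLUDES_CORE_DIRS = {
    "ID3", "IXR", "Requests", "SimplePie", "Text", "assets", "block-patterns",
    "block-supports", "blocks", "certificates", "css", "customize", "fonts",
    "images", "js", "php-compat", "pomo", "random_compat", "rest-api",
    "sitemaps", "sodium_compat", "theme-compat", "widgets",
}

# One listing row: link + "DD-Mon-YYYY HH:MM"; sort links (href="?...") never match.
ENTRY_RE = re.compile(
    r'<a href="(?P<href>[^"?][^"]*)">[^<]*</a>\s+'
    r'(?P<mtime>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2})'
)


def parse_autoindex(html):
    """Return [(name, is_dir, mtime)] for real entries, skipping the Parent Directory link."""
    entries = []
    for m in ENTRY_RE.finditer(html):
        href = m.group("href")
        if href.startswith("/"):  # "/" is the Parent Directory link
            continue
        mtime = datetime.strptime(m.group("mtime"), "%d-%b-%Y %H:%M")
        entries.append((href.rstrip("/"), href.endswith("/"), mtime))
    return entries


def suspicious_dirs(html, core_dirs=WP_INCLUDES_CORE_DIRS):
    """Non-core directories as (name, mtime, newer_than_core); core entries normally
    share the install/update timestamp, so a later-dated stranger is the tell."""
    entries = parse_autoindex(html)
    core_mtimes = [mt for name, is_dir, mt in entries if is_dir and name in core_dirs]
    newest_core = max(core_mtimes) if core_mtimes else None
    findings = []
    for name, is_dir, mtime in entries:
        if is_dir and name not in core_dirs:
            newer = newest_core is not None and mtime > newest_core
            findings.append((name, mtime.strftime("%Y-%m-%d %H:%M"), newer))
    return findings
```

Run it against a saved copy of your own site's listing; any flagged directory warrants a look at its contents and the web server's access log, and the listing itself is a reason to disable autoindex.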

Offline polonus

Re: Malware spreading Word Press website...
« Reply #4 on: October 22, 2020, 02:29:12 PM »
This one is also not found by the main scan engines:
https://sitecheck.sucuri.net/results/mulherdealtaperformance.com.br

Same sort of malware spreader, this: -mulherdealtaperformance.com.br/
according to URLhaus: https://urlhaus.abuse.ch/host/mulherdealtaperformance.com.br/

polonus

Offline polonus

Re: Malware spreading Word Press website...
« Reply #5 on: October 23, 2020, 12:43:51 PM »
Then this one, opening up on ...../bins/ (Parent Directory) on a vulnerable web server: Apache/2.2.15 (CentOS) Server at moon.leasevps dot com Port 80, infesting with ddos, elf & mirai.

See: https://urlhaus.abuse.ch/url/739437/

polonus