Author Topic: Malware spreading Word Press website...  (Read 3287 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33992
  • malware fighter
Malware spreading Word Press website...
« on: October 20, 2020, 05:18:59 PM »
Read: https://urlhaus.abuse.ch/host/21-carat.com/   ... OVH France abuse...

XSS-DOM - Results from scanning URL: -http://21-carat.com
Number of sources found: 17
Number of sinks found: 1214

Results from scanning URL: -https://21-carat.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 41
Number of sinks found: 17

Malware tags: Online/doc/emotet/ext/epoch3/heodo ext

Not detected here: https://sitecheck.sucuri.net/results/https/21-carat.com
(outdated PHP software version)...

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33992
  • malware fighter
Re: Malware spreading Word Press website...
« Reply #1 on: October 21, 2020, 01:05:32 AM »
L.S.

When checking that site's IP for fraud risk, we get a high fraud risk of 32:
see: https://scamalytics.com/ip/51.91.236.193

At VT we find 2 solutions to detect this IP:
https://www.virustotal.com/gui/ip-address/51.91.236.193/detection

And at https://www.virustotal.com/gui/ip-address/51.91.236.193/relations
we see ample detection of communicating files (so forewarned is forearmed),

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33992
  • malware fighter
Re: Malware spreading Word Press website...
« Reply #2 on: October 21, 2020, 01:16:06 AM »
This is what you get going there:
-https://docs.ovh.com/gb/en/hosting/web_hosting_error_-_website_not_installed/
and
Quote
HTML
-51.91.236.193/
8,921 bytes, 103 nodes

Javascript 5   (external 0, inline 5)
INLINE: Object.defineProperty(screen, "availTop", { value: 0 }); Object.defineProperty(s
2,882 bytes

INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
38,144 bytes

INLINE: Object.defineProperty(screen, "availTop", { value: 0 }); Object.defineProperty(s
2,882 bytes

INLINE: var utcDate = new Date(new Date().getTime()).toISOString();
254 bytes

CSS 2   (external 1, inline 1)
-51.91.236.193/__ovhp/common/css/​style.css
INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33992
  • malware fighter
Re: Malware spreading Word Press website...
« Reply #3 on: October 22, 2020, 01:49:45 PM »
In case of the following malware-(emotet)spreading Word Press website, which is being blacklisted,
even access to directory listing is prohibited by the Sucuri WebSite Firewall.

See reported website: https://urlhaus.abuse.ch/url/734220/
Quote
SERVER DETAILS
Web Server:
LiteSpeed
IP Address:
45.252.248.20
Hosting Provider:
AZDIGI-AS-VN AZDIGI Corporation, VN
Shared Hosting:
500 sites found (use Reverse IP to download list)
Title:
Index of /wp-includes/
  No configuration setting issues, but directory listing enabled.
path = /wp-includes/Overview/ct5u1XXXXXhbd/">ct5uXXXXXwhbd</a> 22-Oct-2020 10:55 - which is kicking up that malware -> and Spamhouse and Trustwave detect:
https://www.virustotal.com/gui/url/be6ee9e4ecdf9e8d6f0daea6fa70f4c5493e6d40a0f83a63ad9de0fc4902a0fc/detection

10 detected files with this IP address:
https://www.virustotal.com/gui/ip-address/45.252.248.20/relations
See all the vulnerabilities on that hoster of IP: https://www.shodan.io/host/45.252.248.20

Malware link also opens up to URL: -https://i5cdnimg-a.akamaihd.net/__media__/js/min.js?v2.2
Medianet Advertising.

Quote
avascript 6   (external 0, inline 6)
INLINE: // Catch errors if signal is already set by user agent or other extensi...
402 bytes

INLINE: // Catch errors if signal is already set by user agent or other extensi...
402 bytes

INLINE: try { Object.defineProperty(screen, "availTop", { value:
4,253 bytes

INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete...
1,238 bytes

INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
38,144 bytes

INLINE: try { Object.defineProperty(screen, "availTop", { value:
4,253 bytes

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: October 22, 2020, 02:16:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33992
  • malware fighter
Re: Malware spreading Word Press website...
« Reply #4 on: October 22, 2020, 02:29:12 PM »
This one is also not found up by the main scan engines:
https://sitecheck.sucuri.net/results/mulherdealtaperformance.com.br

Same sort of malware spreader, this: -mulherdealtaperformance.com.br/
according to URLhaus: https://urlhaus.abuse.ch/host/mulherdealtaperformance.com.br/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33992
  • malware fighter
Re: Malware spreading Word Press website...
« Reply #5 on: October 23, 2020, 12:43:51 PM »
Then this one opening up on ...../bins/ Parent Directory on vulnerable web server - <address>Apache/2.2.15 (CentOS) Server at moon.leasevps dot com Port 80</address>  infesting with ddos, elf & mirai.

See: https://urlhaus.abuse.ch/url/739437/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!