Author Topic: URL Malversting  (Read 1712 times)

0 Members and 1 Guest are viewing this topic.

Offline chordelord

  • Newbie
  • *
  • Posts: 6
URL Malversting
« on: March 21, 2023, 08:54:36 PM »
Hi team, I usually don't post what appears on the antivirus, but know I'm curiouss, can you explain me?
I get a constant attack from l1s.strn-test.pl what does exactly this mean? that somebody is trying to hit my ports?

But I'm using a VPN, how they know my adress?

is there a way to stop them?

this is the ID of the attack 6df891ec2d10/2023-03-21T19:49:28.127Z


Offline rocksteady

  • Super Poster
  • ***
  • Posts: 1533
Re: URL Malversting
« Reply #1 on: March 22, 2023, 12:30:19 PM »
Please include a screenshot of the Avast warning pop-up, including the "Details" part.

Offline chordelord

  • Newbie
  • *
  • Posts: 6
Re: URL Malversting
« Reply #2 on: March 22, 2023, 09:39:38 PM »
That was yesterday
<img src=https://i0002.clarodrive.com/ocs/v1.php/apps/amx_branding/api/v1/preview?fileId=2314812088&x=-1&y=-1&animated=true&crop=false>

And this one is from today
<img src=https://i0002.clarodrive.com/ocs/v1.php/apps/amx_branding/api/v1/preview?fileId=2314815898&x=-1&y=-1&animated=true&crop=false>

So whats the point of a VPN if you still get attacked
« Last Edit: March 24, 2023, 10:34:43 PM by chordelord »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: URL Malversting
« Reply #3 on: March 22, 2023, 10:23:27 PM »
Attach images to your post, posting links to unknown 3rd party sites, people won't visit.

Use the  Attachments and other options below the text window you use to post.

See attached screenshot on what to do.  Click to expand the image.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL Malversting
« Reply #4 on: March 22, 2023, 11:55:49 PM »
Witam chordelord,

2 vendors to flag this destination website address as with phishing: https://www.virustotal.com/gui/url/0fc58c467206dc550a35b016e4d1addd8b81ba4b6e571d2ad1e32e36b7cac4db

It is a bitcoin related phish, e.g. Filecoin phish on slack; but with only a 11,1% score of being a genuine PHISH,
this 'though site has been blacklisted by MacAfee's ->: https://sitecheck.sucuri.net/results/l1s.strn-test.pl
Returning a code 0. The site you give does not resolve (anymore).
See also: https://en.internet.nl/site/strn.network/1995899/

See: https://urlscan.io/result/176b4f90-2c71-4663-bafc-6b54902bbde3/#summary  (indicators).
Final redirect has very well implemented CSP (content security policy),

See also: https://www.virustotal.com/gui/url/3036234e614457bc9fb16981a665b12d1a89879d3905dad63ce4296284ba3c2a/details

So I would not worry that much, but wait for a final verdict from avast's team.

The second link you presented has lerss of a clickjacking protection: https://sitecheck.sucuri.net/results/https/i0002.clarodrive.com (but not malicious as such)
Re;
Quote

jquery   1.11.0   Found in htxps://www.clarodrive.com/js/jquery.min.js _____Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Stay safe and secure both online and offline, pozdrawiam,
'
polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: March 23, 2023, 12:14:31 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: URL Malversting
« Reply #5 on: March 23, 2023, 12:14:26 AM »
<snip>
So whats the point of a VPN if you still get attacked

A VPN doesn't specifically protect from malware, it might hide your location, from the recipient.  But when your computer connects to a site (VPN connection or otherwise) it has to be able to send back to the originating IP or you wouldn't be able to browse the internet.

So if the connection originates from your system then the return comes back to your system and Avast would alert if it considers it malicious.  That is why we are asking for a screenshot of the alert.

Please include a screenshot of the Avast warning pop-up, including the "Details" part.

And why I showed how to do that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL Malversting
« Reply #6 on: March 23, 2023, 12:23:01 AM »
The alleged Filecoin phishing site does not resolve now anymore,
so was only short-lived.
Being behind a VPN or not; it is now "water under the bridge".

Nothing to do with the security of Filecoin (on strn.network)

It is vulnerability probably through lousy Java code implementation,
and then as DavidR correctly states a VPN will not protect
the end-user against such scam and phishing,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline chordelord

  • Newbie
  • *
  • Posts: 6
Re: URL Malversting
« Reply #7 on: March 24, 2023, 10:22:24 PM »
OK thanks everybody for their replies...I have several notifications, here is it one fresh

What you said about clarodrive, it should be harmless, is a cloud drive service, so shouldnt be any risk, I uploaded the pictures there.
« Last Edit: March 24, 2023, 10:33:50 PM by chordelord »