Bezbedan Balkan
tirsova.rs spread malware - Printable Version




tirsova.rs spread malware - maxxa - 09-19-2022

Detected: Malware.JS/Malscript.G13

Infected files:



Report from urlquery

Never-updated WordPress 4.4.28

The clinic has been notified via the official email address from the site, as has the national CERT.


RE: tirsova.rs spread malware - 1van - 09-19-2022

And it's been like that for who knows how long, right?


RE: tirsova.rs spread malware - maxxa - 09-19-2022

Oh yes, it's been a couple of months since I reported it, and I detected it before that... I can try to dig up in my AV when the first alert was, so we have a rough idea of how long it's been.

I have one more potential avenue for reporting: on the esigurnost.rs site, in the members section, I saw Mr. Aleksandar Vukalović, who is (according to the description, and according to LinkedIn) Adviser to the Minister of Health for IT, so I was thinking of writing to him as well.


RE: tirsova.rs spread malware - y0d4 - 10-10-2022

maybe it would be better to get him onto this forum :>


RE: tirsova.rs spread malware - 1van - 10-12-2022

And the VirusTotal link: https://www.virustotal.com/gui/url/578e449222ad57f6f86c883af61b710c4c83d4260f801e7a9423a858f76ce9ee/detection


RE: tirsova.rs spread malware - maxxa - 10-25-2022

In the meantime they have progressed, so ads for steroids have appeared as well.


RE: tirsova.rs spread malware - maxxa - 11-16-2022

Their cert may have expired, but it doesn't matter because the site is under construction, and I believe they'll sort out the cert too by the launch of the new site :)
They never replied to a single one of my emails, but that doesn't matter - what matters is that the malware spreading from such a high-traffic site has been stopped (and as for me, if they remember me on security day, they remember) 8)


RE: tirsova.rs spread malware - maxxa - 12-16-2022

The new site has arrived! :)
The CSS is a bit off, but no big deal.

It's WordPress again and... directory listing :)
https://tirsova.rs/wp-content/uploads/


RE: tirsova.rs spread malware - 1van - 12-15-2023

IP addresses:

Source URLQuery: 79.175.68.3
Source VirusTotal: 162.55.238.114