- Security Researcher: Jheto Xekri
- Date: January 17 2016
- Title: Suspicious Url
- Today a Twitter user sent me a link, something strange. The original URL was:
- https://t.co/MOsA2guO0U this URL is a URL-shortener link and redirects to http://micropointe.org/
- The user who sent me this is: https://twitter.com/MicroPointes
- The home site appears with a small description of this site: "MicroPointe: Be alerted when jihadist chatter appears on social media in your backyard based on your search criteria."
- I immediately started to perform the analysis of the URL, because maybe this is related to JIHAD or ISIS.
- A search on Whois shows that:
- Domain Name: MICROPOINTE.ORG
- Domain ID: D169327155-LROR
- WHOIS Server:
- Referral URL: http://www.godaddy.com
- Updated Date: 2015-09-22T16:26:26Z
- Creation Date: 2013-07-30T18:58:32Z
- Registry Expiry Date: 2016-07-30T18:58:32Z
- Sponsoring Registrar: GoDaddy.com, LLC
- Sponsoring Registrar IANA ID: 146
- Domain Status: clientDeleteProhibited https://www.icann.org/epp#clientDeleteProhibited
- Domain Status: clientRenewProhibited https://www.icann.org/epp#clientRenewProhibited
- Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
- Domain Status: clientUpdateProhibited https://www.icann.org/epp#clientUpdateProhibited
- Registrant ID: CR148155625
- Registrant Name: Registration Private
- Registrant Organization: Domains By Proxy, LLC
- Registrant Street: DomainsByProxy.com
- Registrant Street: 14747 N Northsight Blvd Suite 111, PMB 309
- Registrant City: Scottsdale
- Registrant State/Province: Arizona
- Registrant Postal Code: 85260
- Registrant Country: US
- Registrant Phone: +1.4806242599
- Registrant Phone Ext:
- Registrant Fax: +1.4806242598
- Registrant Fax Ext:
- Registrant Email: MICROPOINTE.ORG@domainsbyproxy.com
- Admin ID: CR148155627
- Admin Name: Registration Private
- Admin Organization: Domains By Proxy, LLC
- Admin Street: DomainsByProxy.com
- Admin Street: 14747 N Northsight Blvd Suite 111, PMB 309
- Admin City: Scottsdale
- Admin State/Province: Arizona
- Admin Postal Code: 85260
- Admin Country: US
- Admin Phone: +1.4806242599
- Admin Phone Ext:
- Admin Fax: +1.4806242598
- Admin Fax Ext:
- Admin Email: MICROPOINTE.ORG@domainsbyproxy.com
- Tech ID: CR148155626
- Tech Name: Registration Private
- Tech Organization: Domains By Proxy, LLC
- Tech Street: DomainsByProxy.com
- Tech Street: 14747 N Northsight Blvd Suite 111, PMB 309
- Tech City: Scottsdale
- Tech State/Province: Arizona
- Tech Postal Code: 85260
- Tech Country: US
- Tech Phone: +1.4806242599
- Tech Phone Ext:
- Tech Fax: +1.4806242598
- Tech Fax Ext:
- Tech Email: MICROPOINTE.ORG@domainsbyproxy.com
- Name Server: NS24.DOMAINCONTROL.COM
- Name Server: NS23.DOMAINCONTROL.COM
- DNSSEC: unsigned
- Another scan on a URL blacklist shows that: http://urlquery.net/queued.php?id=860705832
- This URL is related to the following reports:
- [www.geokop.net/tzz/tscon.php?portaloftesco]
- http://urlquery.net/report.php?id=1453072601469
- (Phishing)
- [alert.arrayoffers.com/proc.php?174c3e54f94634a30469f27caee0fa10c180856f]
- http://urlquery.net/report.php?id=1453072326321
- (Trojans/CrimeWare/Droppers)
- [publishyourphotographybook.com]
- publishyourphotographybook.com
- (Crypters for Trojans)
- [quinnmark.com/mailerror/hotmail/bekz.html]
- http://urlquery.net/report.php?id=1453058599336
- (Phishing)
- nmap 109.199.97.231 or nmap micropointe.org
- 1/tcp closed tcpmux
- 20/tcp closed ftp-data
- 21/tcp open ftp
- 25/tcp open smtp
- 53/tcp open domain
- 80/tcp open http
- 81/tcp open hosts2-ns
- 110/tcp open pop3
- 111/tcp closed rpcbind
- 113/tcp closed ident
- 143/tcp open imap
- 443/tcp open https
- 465/tcp open smtps
- 993/tcp open imaps
- 995/tcp open pop3s
- 2525/tcp closed ms-v-worlds
- 3306/tcp open mysql
- 5432/tcp closed postgresql
- 34571/tcp closed unknown
- 34572/tcp closed unknown
- 34573/tcp closed unknown
- I also did a vulnerability scan of this site with OpenVAS and detected that:
- [http TRACE XSS attack]
- Debugging functions are enabled on the remote HTTP server.
- The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
- It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses in browsers.
- An attacker may use this flaw to trick your legitimate web users to give him their credentials.
- [Missing httpOnly Cookie Attribute]
- The application is missing the 'httpOnly' cookie attribute.
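An added example, not part of the original paste, showing how a site owner can verify the two OpenVAS findings above (TRACE enabled, which is the precondition for XST, and cookies set without HttpOnly) from captured HTTP responses. The sample responses are constructed for the example and are not from micropointe.org.

```python
# Audit captured HTTP responses for the two OpenVAS findings discussed above.
# Sample responses below are constructed, not captured from any real host.
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a lowercase header-name -> values map.
    Repeated headers (e.g. several Set-Cookie lines) are kept as a list;
    the status line is stored under the pseudo-key "_status"."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {"_status": [lines[0]]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def trace_enabled(trace_response: str) -> bool:
    """A server with TRACE enabled answers a TRACE request with 200 and echoes
    the request back as message/http; a hardened server answers 405 or 501."""
    h = parse_headers(trace_response)
    status = h["_status"][0].split()[1]
    ctype = h.get("content-type", [""])[0].lower()
    return status == "200" and ctype.startswith("message/http")


def cookies_missing_httponly(response: str) -> List[str]:
    """Return the names of cookies set without the HttpOnly attribute."""
    missing = []
    for cookie in parse_headers(response).get("set-cookie", []):
        parts = cookie.split(";")
        name = parts[0].split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in parts[1:]]
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample responses (hypothetical hostname example.invalid)
TRACE_OK = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
            "TRACE / HTTP/1.1\r\nHost: example.invalid\r\n")
TRACE_DENIED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
PAGE = ("HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=abc123; Path=/\r\n"
        "Set-Cookie: lang=en; Path=/; HttpOnly\r\nContent-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    print("TRACE enabled (sample 1):", trace_enabled(TRACE_OK))        # True
    print("TRACE enabled (sample 2):", trace_enabled(TRACE_DENIED))    # False
    print("cookies without HttpOnly:", cookies_missing_httponly(PAGE))  # ['PHPSESSID']
```

On Apache the first finding is closed with `TraceEnable off`; the second by adding the HttpOnly flag (for PHP, `session.cookie_httponly = 1`).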
- I think these guys are preparing a bank tappet using this platform to spread crimeware.
- You can contact me in:
- Profile web: http://about.me/jheto.xekri
- or by Email: jheto.xekri@outlook.com
- or by Whatsapp: +573122844198
- or by Skype: jheto.xekri