JhetoX
Suspicious Url
Jan 17th, 2016
Security Researcher: Jheto Xekri
Date: January 17 2016
Title: Suspicious Url

Today a Twitter user sent me a link that looked strange. The original URL was
https://t.co/MOsA2guO0U; this is a URL shortener link and it redirects to http://micropointe.org/

The user who sent me this is: https://twitter.com/MicroPointes

The home page shows a small description of this site: "MicroPointe: Be alerted when jihadist chatter appears on social media in your backyard based on your search criteria."

I immediately started analysing the URL, because it might be related to jihad or ISIS.

A WHOIS search shows:

Domain Name: MICROPOINTE.ORG
Domain ID: D169327155-LROR
WHOIS Server:
Referral URL: http://www.godaddy.com
Updated Date: 2015-09-22T16:26:26Z
Creation Date: 2013-07-30T18:58:32Z
Registry Expiry Date: 2016-07-30T18:58:32Z
Sponsoring Registrar: GoDaddy.com, LLC
Sponsoring Registrar IANA ID: 146
Domain Status: clientDeleteProhibited https://www.icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://www.icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://www.icann.org/epp#clientUpdateProhibited
Registrant ID: CR148155625
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 14747 N Northsight Blvd Suite 111, PMB 309
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: MICROPOINTE.ORG@domainsbyproxy.com
Admin ID: CR148155627
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy.com
Admin Street: 14747 N Northsight Blvd Suite 111, PMB 309
Admin City: Scottsdale
Admin State/Province: Arizona
Admin Postal Code: 85260
Admin Country: US
Admin Phone: +1.4806242599
Admin Phone Ext:
Admin Fax: +1.4806242598
Admin Fax Ext:
Admin Email: MICROPOINTE.ORG@domainsbyproxy.com
Tech ID: CR148155626
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 14747 N Northsight Blvd Suite 111, PMB 309
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: US
Tech Phone: +1.4806242599
Tech Phone Ext:
Tech Fax: +1.4806242598
Tech Fax Ext:
Tech Email: MICROPOINTE.ORG@domainsbyproxy.com
Name Server: NS24.DOMAINCONTROL.COM
Name Server: NS23.DOMAINCONTROL.COM
DNSSEC: unsigned

Another scan against URL blacklists shows: http://urlquery.net/queued.php?id=860705832

This URL is related to the following reports:

[www.geokop.net/tzz/tscon.php?portaloftesco]
http://urlquery.net/report.php?id=1453072601469
(Phishing)

[alert.arrayoffers.com/proc.php?174c3e54f94634a30469f27caee0fa10c180856f]
http://urlquery.net/report.php?id=1453072326321
(Trojans/CrimeWare/Droppers)

[publishyourphotographybook.com]
publishyourphotographybook.com
(Crypters for Trojans)

[quinnmark.com/mailerror/hotmail/bekz.html]
http://urlquery.net/report.php?id=1453058599336
(Phishing)

nmap 109.199.97.231 or nmap micropointe.org

1/tcp closed tcpmux
20/tcp closed ftp-data
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop3
111/tcp closed rpcbind
113/tcp closed ident
143/tcp open imap
443/tcp open https
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
2525/tcp closed ms-v-worlds
3306/tcp open mysql
5432/tcp closed postgresql
34571/tcp closed unknown
34572/tcp closed unknown
34573/tcp closed unknown
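The port table above is the interesting part of the scan, and the question a defender asks of it is which of the open services should not be reachable from the Internet at all on a web host. The following is an added example, not part of the paste: it parses nmap's normal-output port lines (the embedded input is the table from the paste) and applies a small exposure policy. The policy itself, the "cleartext login" and "internal only" service sets, is an assumption of this example, not something nmap or the paste defines.

```python
"""Parse nmap normal-output port lines and flag services that are risky to
expose on a public web host (added example; policy sets are assumptions)."""
import re
from dataclasses import dataclass

# Constructed input: the port table exactly as reported in the paste above.
NMAP_OUTPUT = """\
1/tcp closed tcpmux
20/tcp closed ftp-data
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop3
111/tcp closed rpcbind
113/tcp closed ident
143/tcp open imap
443/tcp open https
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
2525/tcp closed ms-v-worlds
3306/tcp open mysql
5432/tcp closed postgresql
34571/tcp closed unknown
34572/tcp closed unknown
34573/tcp closed unknown
"""

# One nmap port line: "<port>/<proto> <state> <service>"; extra columns are ignored.
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str


def parse_nmap(text: str) -> list[Port]:
    """Return every port line of an nmap normal-output scan as a Port record."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m["port"]), m["proto"], m["state"], m["service"]))
    return ports


def open_ports(ports: list[Port]) -> list[int]:
    """Sorted port numbers that nmap reported as open."""
    return sorted(p.number for p in ports if p.state == "open")


# Exposure policy (assumption of this example, not an nmap concept):
# services whose login credentials travel in cleartext, and services that a
# web host should only ever serve to localhost or a private network.
CLEARTEXT_AUTH = {"ftp", "pop3", "imap"}
INTERNAL_ONLY = {"mysql", "postgresql", "rpcbind"}


def review_exposure(ports: list[Port]) -> list[tuple[int, str, str]]:
    """Return (port, service, advice) for each open port that violates the policy."""
    findings = []
    for p in sorted(ports, key=lambda p: p.number):
        if p.state != "open":
            continue  # closed/filtered ports carry no exposure
        if p.service in INTERNAL_ONLY:
            findings.append((p.number, p.service,
                             "database/RPC service reachable from the Internet; "
                             "bind it to localhost or firewall it"))
        elif p.service in CLEARTEXT_AUTH:
            findings.append((p.number, p.service,
                             "cleartext login protocol; disable it or require TLS "
                             "(ftps/pop3s/imaps)"))
    return findings


if __name__ == "__main__":
    scan = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(scan))
    for number, service, advice in review_exposure(scan):
        print(f"{number}/tcp {service}: {advice}")
```

Run against the paste's table it reports the FTP, POP3 and IMAP listeners as cleartext login services and the MySQL listener on 3306 as a database that should not face the Internet; the TLS variants (465, 993, 995) pass because the policy only names the cleartext services.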

I also ran a vulnerability scan of this site with OpenVAS and detected the following:

[http TRACE XSS attack]

Debugging functions are enabled on the remote HTTP server.

The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users to give him their credentials.


[Missing httpOnly Cookie Attribute]

The application is missing the 'httpOnly' cookie attribute
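Both OpenVAS findings above are visible in a single captured HTTP response: an Allow header (or a 200 reply to TRACE) advertising TRACE, and Set-Cookie headers without HttpOnly. The following is an added example, not from the paste or from OpenVAS: it parses a raw response and reports those two findings, also flagging a missing Secure attribute. The two sample responses (a weak one and a hardened one, using a constructed PHPSESSID cookie) are constructed for the example; the finding codes are this example's own.

```python
"""Audit a raw HTTP response for TRACE exposure and cookie attributes
(added example; sample responses and finding codes are constructed)."""

# Constructed sample: TRACE advertised, session cookie without HttpOnly/Secure.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "\r\n"
)

# Constructed sample: TRACE not advertised, cookie carries HttpOnly and Secure.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "\r\n"
)


def parse_response(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status code, [(name, value), ...]).

    Headers are kept as a list, not a dict, because Set-Cookie may repeat.
    Header names are lower-cased; values keep their case.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def trace_advertised(headers: list[tuple[str, str]]) -> bool:
    """True if any Allow header lists the TRACE method (from an OPTIONS reply)."""
    for name, value in headers:
        if name == "allow":
            methods = {m.strip().upper() for m in value.split(",")}
            if "TRACE" in methods:
                return True
    return False


def trace_answered(status: int, headers: list[tuple[str, str]]) -> bool:
    """True if this looks like a successful reply to a TRACE request:
    200 status with the message/http body that TRACE echoes back."""
    ctype = next((v for n, v in headers if n == "content-type"), "")
    return status == 200 and ctype.lower().startswith("message/http")


def cookie_findings(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Report each Set-Cookie header that lacks HttpOnly or Secure.
    Attribute names are compared case-insensitively, as browsers do."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(("COOKIE_MISSING_HTTPONLY", cookie_name))
        if "secure" not in attrs:
            findings.append(("COOKIE_MISSING_SECURE", cookie_name))
    return findings


def audit(raw: str) -> list[tuple[str, str]]:
    """Combine the TRACE and cookie checks for one captured response."""
    status, headers = parse_response(raw)
    findings = []
    if trace_advertised(headers) or trace_answered(status, headers):
        findings.append(("TRACE_ENABLED", "server accepts the TRACE method"))
    findings.extend(cookie_findings(headers))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

The fix on the server side is the mirror image of the checks: on Apache httpd the `TraceEnable Off` directive disables TRACE (nginx rejects it with 405 by default), and the application should emit session cookies with `HttpOnly` and `Secure` so a script injected via XST or any other XSS cannot read them.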


I think these guys are preparing a bank tappet using this platform to spread crimeware.


You can contact me at:

Profile web: http://about.me/jheto.xekri
or by Email: jheto.xekri@outlook.com
or by Whatsapp: +573122844198
or by Skype: jheto.xekri