Today I was using an iPhone 5 and I accidentally clicked enter when I was trying to backspace. I ended up going to qqw.com by accident. Can anyone with experience tell me if I will be affected in any way even if it's on an iPhone? And is this site safe? I am on the iPhone because I don’t have a computer near me to try scanning the site.
Can't find anything negative on that URL…
And as far as I know, the only iPhones that have been infected are jailbroken iPhones.
As far as I can establish all the malware from that IP has been closed or is dead now.
Also see: http://zulu.zscaler.com/submission/show/5017d7efa67cd3f3146c5d45336081df-1356385417
But there is a tracking redirect hidden iFrame to /return.bs.domainnamesales dot com
Web rep four times yellow: http://www.mywot.com/en/scorecard/return.bs.domainnamesales.com?utm_source=addon&utm_content=popup-donuts
IP could be related to PHISHING… But the site is insecure, as the PHP version the site runs is vulnerable to certain attacks,
see: http://www.unixnews.net/2012/09/usn-1569-1-php-vulnerabilities.html
(link sourced = Unix News php5 vulnerabilities)
polonus
Ok so is the iPhone safe polonus? Just to add some more info: I had cookies enabled for visited and JavaScript disabled. Will I be able to safely connect it to my computer? Thanks for the quick answers!
Also will the tracking redirect iframe that you mention do anything? It won't track what I do on the iPhone, right? You say the malware has been closed or is dead. What about the iframe, and what does it mean when a malware is “dead”?
TuckerX,
With JavaScript disabled there is not much that can happen to you there. As long as you do not install anything from untrusted sources, you are secure on the iPhone. Most infectious material comes from unofficial sources.
Well, there are two instances of malware that no longer form any threat: dead and closed malware.
Dead malware is malware that is no longer infectious. The site the malware originates from has either been taken down or no longer responds, or the malware has been cleansed by the owner of the website or the hoster of that website. This does not mean that websites cannot be reinfected through server software and website software when certain vulnerabilities have not been patched, or older software has not been fully updated/upgraded, or server software has not been hardened or been configured properly. There are quite some sites maintained by people that have so-called zilch knowledge of website security, and these sites pose an enormous recurring threat to visitors. We are in a stage where more and more are getting aware of these facts, and that is why it is a good thing to visit this web forum to grow more aware of this general situation,
polonus
Ok thanks for the clarification. So the iPhone is safe? There isn't anything that happened when I visited the site? The iframe doesn't affect the phone at all, or my computer if I connect the phone to it?
Specifically about the tracking going on from there:
Cookies:
Name Target Key Value Domain Valid until
1 - ? uid qqw50da0818ec7fd2.9209… qqw dot com 24-01-2013
2 - ? WEB W1 qqw dot com
Third party cookies:
Name Target Key Value Domain Valid until
1 - ? htxp://return.bs.domainname… WEB W1 return.bs.domainnamesales.com
2 DoubleClick Ad htxp://googleads.g.doublecl… test_cookie CheckForPermission .doubleclick.net 25-12-2012
Third party requests:
Name Target URL
1 - ? htxp://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery…
info: [img] wXw.google.com/images/errors/sm.gif (Flash video tracking)
info: [0] no JavaScript (packing list pkg: Unable to open keyword definition(/usr/ports/Keywords/stopdaemon.yaml): No such file or directory (wrong element used) the above is not and is the actual bug…
2 - ? htxp://208.87.32.71/js/jquery.tools.custom.min.js
found JavaScript
error: undefined variable jQuery
error: undefined variable a.browser
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var a.browser = 1;
error: line:1: …^
link to: htxp://flowplayer.org/tools/ could create a bug in Facebook through CavalryLogger,
3 Google Adsense Ad htxp://pagead2.googlesyndication.com/apps/domainpark/show…
Domain can be developed into a site or monetized through parking…
All as far as I can establish benign code here…
polonus
P.S. Known vulnerabilities for the server software on this site from the Bahamas: http://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-109443/Apache-Http-Server-2.2.17.html
(1 vulnerability known in attack to gain privileges)
D
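The kind of check walked through in the post above (which resources a page loads from other sites, and whether any iframe is hidden from the visitor), as an added example that is not part of the original thread. The markup is constructed for illustration, the host names are the ones quoted in the thread, and the two-label `site_of` rule is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample markup (not a capture of the real page). Host names are
# the ones quoted in the thread; every path is a made-up placeholder.
SAMPLE_HTML = """
<html><head>
<script src="http://ajax.googleapis.com/placeholder/lib.js"></script>
<script src="/js/local.js"></script>
</head><body>
<iframe src="http://return.bs.domainnamesales.com/placeholder" width="0"
        height="0" style="display: none"></iframe>
<iframe src="http://pagead2.googlesyndication.com/placeholder"
        width="300" height="250"></iframe>
<img src="http://www.qqw.com/placeholder.gif">
</body></html>
"""

def site_of(host):
    # Simplification: last two labels. Real tooling should use the Public
    # Suffix List so that e.g. "example.co.uk" is handled correctly.
    return ".".join(host.lower().split(".")[-2:])

def is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class ResourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_site = site_of(urlparse(page_url).hostname)
        self.third_party = []     # (tag, host) loaded from another site
        self.hidden_iframes = []  # src of iframes the visitor cannot see

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag not in ("script", "iframe", "img") or not src:
            return
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host and site_of(host) != self.page_site:
            self.third_party.append((tag, host))
        if tag == "iframe" and is_hidden(attrs):
            self.hidden_iframes.append(src)

def audit(page_url, html):
    parser = ResourceAudit(page_url)
    parser.feed(html)
    return parser.third_party, parser.hidden_iframes
```

A hidden third-party iframe is a reason to look closer, not a verdict: ad and tracking frames use the same markup as malicious ones, so the result still needs a reputation or content check of the target.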
Could you please answer this?: So all that stuff that you posted is benign and it won't affect the iPhone at all? It won't track what I do on the phone? Also if it is bad, will it TRANSFER to my computer if I connect the phone to it? It won't spread by wifi network or anything, right?
Also, if I did have JavaScript enabled, would it have done anything?
Hi TuckerX,
To all instances of your questions, I can say that neither your iPhone nor your computer or browser was in danger. At the moment you are not endangered by this site and the code on it. This is normal site and code behavior as it is seen now all over the Internet. Nothing out of the ordinary. The cookie and third party profile tracking is going on anyway; that is not malicious per se.
What is a bit questionable with this site is that the server software is vulnerable, so the site could be infected/re-infected if an attack of some sort was launched against it.
I would block such a site for the reason that I do not trust a site that is hosted both to make money as a normal site and as some form of parked domain search site to earn on clicks. Again nothing suspicious nor malicious going on there, but you could question the ethical side of it, but that is just i.m.h.o. and others might have quite an opposite position. So as it stands now, even with JavaScript enabled a visit of this site would not give you malware of any sort. The site’s security is questionable. Nothing out of the ordinary, because every few seconds sites are being infested or abused by miscreants' actions. Awareness and vigilance are your best friends here. Do not overreact, because using the Internet should also be fun. The plus for me is that I analyze thoroughly because of your questions. This is beneficial for us, and also for the other users that come to follow this thread here. TuckerX, that is why I appreciate your questions and reactions,
polonus
Also see this [function.simplexml-load-file script code going to: htXp://return.uk.domainnamesales.com/return_js.php?d=qqw.com&s=1356535178 with //alert(‘cookie params wrong’);
polonus
What is that/what does it mean?^ As for what you said, so that means that the site is safe to visit? It wasn't infected at the time I visited? Thanks for all the help, but answer these questions if you can.
I have another question. When I was scanning with urlquery a URL that I was looking at, it said that it had an HTTP transaction to wXw.bunahapewo.com. Is this safe? I scanned it with urlquery and I didn't really understand it.
I get a “The request sent by the client was syntactically incorrect ().” and a “Unable to properly scan your site. Site returning error (40x): HTTP/1.1 400 Bad Request” What you do not understand is the Apache Tomcat/6.0.30 - Error report that is given there…
Misconfigured server: http://urlquery.net/report.php?id=568265 HTTP/1.1 400 Bad Request & HTTP/1.1 404 Bad Request
Server is vulnerable to the lesser-known HTTP Response Splitting attack and other vulnerabilities, like: http://www.cvedetails.com/vulnerability-list/vendor_id-45/opbyp-1/Apache.html
Nothing for the browser visitor to be seen here, but something should be done by the website admin or hoster…
polonus
Ok so this link/URL is safe? (This is the URL that had the transaction to the site): htXp://southjersey.craigslist.org/ctd/3503695175.html
And there is no malware or anything on the bunahapewo site currently? Just that there is a vulnerability on that site?
I was looking at the link that a friend sent me, and on that URL it had random lettering when I visited.
This URL htxp://www.craigslist.org/js/html5shiv.js?v≈ ed7af45dcbda983c8455631037ebcdda resolves to an invalid IP address.
Whatever was there, is not there anymore…or was here originally: htxp://www.google.com/url?q=http://denver.craigslist.org/grp/3472520077.html&sa=U&ei=Zt3iUJyNKOb54QSt8oCoDg&ved=0CBQQFjAA&usg=AFQjCNFWv7kgv2zG20hJYxOLO3iwFA093g
We Buy Homes Now! ÒÒÒ| ÓÓÓ| ÔÔÔ| ÕÕÕ| ÖÖÖ| ×××| ØØØ| ÙÙÙ| ÚÚÚ| ÛÛÛ| ÜÜÜ| ÝÝÝ 乙襹 佑觸 栽詜 照諀 种謡 鬃讄 刎貄 儋質 谮趞 圹踻 苘軀 葺 [ad for buying Nightmare Houses for cleansing via a specific Tao method]
wXw.craigslist.org/js/html5shiv.js is an iFrame fix for a HTML5 element to force IE to a specific CSS styling... benign code dating from 2008. See: http://urlquery.net/queued.php?id=7497316
polonus
Ok so to conclude, is the site that I visited safe from any malware/anything bad, currently? It just has vulnerabilities?
And what does all this mean? Also could you answer the question above?^ (You say you like to answer my questions, so these should be easy/good to answer.) Thanks! Edit: I should have just edited my earlier post. Sorry for double posting again.
Conclusion - nothing could have infected you, as far as I could establish,
polonus