urlquery dot net infected with blacole or just nameserver problems?

See: https://www.virustotal.com/en/ip-address/91.213.203.142/information/
Site DNS nameservers do not resolve at the moment.
Looking up urlquery dot net won't resolve, seems down, but the IP is not resolving.
I get this in WebBug: 11004 [11004] Valid name, no data record (check DNS setup)
For http://91.213.203.142/index.php I get

HTTP/1.1 200 OK
Date: Sat, 19 Oct 2013 21:08:50 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.1
Set-Cookie: PHPSESSID=fk5uqtinff0714jvut0i5ppp10; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Probably server problems there: http://jsunpack.jeek.org/?report=f5584723bc86f20409b255466aa0f224d194ffe1
404 Not Found

Not Found

The requested URL /javascript/undefined was not found on this server.

Apache/2.2.22 (Ubuntu) Server at 91.213.203.142 Port 80

Or was this the likely scenario? http://blog.spiderlabs.com/2013/08/setting-honeytraps-with-modsecurity-adding-fake-robotstxt-disallow-entries.html (link article author = Trustwave's Rishi Narang)

polonus

Server is still having problems, also see this VT report: https://www.virustotal.com/en/ip-address/91.213.203.142/information/ but these are probably FP's: the only detections are from SecureBrain and ParetoLogic, and the latter is a questionable scanner as far as I am aware. But here are reports for an infection with html-Framer, and I do not know if these have been cleansed: http://www.scumware.org/report/urlquery.net and the day before that there was HTML/TwitScroll.B detected. Unknown html reported yesterday: http://lists.clean-mx.com/pipermail/viruswatch/20130219/044840.html
Up(nil): unknown_html RIPE NO 91.213.203.142 to 91.213.203.142 91.213.203.142 htxp://91.213.203.142/
And Comodo’s flag: https://www.virustotal.com/en/url/085d11db1bf623d0f515fb7eae34c46cc44c46a7d368768c5fa3a6af7f983e41/analysis/
but now again given clean: http://app.webinspector.com/public/reports/17953886
Furthermore consider this info: http://myip.ms/info/search/1/stxt/urlquery.net/k/2750788673/urlquery_net.html

polonus

urlquery.net is actually not reachable.

URLQuery is down: http://www.downforeveryoneorjustme.com/urlquery.net

It's also detected by ParetoLogic and Quttera: https://www.virustotal.com/de/url/085d11db1bf623d0f515fb7eae34c46cc44c46a7d368768c5fa3a6af7f983e41/analysis/

Active Malware detected by AVG: http://www.avgthreatlabs.com/website-safety-reports/domain/urlquery.net/
There's a linked website which is also infected: http://www.avgthreatlabs.com/website-safety-reports/domain/meshelle.net/

Hi scanning folks,

The scan site is still offline and only available via: htxp://91.213.203.142/
but cannot be used as the avast! Web Shield alerts on [quote]/…report.php?id=7014494|(gzip)[/quote] as infested with HTML:Iframe-ZZ[Trj].
What apparently happened there?
Someone tried to log on with superuser rights and exploited /usr/bin/lft: Option ‘-T’ is not implemented in this wrapper
/usr/bin/lft: Option ‘-E’ is not implemented in this wrapper.
This to obtain DEBUG output created by Wget 1.12 on linux-gnu there.

Just because of the excessive response info from that server for:
System Details:
Running on: Apache/2.2.22
System info: (Ubuntu)
Powered by: PHP/5.4.6-1ubuntu1.1
Furthermore…

It was discovered that PHP did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.
References CVE-2013-4248

The website status now:

The Quttera scanner flags

/report.php?id=5918947
Severity: Suspicious
Reason: Detected encoded JavaScript code commonly used to hide suspicious behaviour.
Details: Malicious obfuscated JavaScript threat (failure: nonnumeric por)
Offset: 19350
Threat dump: see: http://jsunpack.jeek.org/?report=888941bf0e286929cd84b071151c2073a4b03c6c (view thesejsunpack results)
File size[byte]: 147666
File type: ASCII
MD5: CC073E10DD540A66A3A61EC487C81937
Scan duration[sec]: 0.487000 my remark in italics, pol

While reported as dead here: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=91.213.203.%

[i]On quite another line:

I grossly miss the urlquery dot net scanner,
because it presents IDS alert results from Suricata and EmergingThreats,
and in this respect is rather unique, and these IDS results are/were very helpful.

Is there another online scanner that comes up with such similar IDS threat alerts when uri scanning?[/i]

Damian
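The "excessive response info" polonus points at above (Server and X-Powered-By versions, a bare PHPSESSID cookie) is the sort of thing a defender checks for first when reviewing a server like this one. Below is an added example, not code from this thread or from urlquery.net, that parses the raw response headers quoted earlier in the thread and lists those findings; the sample input is that response, reconstructed with one header per line.

```python
"""Review raw HTTP response headers for version disclosure and weak cookie flags.
Added example for this thread; the sample response is the one quoted above."""
import re
from typing import Dict, List

# Sample input: the response observed for 91.213.203.142 in this thread,
# put back on separate lines.
SAMPLE = """HTTP/1.1 200 OK
Date: Sat, 19 Oct 2013 21:08:50 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.1
Set-Cookie: PHPSESSID=fk5uqtinff0714jvut0i5ppp10; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
"""

VERSION_RE = re.compile(r"\d+\.\d+")          # matches "2.2.22", "5.4.6", ...
COOKIE_FLAGS = {"httponly": "HttpOnly", "secure": "Secure"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> list of values (repeated headers kept)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:   # [0] is the status line
        if ":" not in line:
            continue                             # tolerate junk lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def review(raw: str) -> List[str]:
    """Return human-readable findings, in header order, for one response."""
    h = parse_headers(raw)
    findings: List[str] = []
    for name in ("server", "x-powered-by"):      # software/version disclosure
        for value in h.get(name, []):
            if VERSION_RE.search(value):
                findings.append(f"{name}: discloses software version ({value})")
    for cookie in h.get("set-cookie", []):       # session cookie hardening
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        for key, label in COOKIE_FLAGS.items():
            if key not in attrs:
                findings.append(f"set-cookie: {cookie_name} lacks {label}")
    return findings


if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```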

Back up again and running :)

pol

Finally. :)