User monitoring on site. Is this benign?

See: http://urlquery.net/report.php?id=144767
Flagged unknown_html malcode
Found in javascript: var NREUMQ=NREUMQ||[];NREUMQ.push
See description: https://newrelic.com/docs/features/how-does-real-user-monitoring-work (link source info New Relic)
Time for scanning it here: http://www.cookiechecker.nl/check-cookies.php?url=http://blogher.org/&cache=false
40 third party requests and 14 third party cookies

Name Target Source Key Value Domain Valid until

1 NetRatings SiteCensus Analytics htxp://secure-us.imrworldwi… V5 AStfNy0RfTg6Wig1CSojIy… .imrworldwide.com 24-08-2014
2 NetRatings SiteCensus Analytics htxp://secure-us.imrworldwi… IMRID UDe5WX8AAAEAAERXLHg .imrworldwide.com 24-08-2014
3 Quantcast Ad hxtp://pixel.quantserve.com… mc 5037b959-8cb8a-8d12f-f… .quantserve.com 23-02-2014
4 - ? htxp://widgets.blogher.com/… __utma 5111221.1167917883.134… widgets.blogher.com 24-08-2014
5 - ? htxp://widgets.blogher.com/… __utmb 5111221.22.5.134582895… widgets.blogher.com 24-08-2012
6 - ? htxp://widgets.blogher.com/… __utmc 5111221 widgets.blogher.com
7 - ? htxp://widgets.blogher.com/… __utmz 5111221.1345828944.1.1… widgets.blogher.com 23-02-2013
8 VoiceFive Tracker htxp://ar.voicefive.com/bmx… BMX_3PC 1 .voicefive.com
9 Lotame Ad htxp://bcp.crwdcntrl.net/5/… dc 1 .crwdcntrl.net
10 - ? htxp://oascentral.blogher.o… OAX Nve5pFA3uWYAC5Zk .blogher.org 24-08-2014
11 - ? htxp://oascentral.blogher.o… NSC_d15efm_f_qppm_iuuq ffffffff09419e4745525d… oascentral.blogher.org
12 Lotame Ad htxp://bcp.crwdcntrl.net/5/… aud "ABR4nGNgYGAIMN%2BZzsD… .crwdcntrl.net 21-05-2013
13 Lotame Ad htxp://bcp.crwdcntrl.net/5/… OAID af028ceb842f4f5ea4026f… .crwdcntrl.net 21-05-2013
14 Lotame Ad htxp://bcp.crwdcntrl.net/5/… cc "ACN4nF2UT0iTcRjHf6%2B… .crwdcntrl.net 21-05-2013

See: http://www.mywot.com/en/scorecard/lotame.com?utm_source=addon&utm_content=popup-donuts

polonus
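The cookie list above is sorted by who set the cookie. As an added example (not from the thread or from cookiechecker.nl), this classifies cookies as first- or third-party relative to the page host from their Domain attribute, using a simple label-boundary suffix rule rather than the Public Suffix List; the sample rows are constructed to mirror the table, and note that widgets.blogher.com counts as third-party to a page on blogher.org because the TLD differs.

```python
# Added example: classify the cookies a page sets as first- or third-party
# relative to the page host, using only the cookie's Domain attribute.
# Simplified dot-boundary suffix rule (no Public Suffix List).
from collections import Counter

def normalize_domain(domain: str) -> str:
    """Cookie Domain attributes may carry a leading dot; strip it and lowercase."""
    return domain.lower().lstrip(".")

def is_first_party(page_host: str, cookie_domain: str) -> bool:
    """True when the cookie domain equals the page host or is a parent/child of it.

    Comparison is on label boundaries so 'blogher.org' does not match 'notblogher.org'.
    """
    page = normalize_domain(page_host)
    cookie = normalize_domain(cookie_domain)
    return page == cookie or page.endswith("." + cookie) or cookie.endswith("." + page)

def classify_cookies(page_host, cookies):
    """Return {'first': [...], 'third': [...]} lists of (name, domain) tuples."""
    result = {"first": [], "third": []}
    for name, domain in cookies:
        key = "first" if is_first_party(page_host, domain) else "third"
        result[key].append((name, domain))
    return result

def third_party_hosts(page_host, cookies):
    """Count third-party cookies per normalized cookie domain."""
    third = classify_cookies(page_host, cookies)["third"]
    return Counter(normalize_domain(d) for _, d in third)

# Constructed sample rows (name, Domain) modelled on a cookie-checker report.
SAMPLE_COOKIES = [
    ("V5", ".imrworldwide.com"),
    ("IMRID", ".imrworldwide.com"),
    ("mc", ".quantserve.com"),
    ("__utma", "widgets.blogher.com"),
    ("__utmz", "widgets.blogher.com"),
    ("BMX_3PC", ".voicefive.com"),
    ("dc", ".crwdcntrl.net"),
    ("OAX", ".blogher.org"),
    ("NSC_d15efm_f_qppm_iuuq", "oascentral.blogher.org"),
    ("aud", ".crwdcntrl.net"),
]

if __name__ == "__main__":
    c = classify_cookies("blogher.org", SAMPLE_COOKIES)
    print(len(c["first"]), "first-party,", len(c["third"]), "third-party")
    print(third_party_hosts("blogher.org", SAMPLE_COOKIES))
```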

It is also good that we can see Third Party Requests actually without having to visit the website…
And we get

Name Target URL

1 Google Analytics Analytics htxp://www.google-analytics.com/ga.js
2 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
3 Google +1 Widget hxtps://apis.google.com/js/plusone.js
4 - ? hxtps://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
5 - ? htxps://apis.google.com//apps-static//js/gapi/plusone/r…
6 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
7 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
8 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
9 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
10 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
11 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
12 - ? htxps://plusone.google.com//+1/fastbutton?bsv=pr&url=htt…
13 - ? htxps://plusone.google.com//apps-static//js/gapi/google…
14 - ? htxps://plusone.google.com//apps-static//js/plusone/p1b…
15 Google +1 Widget hxtps://apis.google.com/js/plusone.js
16 Google Analytics Analytics hxtp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
17 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
18 Google Analytics Analytics hxtp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
19 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
20 - ? htxps://plusone.google.com//+1/fastbutton?bsv=pr&url=htt…
21 Google +1 Widget htxps://apis.google.com/js/plusone.js
22 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
23 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
24 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
25 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
26 - ? htxps://plusone.google.com//+1/fastbutton?bsv=pr&url=htt…
27 Google +1 Widget htxps://apis.google.com/js/plusone.js
28 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
29 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
30 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
31 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
32 - ? htxps://plusone.google.com//+1/fastbutton?bsv=pr&url=htt…
33 Google +1 Widget htxps://apis.google.com/js/plusone.js
34 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
35 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
36 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
37 Google Analytics Analytics htxp://www.google-analytics.com/__utm.gif?utmwv=5.3.5&utm…
38 - ? htxps://plusone.google.com/_/+1/fastbutton?bsv=pr&url=htt…
39 Legolas Media Tracker htxp://rt.legolas-media.com/lgrt?ci=2&ti=22100&pbi=10963
Bad web rep: http://www.mywot.com/en/scorecard/rt.legolas-media.com?utm_source=addon&utm_content=popup-donuts
40 - ? htxp://static.ak.fbcdn.net/connect.php/js/FB.Share
Phishing site: http://community.norton.com/t5/Norton-Internet-Security-Norton/http-static-ak-fbcdn-net-phishing-site-causes-note-pad-pop-ups/td-p/392976
41 Dynamic Logic Tracker htxp://content.dl-rms.com/rms/mother/16146/nodetag.js
Bad web rep: http://www.mywot.com/en/scorecard/content.dl-rms.com?utm_source=addon&utm_content=warn-viewsc
42 Dynamic Logic Tracker htxp://content.dl-rms.com/rms/21993/nodetag.js
43 Peer39 Tracker htxp://stags.peer39.net/1321/trg_1321.js
Not safe: http://checkwebsitesafe.com/site/stags.peer39.net
44 - ? htxp://catrg.peer39.net/31/481/9614905311321?aid=01321&si…
45 New Relic Analytics htxps://d1ros97qkrwjf5.cloudfront.net/41/eum/rum.js
46 ChartBeat Analytics htxp://static.chartbeat.com/js/chartbeat.js
see: http://www.mywot.com/en/scorecard/static.chartbeat.com?utm_source=addon&utm_content=warn-viewsc
47 Dynamic Logic Tracker htxp://content.dl-rms.com/dt/s/21627/s.js
48 Dynamic Logic Tracker htxp://content.dl-rms.com/dt/s/21993/s.js

polonus

Hi forum friends,

This is completely different from what I get here: http://www.webutation.net/go/review/blogher.com?req=chrome
and here on BrightCloud:
Category Reputation Index Status
News and Media
Society
Personal sites and Blogs
Request a new URL category
green 96
Request URL Reputation change
Infections (past 12 months) No
Popularity High
Age 52 months (Established)

How did they hide all that dubious 3rd party tracking from being found? Like Legolas and Peer39
(blocked by the OpenDNS block tool)?
Are there things going on in the background that Abine, Disconnect etc. miss?

polonus

Here we again have a site with unknown html issues, but there are no cookies and no third party requests found.
There are no iFrames detected either, but later on in the website analysis we stumble upon Sp00nscape redirecting malware…

No zeroiframes detected!
Check took 2.23 seconds

(Level: 0) Url checked:
htxp://www.bkab.nu/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.bkab.nu/wp-includes/js/comment-reply.js?ver=3.4.1
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.bkab.nu/wp-includes/js/jquery/jquery.js?ver=1.7.2
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.bkab.nu/wp-content/themes/arclite.1.5/arclite/js/arclite.js?ver=3.4.1
Zeroiframes detected on this site: 0
No ad codes identified
McAfee SiteAdvisor flags it: http://www.siteadvisor.com/sites/bkab.nu

There is a redirection to htxp://compressorvolution.pro/Description?8
Here I get a 404 Not Found and IP 5.153.238.12
This is similar malware to http://labs.sucuri.net/?details=rangedunderstanding.pro same IP
and redirecting malware (so-called sp00nscape - pass= sp00n ip= 5.153.238.12)

Site should be blocked and has now been reported to virus AT avast dot com…

polonus

Hi Polonus,

I get:


Header returned by request for: http://www.bkab.nu/

HTTP/1.1 301 Moved Permanently 
Date: Fri, 24 Aug 2012 22:04:35 GMT 
Server: Apache/2.2.8 (Linux/SUSE) 
Location: http://compressorvolution.pro/Description?8 
Content-Length: 331 
Content-Type: text/html; charset=iso-8859-1 

The location line in the header above has redirected the request to: http://compressorvolution.pro/Description?8



HTTP/1.1 302 Found 
Server: nginx 
Date: Fri, 24 Aug 2012 23:55:28 GMT 
Content-Type: text/html 
Connection: keep-alive 
Set-Cookie: bzurh8=_0_; domain=compressorvolution.pro; path=/; expires=Sat, 25-Aug-2012 23:55:28 GMT 
Location: http://www.google.com/ 
Vary: Accept-Encoding,User-Agent 
Content-Encoding: gzip 
Content-Length: 155 

The location line in the header above has redirected the request to: http://www.google.com/



HTTP/1.1 200 OK 
Date: Fri, 24 Aug 2012 22:04:35 GMT 
Expires: -1 
Cache-Control: private, max-age=0 
Content-Type: text/html; charset=UTF-8 
Set-Cookie: foo=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com 
Set-Cookie: foo=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.www.google.com 
Set-Cookie: foo=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=google.com 
Set-Cookie: foo=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.google.com 
Set-Cookie: PREF=ID=bfa71c50d5c07f20:FF=0:TM=1345845875:LM=1345845875:S=glks5CVfAs7JMzho; expires=Sun, 24-Aug-2014 22:04:35 GMT; path=/; domain=.google.com 
Set-Cookie: NID=63=gZxRFnZv7lZXXm2uRowHHSO_pW2az8kvVr832xMz7sUXpJDarV5OHc1filowMpKlwYHm_MGs8xNGjg99UEksNx4yyM3KwxmR-TyxnZ5e8YFAhxHYBpOWtbKXfkvmZVt4; expires=Sat, 23-Feb-2013 22:04:35 GMT; path=/; domain=.google.com; HttpOnly 
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info." 
Content-Encoding: gzip 
Server: gws 
Content-Length: 29654 
X-XSS-Protection: 1; mode=block 
X-Frame-Options: SAMEORIGIN 

But I get a different return with Quttera and urlQuery:
http://www.quttera.com/detailed_report/www.bkab.nu
http://urlquery.net/report.php?id=145059

So we can suspect it has to do with the htaccess,
~!Donovan
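The header dump above shows a 301 off the original host, a 302 onward, then a 200. As an added example (not from the thread or from any of the tools mentioned), this reconstructs the redirect chain from raw response headers and flags each hop that leaves the original registrable domain; the sample responses are constructed with placeholder hosts, and the domain comparison is a simplified last-two-labels rule.

```python
# Added example: rebuild a redirect chain from raw HTTP response headers
# (as a header-dumping tool prints them) and flag cross-domain hops.
# Sample headers below are constructed with placeholder hosts.
from urllib.parse import urlparse

def parse_header_block(block: str) -> dict:
    """Parse one raw response into {'status': int, 'headers': {lower-name: value}}."""
    lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}

def registrable(host: str) -> str:
    """Last two labels of a host (simplified; no Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])

def redirect_chain(start_url: str, raw_responses: str) -> list:
    """Walk the responses in order and record each hop.

    Each hop is (status, from_host, to_host, crosses_domain). Stops at the
    first non-3xx response or a 3xx without a Location header.
    """
    current = start_url
    hops = []
    for block in raw_responses.strip().split("\n\n"):
        resp = parse_header_block(block)
        location = resp["headers"].get("location")
        if not (300 <= resp["status"] < 400 and location):
            break
        from_host = urlparse(current).hostname
        to_host = urlparse(location).hostname
        hops.append((resp["status"], from_host, to_host,
                     registrable(from_host) != registrable(to_host)))
        current = location
    return hops

# Constructed sample: 301 off the original site, 302 onward, then a 200.
SAMPLE_RESPONSES = """\
HTTP/1.1 301 Moved Permanently
Server: Apache/2.2.8 (Linux/SUSE)
Location: http://example-redirect.test/Description?8
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Server: nginx
Set-Cookie: marker=_0_; domain=example-redirect.test; path=/
Location: http://www.example.org/

HTTP/1.1 200 OK
Server: gws
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for hop in redirect_chain("http://www.example-blog.test/", SAMPLE_RESPONSES):
        print(hop)
```

A chain whose first hop is a 301 to a domain unrelated to the site, followed by a bounce to a well-known destination, is the pattern worth alerting on; a real checker would also vary User-Agent and Referer, since the thread shows the responses differing between tools.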

Using the post request:


POST /Description?8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: compressorvolution.pro
Accept: */*
Connection: close
Accept-Charset: ISO-8859-1,UTF-8;q=0.7,*;q=0.7
Accept-Language: en-gb,en;q=0.5
Cache-Control: no-cache
Referer: http://www.google.com/url?sa=t&source=web&q=string&cd=6&sqi=2&rct=j

HTTP/1.1 411 Length Required
Server: nginx
Date: Sat, 25 Aug 2012 00:04:44 GMT
Content-Type: text/html
Content-Length: 534
Connection: close

An explanation of the 411 Error: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.12

~!Donovan

Hi !Donovan,

Well that has been asserted then, “sp00nscape” has been detected!
But what is there with this SETINNER HTML, I mean what is that supposed to do?

That is some test script and comes with jquery bug-code. Not again malvertising through jquery, uh? You already alerted us to various incidents of jquery malcode injection here. So the site is at least fraudulent, it is all about scoring (il)legit clicks, I guess,

polonus

Hi !Donovan,

The location header of the site is now redirecting again to yet another generated domain, here it is: htxp://braviaguaranteeing.pro/Description?8
nothing detected] braviaguaranteeing dot pro/Description?8
status: (referer=htxp:/twitter.com/trends/)saved 4915 bytes 7f6bec094f3258b15fe2b17e433b65c7aa7e968f
info: [img] braviaguaranteeing dot pro/intl/ALL/images/srpr/logo1w.png
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3: <meta content="Search the world’s information, including webpages, images, videos and more. Google has
error: line:3: …^
What is generating these domains, a look up on google fails, because on the website the location line in the header above has redirected the request to: htxp://www.google.com

polonus

Hi !Donovan,

The IP resolves to ip= 5.153.238.12. posing as a server, 5.153.238.12. domain is not supported
Not registered for AS57858 FiberGrid Fiber Grid OU
AS Name: FIBERGRID Fiber Grid OU
IPs allocated: 26624
Blacklisted URLs: 0

Hosts…
…malicious URLs? No
…badware? No
…botnet C&C servers? No
…exploit servers? No
…Zeus botnet servers? No
…Current Events? Yes
…phishing servers? No
It is invalid input used for malware, and normally not allowed…
Notice: geoip_record_by_name(): Host 5.153.238.12 not found in _ip_load_main() (line 235 of /home/alex/data/www/ipadresa.net/html/sites/all/modules/custom/ip_node/ip_node.module),

polonus

I see it resolve to a VPN network in Estonia ?

And also same VPN network but Sweden ?

Hi DavidR,

There is something fishy with htxp://www.bkab.nu/
Opening with file viewer I get: Location: htxp://serviceavisualizations.pro/hydrodance?8 (all I got ended in pro/hydrodance?8)
and then Moved Permanently and then: The document has moved “htxp://serviceavisualizations.pro/hydrodance?8”
HEAD /hydrodance?8 HTTP/1.0
Accept: */*
User-Agent: WebBug/5.0
Received data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 25 Aug 2012 15:05:55 GMT
Content-Type: text/html
Connection: close
Last-Modified: Wed, 14 Sep 2011 20:07:29 GMT
Accept-Ranges: bytes
Content-Length: 465
Vary: Accept-Encoding,User-Agent
Host serviceavisualizations.pro
IP 5.153.238.13 (yesterday another domain name from 5.153.238.12)

Site should be blocked, reported to virus AT avast dot com

polonus