bam.nr-data.net

[Lotan]

while browsing tumblr i noticed that this site was listen in privacy badger so i searched it up with not alot of info so i decided to clock it, but privacy badger wont block it so i inspected the page i was on and it was a jscript so i ran it through virustotal https://virustotal.com/en/url/ab226619c4267420eb5befa2defcbab12cef610eedf007bb52805b295e5405d9/analysis/1471208396/

the downloaded file is a GIF thats 1x1 and has a negative vote. Im wondering if this is safe.

[Lotan]

ok just did alot more digging and bam.nr-data.net is owned by New Relic which is an American software analytics company so maybe tumblr has recently started using it and i may have over reacted on my part with it been new and privacy badger not blocking it.

[Pondus]

the downloaded file is a GIF thats 1x1 and has a negative vote. Im wondering if this is safe.

In your VT link click on > Go to downloaded file analysis > then click on > Analysis date:   2016-08-04 09:26:53 UTC ( 1 week, 3 days ago ) View latest

[Lotan]

so its harmless then?

[Pondus]

so its harmless then?

According to all engines at VT yes

First submission 2015-10-29 06:36:20 UTC ( 9 months, 2 weeks ago )

So i would conclude with safe

[Lotan]

so ive been seeing this newrelic.com thing show up on a couple of other sites too thankfully i got it blocked by privacy badger
https://virustotal.com/en/url/61d37b982fcfc3a894dc42ba3f2c3b21fe7e1a6f86812f6b5b29bea704a9d462/analysis/1471468831/
this is the latest one ive run into.
its not something on my pc as its also on my laptop which i rarely use

[polonus]

Update The links to this are still very active to-day, I detected it in the source code of surveymonkey...

https://urlscan.io/result/bfcca1fe-0e11-407d-a3b6-e9d231ae0fcf/dom/

Where I came accross this to better be blocked link:

Blocked for me by uMatrix: -https://bam.nr-data.net/1/750e9545e9?a=56423819&v=1039.bef6007&to=blABZhZZVkdUBhdbXVcaJUcKW0xdWgtMQktLVA5bABZKW0ARBkAIa1oWRgFKFmtqBgJeXmZq&rst=4312&ref=https://de.surveymonkey.com/&qt=2&ap=30&be=2758&fe=4270&dc=2929&af=err,xhr,stn,ins&perf=%7B%22timing%22:%7B%22of%22:1498237922978,%22n%22:0,%22f%22:1781,%22dn%22:1781,%22dne%22:1782,%22c%22:1782,%22s%22:1945,%22ce%22:2278,%22rq%22:2278,%22rp%22:2751,%22rpe%22:2752,%22dl%22:2752,%22di%22:2928,%22ds%22:2929,%22de%22:2957,%22dc%22:4270,%22l%22:4270,%22le%22:4276%7D,%22navigation%22:%7B%7D%7D&jsonp=NREUM.setToken

Good to have it blocked as "new relic" malcode, it is indirectly connected to cybercriminals.

Additional vulnerabilities: https://zonemaster.se/test/94725fa4fdaf1ebd  -> http://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fde.surveymonkey.com%2F
Excessive nameserver version proliferation for this exploitable particular BIND 9 version, read:
https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html 
(open since 2011 - Final matrix update 2011-09-09)

polonus (volunteer website security analyst and website error-hunter)