When web sites go bad: bible . org compromise
Last Updated: 2013-02-22 16:17:28 UTC
by Johannes Ullrich (Version: 1)
NOTE: The site is STILL compromised right now. DO NOT VISIT.
This is more of an "awareness" item to show to coworkers and relatives that you can't be careful enough. "bible . org" is a site that, as the name implies, offers access to the bible and related commentary as well as translations. Sadly, earlier this week the site apparently got compromised. The owner was notified, but so far hasn't had the means or skills to clean the site.
The exploit inserts an iframe with a changing URL following the pattern http://[random string].ddns.name/b6noxa1/counter.php?fid=2 (the domains I saw have been reported to changeip.com).
The wepawet analysis shows that at least one Adobe PDF vulnerability is being exploited, luckily an older one (CVE-2010-0188), but there is an additional PDF that wepawet didn't analyse. It can be tricky to retrieve all components of these exploit kits from a non-vulnerable or simulated browser.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
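A way to check saved page source for the iframe pattern given in the diary, as an added example that is not part of the original diary. The function names, the "exact"/"partial" labels and the sample HTML (including its host labels) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Pattern from the diary:
#   http://[random string].ddns.name/b6noxa1/counter.php?fid=2
KIT_SUFFIX = ".ddns.name"
KIT_PATH = "/b6noxa1/counter.php"

class IframeCollector(HTMLParser):
    """Collects the src attribute of every iframe (tag names are case-folded)."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def classify(src):
    """'exact' = host suffix, path and fid all match; 'partial' = host or path only."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower().rstrip(".")
    on_suffix = host.endswith(KIT_SUFFIX)        # requires a label before ddns.name
    on_path = parts.path.lower() == KIT_PATH
    has_fid = "fid" in parse_qs(parts.query)
    if on_suffix and on_path and has_fid:
        return "exact"
    if on_suffix or on_path:
        return "partial"                          # worth a manual look
    return None

def scan_html(html):
    """Return (verdict, src) for each iframe that matches fully or partially."""
    collector = IframeCollector()
    collector.feed(html)
    return [(v, s) for s in collector.sources if (v := classify(s))]

# Constructed sample page source; not taken from the compromised site.
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.example.org/embed/video" width="560"></iframe>
<IFRAME SRC="http://constructed-label.ddns.name/b6noxa1/counter.php?fid=2" width=1 height=1></IFRAME>
<iframe src="//other-label.ddns.name/landing/index.php"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for verdict, src in scan_html(SAMPLE_HTML):
        print(verdict, src)
```

A clean result only covers the HTML that was actually served to the client that saved it.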
bible.org all negative results:
HTML source on Pastebin as of 7pm CST 2/23 on IE10 Win7: http://pastebin.com/qEGSpuhU
I see nothing referencing counter, ddns, and only normal JS mentions of .name (not associated with a TLD)
Feb 24th 2013