April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..."
Update on LizaMoon mass-injection
31 Mar 2011 - "The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon .com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down... All the code does is a redirect to a rogue AV site..." (Screenshots and more detail at the Websense URL above.)
Last Updated: 2011-04-01 21:49:17 UTC - "... There doesn't seem to be anything particularly new about the infection mechanism (aside of the scope of its success) and the injection itself only inserts a random snippet of HTML to redirect victims to a rogue AV site that tells the user they are infected. One of the domains implicated in this attack was registered in October and showed up on the radar in December, so it appears the preparation of this attack has taken some time... Infected sites tend to use the same URL structure including a file "ur.php". It appears this is only affecting sites using Microsoft SQL Server 2003/2005. Defense against your sites getting infected is the standard things we ought to be doing anyway in regards to SQL injection (i.e. filter input for control characters, whitelist if possible, blacklist if not). Webserver administrators should also be checking for sudden appearance of files in their httpdocs directory..."
- http://isc.sans.edu/...g=sql injection
"... The count only looks at unique URLs, not infected hosts, a more meaningful metric. Even so the assault still counts as among the most widespread mass-injection attacks on record
March 31, 2011 - "... monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV... We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others..."
March 31, 2011 - "... the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis... Upon successful redirection, the campaign attempts to load the scareware domains..." (More detail at the ddanchev.blogspot URL above.)
File name: freesystemscan.exe
Submission date: 2011-03-31 15:49:42 (UTC)
Current status: finished
Result: 9/41 (22.0%)
(There is a more up-to-date report...)
File name: a.exe
Submission date: 2011-04-02
Result: 24/42 (57.1%)
Lizamoon SQL Injection: 7 Months Old and Counting
April 1, 2011 - "...part of a continuous SQLi attack that spans the past seven months... 40+ malware domains... have been used in the ongoing injection attacks..."
April 1, 2011
Edited by AplusWebMaster, 04 April 2011 - 09:41 AM.
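As an added example (not part of AplusWebMaster's post or of any of the sources it quotes), the following Python implements the "is my site infected" check the thread keeps coming back to: it scans an HTML page, or the text columns pulled from a suspect SQL Server table, for script tags whose src points off-site, and gives special weight to the URL structure the ISC note describes (a file named "ur.php"). The trusted host list, the sample page and the sample rows are constructed placeholders, not data from the campaign.

```python
import re
from urllib.parse import urlparse

# The injected snippet in this campaign was a <script src="http://<host>/ur.php">
# tag appended to text columns, so it rendered into every page that displayed them.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
CAMPAIGN_FILENAME = "ur.php"  # file name quoted from the ISC write-up above


def find_suspicious_scripts(text, trusted_hosts):
    """Scan a string (an HTML page or one DB column value) for script tags.

    Returns a list of (src, reason) tuples. Relative srcs (no host) are treated
    as same-site and ignored; anything on an untrusted host is reported, and a
    path ending in ur.php is reported regardless of host.
    """
    findings = []
    trusted = {h.lower() for h in trusted_hosts}
    for src in SCRIPT_SRC_RE.findall(text):
        parsed = urlparse(src, scheme="http")   # handles http://, https:// and //host/ forms
        host = parsed.hostname                   # None for relative references like /js/menu.js
        if host is None:
            continue
        host = host.lower()
        basename = parsed.path.rsplit("/", 1)[-1].lower()
        if basename == CAMPAIGN_FILENAME:
            findings.append((src, "matches LizaMoon URL structure (" + CAMPAIGN_FILENAME + ")"))
        elif host not in trusted:
            findings.append((src, "external script from untrusted host " + host))
    return findings


def scan_records(records, trusted_hosts):
    """Apply the scanner to every string value in a list of {column: value} rows,
    as returned by a SELECT over a table suspected of being injected.
    Each hit is tagged with the row id and column so it can be cleaned up."""
    hits = []
    for row in records:
        for column, value in row.items():
            if isinstance(value, str):
                for src, reason in find_suspicious_scripts(value, trusted_hosts):
                    hits.append({"id": row.get("id"), "column": column, "src": src, "reason": reason})
    return hits


# Constructed sample data (placeholder hosts under .invalid, not real domains).
TRUSTED_HOSTS = ["www.example-site.invalid", "cdn.example-site.invalid"]

SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="http://cdn.example-site.invalid/js/site.js"></script>
</head><body>
<p>Welcome to our club page.</p><script src=http://bad-host.invalid/ur.php></script>
<script src="/js/menu.js"></script>
</body></html>"""

SAMPLE_ROWS = [
    {"id": 1, "title": "Opening hours", "body": "Mon-Fri 9-5"},
    {"id": 2, "title": "News",
     "body": "Latest news</title><script src=http://bad-host.invalid/ur.php></script>"},
]

if __name__ == "__main__":
    for src, reason in find_suspicious_scripts(SAMPLE_PAGE, TRUSTED_HOSTS):
        print("page:", src, "->", reason)
    for hit in scan_records(SAMPLE_ROWS, TRUSTED_HOSTS):
        print("db:", hit)
```

Running it reports the off-site ur.php tag once from the page and once from row 2's body column, while the site's own CDN script and the relative /js/menu.js reference pass. Cleaning the rows only removes the symptom; the injection point itself still needs the parameterised queries and input whitelisting the ISC note refers to.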