28,000 URLs whacked...



#1 AplusWebMaster (SWI Friend, 9,212 posts)

Posted 29 March 2011 - 06:26 PM

FYI...

SQL mass injection hits over 28,000 URLs including iTunes
- http://community.web...ing-itunes.aspx
29 Mar 2011 - "Websense... has identified a new malicious mass-injection campaign that we call LizaMoon... The LizaMoon mass-injection is a SQL injection attack...
< script src=hxxp ://lizamoon .com/ur.php></script >
According to a Google Search, over 28,000 URLs have been compromised. This includes several iTunes URLs... The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple. The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site:
hxxp ://defender-uqko .in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet. The domain lizamoon .com was registered three days ago with clearly fake information... We'll keep monitoring this mass-injection attack and provide updated information as it's available."
(Screenshots and more detail available at the Websense URL above.)
___

urgent block: lizamoon .com and defender-uqko .in
- http://www.malwaredo...rdpress/?p=1728
March 30th, 2011 - "Websense... is reporting a mass sql injection attack of over 28000 sites... We’ll be adding this site (and defender-uqko .in) on tonight’s update, but you shouldn’t wait... add these sites to your blocklists ASAP."

:grrr: :ph34r: :grrr:

Edited by AplusWebMaster, 30 March 2011 - 03:15 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 AplusWebMaster (SWI Friend, 9,212 posts)

Posted 31 March 2011 - 05:20 AM

FYI...

380,000 226,000 28000 URLs whacked...
- http://community.web...ing-itunes.aspx
2011-03-31 01:58
"UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.
UPDATE2: We have been monitoring the attack since it came out and noticed that the number of the compromised URLs is still increasing, 380,000 URLs so far, moreover, more domains started to be involved except for lizamoon .com."

:ph34r: :ph34r:

Edited by AplusWebMaster, 31 March 2011 - 06:37 PM.



#3 AplusWebMaster (SWI Friend, 9,212 posts)

Posted 01 April 2011 - 05:15 AM

FYI...

- http://blog.sucuri.n...hp-updates.html
April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..."
* http://sitecheck.sucuri.net/scanner/
___

Update on LizaMoon mass-injection...
- http://community.web...-injection.aspx
31 Mar 2011 - "The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon .com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down... All the code does is a redirect to a rogue AV site..."
(Screenshots and more detail at the Websense URL above.)

- http://isc.sans.edu/...l?storyid=10642
Last Updated: 2011-04-01 21:49:17 UTC - "... There doesn't seem to be anything particularly new about the infection mechanism (aside of the scope of its success) and the injection itself only inserts a random snippet of HTML to redirect victims to a rogue AV site that tells the user they are infected. One of the domains implicated in this attack was registered in October and showed up on the radar in December, so it appears the preparation of this attack has taken some time... Infected sites tend to use the same URL structure including a file "ur.php". It appears this is only affecting sites using Microsoft SQL Server 2003/2005. Defense against your sites getting infected is the standard things we ought to be doing anyway in regards to SQL injection (i.e. filter input for control characters, whitelist if possible, blacklist if not). Webserver administrators should also be checking for sudden appearance of files in their httpdocs directory..."
- http://isc.sans.edu/...g=sql injection

- http://www.theregist...jection_attack/
"... The count only looks at unique URLs, not infected hosts, a more meaningful metric. Even so the assault still counts as among the most widespread mass-injection attacks on record..."

- http://blog.trendmic...still-on-going/
March 31, 2011 - "... monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV... We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others..."

- http://ddanchev.blog...ion-attack.html
March 31, 2011 - "... the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis... Upon successful redirection, the campaign attempts to load the scareware domains..."
(More detail at the ddanchev.blogspot URL above.)
- http://www.virustota...e95c-1301586582
File name: freesystemscan.exe
Submission date: 2011-03-31 15:49:42 (UTC)
Current status: finished
Result: 9/41 (22.0%)
There is a more up-to-date report...
- http://www.virustota...e95c-1301722562
File name: a.exe
Submission date: 2011-04-02 05:36:02 (UTC)
Result: 24/42 (57.1%)
___

Lizamoon SQL Injection: 7 Months Old and Counting
- http://blog.scansafe...d-counting.html
April 1, 2011 - "...part of a continuous SQLi attack that spans the past seven months... 40+ malware domains... have been used in the ongoing injection attacks..."

- http://nakedsecurity...-sql-injection/
April 1, 2011

:grrr: :ph34r:

Edited by AplusWebMaster, 04 April 2011 - 09:41 AM.

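An added example (not from the thread or from any of the quoted sources) illustrating the checking advice in the ISC and Sucuri quotes above: a scanner that flags script tags whose src points at the two hosts named in the thread or uses the campaign's ".../ur.php" URL structure, and reports HTML-encoded copies (the form the Websense post says iTunes produced) as inert rather than live. The host set and all sample content are constructed for the example.

```python
"""Scan page or feed content for LizaMoon-style injected <script> tags."""
import html
import re

# Hosts quoted in the thread; a real deployment would load its own blocklist.
BLOCKED_HOSTS = {"lizamoon.com", "defender-uqko.in"}

# A live <script src=...> tag, tolerant of missing quotes and odd spacing.
SCRIPT_SRC = re.compile(
    r'''<\s*script[^>]*?\bsrc\s*=\s*["']?\s*(?P<src>[^"'\s>]+)''', re.IGNORECASE)
# The campaign's URL structure: any host, path ending in /ur.php.
UR_PHP = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?/ur\.php$", re.IGNORECASE)

def classify_src(src):
    """Return 'blocked-host', 'ur-php-pattern', or None for a script src URL."""
    m = re.match(r"^https?://([^/:?#]+)", src, re.IGNORECASE)
    host = m.group(1).lower() if m else ""
    if host in BLOCKED_HOSTS:
        return "blocked-host"
    if UR_PHP.match(src):
        return "ur-php-pattern"
    return None

def scan(content):
    """Return (src, verdict, live) for each suspicious script tag found.

    live=True: real markup a browser would execute.
    live=False: the tag exists only in entity-encoded form (&lt;script ...&gt;),
    which renders as text; the indicator is present but the script is inert.
    """
    findings = []
    for m in SCRIPT_SRC.finditer(content):
        verdict = classify_src(m.group("src"))
        if verdict:
            findings.append((m.group("src"), verdict, True))
    decoded = html.unescape(content)
    if decoded != content:  # entities present: look for encoded copies too
        live = {f[0] for f in findings}
        for m in SCRIPT_SRC.finditer(decoded):
            verdict = classify_src(m.group("src"))
            if verdict and m.group("src") not in live:  # report live form once
                findings.append((m.group("src"), verdict, False))
    return findings

# Constructed samples, not captured pages or feeds.
INJECTED_PAGE = '<p>Hi</p><script src=http://lizamoon.com/ur.php></script>'
FEED_ENCODED = ('<item><title>Ep 3&lt;script src=http://lizamoon.com/ur.php&gt;'
                '&lt;/script&gt;</title></item>')
OTHER_HOST = '<script src="http://example.test/ur.php"></script>'
CLEAN = '<script src="https://example.test/js/app.js"></script>'
```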




