
28,000 URLs whacked...




SQL mass injection hits over 28,000 URLs including iTunes

- http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx

29 Mar 2011 - "Websense... has identified a new malicious mass-injection campaign that we call LizaMoon... The LizaMoon mass-injection is a SQL injection attack...

< script src=hxxp ://lizamoon .com/ur.php></script >

According to a Google Search, over 28,000 URLs have been compromised. This includes several iTunes URLs... The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple. The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site:

hxxp ://defender-uqko .in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet. The domain lizamoon .com was registered three days ago with clearly fake information... We'll keep monitoring this mass-injection attack and provide updated information as it's available."

(Screenshots and more detail available at the Websense URL above.)



urgent block: lizamoon .com and defender-uqko .in

- http://www.malwaredomains.com/wordpress/?p=1728

March 30th, 2011 - "Websense... is reporting a mass sql injection attack of over 28000 sites... We’ll be adding this site (and defender-uqko .in) on tonight’s update, but you shouldn’t wait... add these sites to your blocklists ASAP."



Edited by AplusWebMaster




380,000 226,000 28000 URLs whacked...

- http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx

2011-03-31 01:58

"UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.

UPDATE2: We have been monitoring the attack since it came out and noticed that the number of the compromised URLs is still increasing, 380,000 URLs so far, moreover, more domains started to be involved except for lizamoon .com."



Edited by AplusWebMaster




- http://blog.sucuri.net/2011/04/lizamoon-mass-sql-injection-ur-php-updates.html

April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..."

* http://sitecheck.sucuri.net/scanner/



Update on LizaMoon mass-injection...

- http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx

31 Mar 2011 - "The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon .com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down... All the code does is a redirect to a rogue AV site..."

(Screenshots and more detail at the Websense URL above.)


- http://isc.sans.edu/diary.html?storyid=10642

Last Updated: 2011-04-01 21:49:17 UTC - "... There doesn't seem to be anything particularly new about the infection mechanism (aside of the scope of its success) and the injection itself only inserts a random snippet of HTML to redirect victims to a rogue AV site that tells the user they are infected. One of the domains implicated in this attack was registered in October and showed up on the radar in December, so it appears the preparation of this attack has taken some time... Infected sites tend to use the same URL structure including a file "ur.php". It appears this is only affecting sites using Microsoft SQL Server 2003/2005. Defense against your sites getting infected is the standard things we ought to be doing anyway in regards to SQL injection (i.e. filter input for control characters, whitelist if possible, blacklist if not). Webserver administrators should also be checking for sudden appearance of files in their httpdocs directory..."

- http://isc.sans.edu/tag.html?tag=sql%20injection


- http://www.theregister.co.uk/2011/03/31/lizamoon_mass_injection_attack/

"... The count only looks at unique URLs, not infected hosts, a more meaningful metric. Even so the assault still counts as among the most widespread mass-injection attacks on record..."


- http://blog.trendmicro.com/lizamoon-etc-sql-injection-attack-still-on-going/

March 31, 2011 - "... monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV... We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others..."


- http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html

March 31, 2011 - "... the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis... Upon successful redirection, the campaign attempts to load the scareware domains..."

(More detail at the ddanchev.blogspot URL above.)

- http://www.virustotal.com/file-scan/report.html?id=cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c-1301586582

File name: freesystemscan.exe

Submission date: 2011-03-31 15:49:42 (UTC)

Current status: finished

Result: 9/41 (22.0%)

There is a more up-to-date report...

- http://www.virustotal.com/file-scan/report.html?id=cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c-1301722562

File name: a.exe

Submission date: 2011-04-02 05:36:02 (UTC)

Result: 24/42 (57.1%)



Lizamoon SQL Injection: 7 Months Old and Counting

- http://blog.scansafe.com/journal/2011/4/1/lizamoon-sql-injection-7-months-old-and-counting.html

April 1, 2011 - "...part of a continuous SQLi attack that spans the past seven months... 40+ malware domains... have been used in the ongoing injection attacks..."


- http://nakedsecurity.sophos.com/2011/04/01/lizamoon-sql-injection/

April 1, 2011



Edited by AplusWebMaster
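An added example (not code from any of the sources quoted above) showing the defender's side of what the thread describes: scanning stored content, such as the RSS/XML feed text or page bodies the injection landed in, for the campaign's script-tag signature (a script tag whose src ends in ur.php), and demonstrating why HTML-encoding untrusted text on output, which the Websense post observed iTunes doing, leaves the tag inert. The sample rows and their hostnames are constructed placeholders.

```python
import html
import re

# Constructed sample of stored content (e.g. a feed description column)
# carrying the kind of injected tag the thread describes. Hosts are placeholders.
SAMPLE_ROWS = [
    'Episode 12: Spring sky tour</p><script src=http://injected.example/ur.php></script>',
    "Episode 11: Meteor showers",
    'Intro <SCRIPT SRC="HTTP://another.example/path/ur.php"></SCRIPT> text',
]

# A script tag whose src ends in /ur.php, the file name the SANS diary notes is
# common to infected sites. Case-insensitive; quotes around src are optional.
INJECTED_RE = re.compile(
    r'<script\s+src\s*=\s*["\']?(?P<src>[^"\'\s>]*?/ur\.php)["\']?\s*>\s*</script\s*>',
    re.IGNORECASE,
)


def find_injected(text):
    """Return the src URLs of injected script tags found in one text field."""
    return [m.group("src") for m in INJECTED_RE.finditer(text)]


def scan_rows(rows):
    """Map row index -> list of injected URLs, for rows that carry an injection."""
    hits = {}
    for i, row in enumerate(rows):
        found = find_injected(row)
        if found:
            hits[i] = found
    return hits


def render_safely(text):
    """HTML-encode untrusted text before embedding it in a page. The injected tag
    stays visible as literal text but can no longer be parsed as a <script> element."""
    return html.escape(text, quote=True)


def still_executable(rendered):
    """True if a script start tag survives in the rendered output."""
    return re.search(r"<script", rendered, re.IGNORECASE) is not None
```

Run scan_rows over exported content to locate affected rows; render_safely is the output-side mitigation, not a substitute for fixing the SQL injection itself.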

