FYI...
-
http://blog.sucuri.n...hp-updates.html
April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..."
* http://sitecheck.sucuri.net/scanner/
___
Update on LizaMoon mass-injection...
-
http://community.web...-injection.aspx
31 Mar 2011 - "The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon .com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down... All the code does is a redirect to a rogue AV site..."
(Screenshots and more detail at the Websense URL above.)
-
http://isc.sans.edu/...l?storyid=10642
Last Updated: 2011-04-01 21:49:17 UTC - "... There doesn't seem to be anything particularly new about the infection mechanism (aside of the scope of its success) and the injection itself only inserts a random snippet of HTML to redirect victims to a rogue AV site that tells the user they are infected. One of the domains implicated in this attack was registered in October and showed up on the radar in December, so it appears the preparation of this attack has taken some time... Infected sites tend to use the same URL structure including a file "ur.php". It appears this is only affecting sites using Microsoft SQL Server 2003/2005. Defense against your sites getting infected is the standard things we ought to be doing anyway in regards to SQL injection (i.e. filter input for control characters, whitelist if possible, blacklist if not). Webserver administrators should also be checking for sudden appearance of files in their httpdocs directory..."
-
http://isc.sans.edu/...g=sql injection
-
http://www.theregist...jection_attack/
"... The count only looks at unique URLs, not infected hosts, a more meaningful metric. Even so the assault still counts as among the most widespread mass-injection attacks on record..."
-
http://blog.trendmic...still-on-going/
March 31, 2011 - "... monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV... We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others..."
-
http://ddanchev.blog...ion-attack.html
March 31, 2011 - "... the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis... Upon successful redirection, the campaign attempts to load the scareware domains..."
(More detail at the ddanchev.blogspot URL above.)
-
http://www.virustota...e95c-1301586582
File name: freesystemscan.exe
Submission date: 2011-03-31 15:49:42 (UTC)
Current status: finished
Result: 9/41 (22.0%)
There is a more up-to-date report...
-
http://www.virustota...e95c-1301722562
File name: a.exe
Submission date: 2011-04-02 05:36:02 (UTC)
Result: 24/42 (57.1%)
___
Lizamoon SQL Injection: 7 Months Old and Counting
-
http://blog.scansafe...d-counting.html
April 1, 2011 - "...part of a continuous SQLi attack that spans the past seven months... 40+ malware domains... have been used in the ongoing injection attacks..."
-
http://nakedsecurity...-sql-injection/
April 1, 2011
Edited by AplusWebMaster, 04 April 2011 - 09:41 AM.
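The ISC diary quoted above gives webmasters two concrete things to look for on their own servers: pages carrying an injected script link that points at an outside host and ends in "ur.php", and files that suddenly appear in the web root. The script below is an added Python example, not code from the original post or from any of the sources it quotes; it implements both checks over a constructed sample web root. The host name injected.example.invalid, the file names in the sample, and the list of page extensions it scans are assumptions made for the example; the "/ur.php" path is the one named in the diary.

```python
import os
import re
import tempfile
import time
from html.parser import HTMLParser
from urllib.parse import urlparse

# The diary describes injected <script> links whose URL ends in a file named "ur.php".
INJECTED_PATH_RE = re.compile(r"/ur\.php$", re.IGNORECASE)

# Page types to inspect for injected script links (assumption for this example).
PAGE_EXTENSIONS = (".html", ".htm", ".asp", ".aspx", ".php")


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_injected_script_srcs(html, own_hosts=()):
    """Return script src values that point at another host and end in /ur.php."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    first_party = {h.lower() for h in own_hosts}
    hits = []
    for src in parser.srcs:
        parsed = urlparse(src)
        if not parsed.netloc or parsed.netloc.lower() in first_party:
            continue  # relative or first-party script: not what the diary describes
        if INJECTED_PATH_RE.search(parsed.path):
            hits.append(src)
    return hits


def find_recent_files(root, max_age_seconds=86400):
    """Return files under root created or modified within the last max_age_seconds."""
    since = time.time() - max_age_seconds
    recent = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) >= since:
                recent.append(os.path.relpath(path, root))
    return sorted(recent)


def scan_webroot(root, own_hosts=(), max_age_seconds=86400):
    """Run both checks and return {"injected": {page: [src, ...]}, "recent_files": [...]}."""
    injected = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PAGE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injected_script_srcs(fh.read(), own_hosts)
            if hits:
                injected[os.path.relpath(path, root)] = hits
    return {"injected": injected, "recent_files": find_recent_files(root, max_age_seconds)}


def build_sample_webroot():
    """Constructed sample web root (not real data): one clean page, one injected page, one new file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    long_ago = 1_000_000_000  # 2001: a file that has been on the site all along
    now = time.time()
    files = {
        "index.html": ('<html><head><script src="/js/site.js"></script></head>'
                       "<body>clean page</body></html>", long_ago),
        "news.html": ('<html><head><script src="http://injected.example.invalid/ur.php">'
                      "</script></head><body>page with injected link</body></html>", now),
        "dropped.php": ("<?php /* constructed stand-in for a file that appeared unexpectedly */ ?>", now),
    }
    for name, (content, mtime) in files.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))  # pin the mtime so the recency check is deterministic
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    print(scan_webroot(sample, own_hosts=("www.example.com",), max_age_seconds=3600))
```

Running it on a real site means pointing scan_webroot at the document root with own_hosts set to the site's own host names and max_age_seconds set to the time since the last known-good deployment; a first-party script is ignored, so only outside links ending in /ur.php and files newer than that window are reported.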