Over 1 million websites compromised with massive SQL injection attack
In the first days of December, researchers from the Internet Storm Center discovered a relatively limited SQL injection attack: some 80 websites were affected, redirecting visitors of legitimate websites to malicious ones that showed fake AV and fake Adobe Flash solutions. Now, only a month later, the number of infected pages is over one million, large enough to raise the alarm again.
The attack was named “Lilupophilupop” by the researchers after the domain to which victims are taken. The offending string is typically introduced into several tables, and the sites affected are mostly those running ASP or ColdFusion with an MSSQL backend.
In the first days, the attack seemed completely automated and was growing rapidly, but researcher Mark Hofman says that it now looks to be partially automated and partially manual. “The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period,” he said.
The hackers first probed systems for vulnerable pages and tried to determine which product was being used. This went on for a couple of weeks, from a variety of IP addresses, and once a vulnerable page had been found, the script was inserted.
“If you want to find out if you have a problem just search for:

in Google and use the site: parameter to hone in on your domain,” he advises, and warns that identifying the entry page is crucial for cleaning the site. “If you restore your DB and bring the system back online without identifying the entry point, then it will only be a matter of time before the system is re-compromised. When looking at fixing the problem do not forget that this vulnerability is a coding issue. You may need to make application changes.”
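One way to narrow down the entry page is to review the web server logs from the weeks of probing described above. The following is an added example, not code from the article or from the Internet Storm Center: it groups suspicious requests by page in an IIS W3C log. The log lines are constructed, and the indicator patterns and the name `find_entry_candidates` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (not from a real incident).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2011-11-20 10:01:02 GET /news.asp id=12 192.0.2.10 200
2011-11-20 10:01:09 GET /news.asp id=12%27 198.51.100.7 500
2011-11-21 03:14:55 GET /news.asp id=12+and+1=convert(int,@@version)-- 203.0.113.4 500
2011-11-29 22:40:31 GET /news.asp id=12;declare+@s+varchar(4000)-- 203.0.113.77 200
2011-11-29 22:41:00 GET /about.cfm page=team 192.0.2.10 200
"""

# Heuristic indicators (assumptions; tune for your application's legitimate traffic).
INDICATORS = {
    "quote_probe": re.compile(r"=[^&]*'"),
    "version_probe": re.compile(r"@@version|convert\s*\(\s*int", re.I),
    "stacked_tsql": re.compile(r";\s*(declare|exec|update|insert)\b", re.I),
    "campaign_name": re.compile(r"lilupophilupop", re.I),
}

def find_entry_candidates(log_text):
    """Group suspicious requests by page so the likely entry point stands out."""
    fields, pages = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        query = unquote_plus(rec.get("cs-uri-query", ""))   # undo %27, '+' and so on
        matched = {name for name, rx in INDICATORS.items() if rx.search(query)}
        if not matched:
            continue
        page = pages.setdefault(rec["cs-uri-stem"], {
            "hits": 0, "ips": set(), "indicators": set(),
            "first_seen": f'{rec["date"]} {rec["time"]}',  # log is chronological
        })
        page["hits"] += 1
        page["ips"].add(rec["c-ip"])
        page["indicators"] |= matched
    return pages

if __name__ == "__main__":
    for stem, info in sorted(find_entry_candidates(SAMPLE_LOG).items(),
                             key=lambda kv: -kv[1]["hits"]):
        print(stem, info["hits"], info["first_seen"],
              sorted(info["ips"]), sorted(info["indicators"]))
```

IIS does not log POST bodies by default, so a page that shows no hits here can still be the entry point; the fix for any page that is found remains the application change Hofman describes.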