Security

One Million Web Pages Attacked By Lilupophilupop

Posted by Unknown Lamer
from the lilliputian-record-label-marketing-gone-wrong dept.
hankwang writes "The Internet Storm Center reported that one million web pages have been attacked by the Lilupophilupop SQL injection and contain a malicious Javascript link. Affected sites can be found using a Google search query. See also the technical details of the SQL injection. The attack is directed to sites running ASP or ColdFusion with an MSSQL backend. The payload of the Javascript leads, via redirects and obfuscated Javascript, to a fake download page for Adobe Flash and antivirus software."
  • 1 million pages? (Score:5, Informative)

    by grahamsaa (1287732) on Wednesday January 04, 2012 @12:47PM (#38586056)
    The google query in the post returns "about 288,000" results, many of which come from the same domains. While I agree that this is serious, the claim that 1M pages have been attacked (and who really cares about pages anyway -- the number of sites / domains seems far more important to me) seems exaggerated.
    • Re: (Score:3, Funny)

      by flatcat (464267)
      Unfortunately Firefox with NoScript is preventing me from enjoying this new version of Adobe.
    • by Qzukk (229616)

      The google query in the post returns "about 288,000" results

      Right now, there are 28800 pages defaced by this attack.

      Based on the ISC Diary page with its update dated August, this has been going on for months.

    • by dww (119841)

      Google generally hides duplicate pages on a site. However if you use Advanced Search it finds "About 942,000 results", which is near enough a million, especially as some sites will have started clearing up infected pages by now.

  • hmm ... lilupophilupop.com is unreachable for me.

    • by hankwang (413283) * on Wednesday January 04, 2012 @01:09PM (#38586312) Homepage

      Strange; earlier today (when I submitted the story), they were online.

      The site redirected to this (http changed to hXXp): hXXp://plac41eadmi.rr.nu/n.php?h=1&s=sl
      which redirected to hXXp://www3.smartnetworkzgx.Kwik.To/?92ut2bc2=Xafe2G%2BXmmKsk9Hb2KuYmuPir52umJ6tpuGxZZPJZ9agmKKkpJiY

      which contained an obfuscated script that went on like this:

      var xrPke='QiqpR';if('xmFR'=='ZqpZB')aSetrA();}
      function ty6HJA7y3z10n0s(rFOaSw){var NLgXo="3845";var vJtxnk=132;var PmBBXq=[];var uqrx;var lTrQTu=0;

      But also the kwik.to website is offline now.

  • by d3ac0n (715594) on Wednesday January 04, 2012 @12:48PM (#38586064)

    Turns up lots of tiny little "backwater" sites run by small businesses. Not surprising they would get nailed; they are the most vulnerable.

    But...

    Do I see ITT Tech in there as a victim?

    Ouch!

  • by Dynamoo (527749) on Wednesday January 04, 2012 @12:54PM (#38586138) Homepage
    The malware site is hosted by Specialist Ltd in Transnistria, who are a totally black hat [dynamoo.com] operation. They can get away with it because almost nobody recognises the existence of Transnistria [wikipedia.org], so it is effectively outside the reach of international law enforcement.
    • by drinkypoo (153816)

      Great, maybe I can get them to host my website when you're no longer allowed free speech on the internet in the USA.

      • by mapkinase (958129)

        Good luck with that. This "country" leadership is Putin's lackeys.

        • by drinkypoo (153816)

          Either you believe that Russia and the USA are simply working in harmony and all conflict is a ruse, in which case there is very little hope for freedom; or you should believe that they would love to see it happen, because it would make us look like assholes.

          • by mapkinase (958129) on Wednesday January 04, 2012 @01:44PM (#38586676) Homepage Journal

            Well, if freedom for you is to be able to say bad things about USA, then you are fine. Then Brezhnev's Russia had all the freedom:

            Brezhnev meets Reagan and the latter complains that Russia does not have freedom of speech, giving an example: "In US, everybody can go in front of White House and shout: Reagan is an idiot". Brezhnev retorts: "You can do the same in Russia: you can go to Red Square and shout: Reagan is an idiot".

    • by boristdog (133725)

      Wasn't the transnister invented there?

    • Wow... read the wikipedia article on that place. Total backwater, no one knows about this "country". They still use old soviet socialist emblems on all their buildings and stationery. That's weird in itself, but it's just part of how out of the way this place is.
    • I'm pretty sure that people recognize the existence of the cities and people there, just not their autonomy. That would mean that the area is officially recognized as part of Moldova, and it would be up to the authorities in Moldova to put a stop to it. If they can't, then maybe they don't have control over the area, and if the local government can, then maybe they deserve official autonomy. Either way, the criminals aren't out of reach.

      • by ChatHuant (801522)

        That would mean that the area is officially recognized as part of Moldova, and it would be up to the authorities in Moldova to put a stop to it.

        The options of the Moldovan leadership are limited, because of Russian interference (as it is so often in this general area). It's not a case of Transnistria deserving official autonomy as much as a case of Russia imposing their will by military force and running roughshod over the rights of other countries, and over their own legal commitments. Transnistria is only recognized as a state by a few other fly-by-night former Soviet territories, such as Abkhazia, but Russia has opened a consulate there, and is

  • Getting '503 Service Unavailable' when I try and wget the relevant URL. The slashdot effect for good!

  • https://www.google.com/search?q=%22script+src=%22http://lilupophilupop.com/sl.php%22 [google.com] shows only 286,000 results. Where did 1 million come from?
    • by drpimp (900837)
      Not to mention I didn't know you could actually search the DOM. I suspect these are the sites that html encode content from the DB so the actual script tag was rendered?
  • by Synerg1y (2169962) on Wednesday January 04, 2012 @01:27PM (#38586536)

    I'm wondering...

    classic asp + mssql combos aren't that common? It's usually iis (asp.net) + mssql or asp + mysql. Coldfusion isn't that large either.

    As other people have said not even close to 1 million sites, point being there's probably not a million sites that run these combos.

  • by maple_shaft (1046302) on Wednesday January 04, 2012 @02:46PM (#38587400)
    ... Oh man I was worried for a second! I thought the summary claimed that the javascript redirected you to download Adobe Flash. I was relieved to find out that it was a fake Adobe Flash download. Far less dangerous.
  • The mechanics of their design and execution make for interesting reading. Injecting a bunch of hex that then is decoded by a second script. I can't help but respect it.
    • by Bill Dog (726542)

      If I'm understanding it correctly, it relies on both of the two following things being true of a given web site (besides it using an MS SQL Server backend (or maybe it also works on Sybase database product(s) which also use the T-SQL language and might still have the involved system tables in common)):
      1) SQL commands constructed via string concatenation including web form text field values, and
      2) No sanitization of data coming out of the database before inserting into the HTML.
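The two conditions Bill Dog lists, shown beside their fixes as an added example (not code from the thread or from the affected sites). Python with an in-memory sqlite3 table stands in for the ASP/MSSQL stack; the table, function names and the sample script URL are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed stand-in for a site's content table (sample data, not from the page)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO articles (title, body) VALUES (?, ?)",
                   [("Welcome", "Hello"), ("Contact", "Mail us")])
    return db


def search_concat(db, term):
    # Condition 1 (vulnerable): the form field is concatenated into the statement,
    # so quotes in the input change the query's logic instead of being data
    sql = "SELECT title FROM articles WHERE title = '" + term + "'"
    return [row[0] for row in db.execute(sql)]


def search_param(db, term):
    # Fix for condition 1: a bound parameter is never parsed as SQL
    rows = db.execute("SELECT title FROM articles WHERE title = ?", (term,))
    return [row[0] for row in rows]


def render_raw(value):
    # Condition 2 (vulnerable): database content written straight into the page,
    # so a stored <script src=...> tag becomes live markup for every visitor
    return "<p>" + value + "</p>"


def render_encoded(value):
    # Fix for condition 2: HTML-encode on output; a stored tag is displayed as text
    return "<p>" + html.escape(value, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"          # tautology: matches every row when concatenated
    print(search_concat(db, probe))  # both titles: the WHERE clause was rewritten
    print(search_param(db, probe))   # []: the same string is just a non-matching title
    stored = '<script src="http://example.invalid/sl.php"></script>'  # constructed
    print(render_raw(stored))
    print(render_encoded(stored))
```

Either fix alone breaks the attack chain: parameterised queries stop the tag from being written, and output encoding stops a written tag from executing, which is why both are worth doing.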

  • I actually had to look up .nu, as I've never encountered it before.

    From AegisLab Security blog in regards to this attack:

    "The detailed attacking paths are as follows:

    [script] hxxp://lilupophilupop.com/sl.php

    [hop] hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl

    [hop] hxxp://www3.simplerfnetwork.rr.nu

    [hop] hxxp://www1.smartscanerjkm.rr.nu
