One Million Web Pages Attacked By Lilupophilupop

hankwang writes "The Internet Storm Center reported that one million web pages have been attacked by the Lilupophilupop SQL injection and contain a malicious Javascript link. Affected sites can be found using a Google search query. See also the technical details of the SQL injection. The attack is directed to sites running ASP or ColdFusion with an MSSQL backend. The payload of the Javascript leads, via redirects and obfuscated Javascript, to a fake download page for Adobe Flash and antivirus software."

1 million pages?

[grahamsaa]

The google query in the post returns "about 288,000" results, many of which come from the same domains. While agree that this is serious, the claim that 1M pages have been attacked (and who really cares about pages anyway -- the number of sites / domains seems far more important to me) seems exaggerated.

Re:

[flatcat]

Unfortunately Firefox with NoScript is preventing me from enjoying this new version of Adobe.

Re:

[Qzukk]

The google query in the post returns "about 288,000" results

Right now, there are 28800 pages defaced by this attack.

Based on the ISC Diary page with it's update dated August, this has been going on for months.

Re:

[Qzukk]

Bah. "international time" is ISO 8601. Writing the date "8/12/2011" is "intentionally confusing to everyone else time".

Re:

[dww]

Google generally hides duplicate pages on a site. However if you use Advanced Search it finds "About 942,000 results", which is near enough a million, especially as some sites will have started clearing up infected pages by now.

Resolving lilupophilupop.com... failed: Name or se

[buchner.johannes]

hmm ... lilupophilupop.com is unreachable for me.

Re:Resolving lilupophilupop.com... failed: Name or

[hankwang]

Strange; earlier today (when I submitted the story), they were online.

The site redirected to this (http changed to hXXp): hXXp://plac41eadmi.rr.nu/n.php?h=1&s=sl
which redirected to hXXp://www3.smartnetworkzgx.Kwik.To/?92ut2bc2=Xafe2G%2BXmmKsk9Hb2KuYmuPir52umJ6tpuGxZZPJZ9agmKKkpJiY

which contained an obfuscated script that went on like this:

var xrPke='QiqpR';if('xmFR'=='ZqpZB')aSetrA();}
function ty6HJA7y3z10n0s(rFOaSw){var NLgXo="3845";var vJtxnk=132;var PmBBXq=[];var uqrx;var lTrQTu=0;

But also the kwik.to website is offline now.

Re:

[hankwang]

I was using my ISP's DNS, but lilupophilupop.com doesn't resolve either when I use a DNS server of which I'm sure that it is not subscribed to any black lists.

Re:

[pclminion]

Doesn't having a million-entry host file have some drawbacks? I expect either the whole thing is cached in memory (assuming 128 bytes per cache entry that's over 128 MB to cache the thing), or the file is linearly scanned every time you resolve a hostname, slowing down every single name resolution enormously. Either of those would kind of suck.

Re:Me too (but 4 DIFF. reasons)... apk

[sexconker]

Large hosts files absolutely slow down lookups.
Furthermore, he says he uses 3 different DNS servers, so he's really just getting the security of the intersection of all 3 blacklists.
He also claims his hosts file and router prevent malware from dialing home, despite the fact that such malware often has hardcoded IPs and would never need to perform a DNS lookup.

The DNS/HOSTS troll has been around for a while, but the sad thing is it's not a copy-pasta. Each post is actually unique (though similar), so there's some moron begind the AC curtain actually typing that shit out every time. This troll is most easily identified by the formatting. it always has excessive sectioning, bolding, and use of asterisks, hyphens, and parentheticals. The end is always a "beat you over the head with it" moment. In this case it's a link to a Bing search on "how to secure" Windows XP/2000.

Basically, don't feed the trolls.

Re:

[couchslug]

APK has been "amusing" for many years, under a variety of nicks.

Google: site:arstechnica.com APK

Any psychiatrists care to chime in on the characteristic "speech patterns" in the posts?

http://www.ntcompatible.com/postprint81050.html [ntcompatible.com]

Re:

[fatphil]

Fortunately he's a loon who posts AC. If he were a morpher with a million different IDs, then it would be expensive to mark posts from all his IDs with a score penalty, but fortunately, all you need to do is mark AC down, and you get rid of all of his irrational ranting, and lots more besides.

HTH, HAND.

Re:

[mandelbr0t]

If you're willing to do this much work to avoid malware, well, go for it. Your performance gains, when compared to network latency, are probably so slight as to be imperceptible. Personally, I use AdBlock Plus and a local DNS server, and have never had issues with either malware, unwanted ads, or network performance. To each his own. If you don't want to get modded Troll, you might want to tone down on the caps and excessive bolding. You may have a legitimate technical point to make, but it gets lost in a t

Re:

[mandelbr0t]

OR the electricity for a dedicated rig for it either

Don't spend it all in one place. The dedicated rig does other useful stuff that I wouldn't want bogging down my desktop.

I've actually passed English courses in college while earning 2 degrees no less (A grades usually) - have you??

Yep. This is, after all, a "News for Nerds" site. You're not the only genius here. And the rest of us don't tend to use terms like "superior technical firepower" and go off on rants about things that represent a minute portion of IT.

I know DAMN WELL I do, & it kicks the trolls asses SO BADLY, that when I challenge them to disprove my technical points I posted on ANYTHING I POSTED?

I'm not trying to disprove your technical points; I'm saying that people aren't listening to you because of the way you present your argument. I'm happy with w

Re:

[darkpixel2k]

Between a custom HOSTS file, & using "filtering" DNS servers (that specialize in blocking out malicious script & malware serving domains + phishing/spamming ones)?

Can you please tell me how to modify my HOSTS file to block your stupid use of the bold tag? Fsck.

Google search

[d3ac0n]

Turns up lots of tiny little "backwater" sites run by small businesses. Not surprising they would get nailed, they are the most vulnerable.

But...

Do I see ITT Tech in there as a victim?

Ouch!

Not just "backwater" sites

[Kaleidoscopio]

The web site for the Portuguese Electric Company (EDP) is there. That seems a major site by my standards. I might be suspect of course, beeing Portuguese. :D

Re:

[cdrudge]

Do I see ITT Tech in there as a victim?

No, that's just part of their Information Systems and Cybersecurity [itt-tech.edu] degree program.

Hosted in.. Transnistria

[Dynamoo]

The malware site is hosted by Specialist Ltd in Transnistria, who are a totally black hat [dynamoo.com] operation. They can get away with it because almost nobody recognises the existence of Transnistria [wikipedia.org], so it is effectively outside the reach of international law enforcement.

Re:

[drinkypoo]

Great, maybe I can get them to host my website when you're no longer allowed free speech on the internet in the USA.

Re:

[mapkinase]

Good luck with that. This "country" leadership is Putin's lackeys.

Re:

[drinkypoo]

Either you believe that Russia and the USA are simply working in harmony and all conflict is a ruse, in which case there is very little hope for freedom; or you should believe that they would love to see it happen, because it would make us look like assholes.

Re:Hosted in.. Transnistria

[mapkinase]

Well, if freedom for you is to be able to say bad things about USA, then you are fine. Then Brezhnev's Russia had all the freedom:

Brezhnev meets Reagan and the latter complains that Russia does not have freedom of speech, giving an example: "In US, everybody can go in front of White House and shout: Reagan is an idiot". Brezhnev retorts: "You can do the same in Russia: you can go to Red Square and shout: Reagan is an idiot".

Re:

[boristdog]

Wasn't the transnister invented there?

Re:

[Noughmad]

Would that be the transistor that says Ni?

Re:

[idontgno]

No. That would be the ecky-ecky-ecky-ecky-ptang-zoop-boing-FET.

Re:

[interval1066]

Wow... read the wikipedia article on that place. Total backwater, no one knows about this "country". They still use old soviet socialist emblems on all their buildings and stationary. That's wierd in itself, but it just part of how out of the way this place is.

OWS : immantize the Gernsback continuum now!

[Thud457]

Who the hell put William Gibson in charge of scripting reality these days?!!!

godamn, it's real

I'd like to send this letter to the Prussian consulate in Siam by aeromail. Am I too late for the 4:30 autogyro?

time here.

Re:

[amicusNYCL]

I'm pretty sure that people recognize the existence of the cities and people there, just not their autonomy. That would mean that the area is officially recognized as part of Moldova, and it would be up to the authorities in Moldova to put a stop to it. If they can't, then maybe they don't have control over the area, and if the local government can, then maybe they deserve official autonomy. Either way, the criminals aren't out of reach.

Re:

[ChatHuant]

That would mean that the area is officially recognized as part of Moldova, and it would be up to the authorities in Moldova to put a stop to it.

The options of the Moldovan leadership are limited, because of Russian interference (as it is so often in this general area). It's not a case of Transnistria deserving official autonomy as much as a case of Russia imposing their will by military force and running roughshod over the rights of other countries, and over their own legal commitments. Transnistria is only recognized as a state by a few other fly-by-night former Soviet teritorries, such as Abkhazia, but Russia has opened a consulate there, and is

Slashdotted

[Bazman]

Getting '503 Service Unavailable' when I try and wget the relevant URL. The slashdot effect for good!

Misleading Title?

[BoRictor]

https://www.google.com/search?q=%22script+src=%22http://lilupophilupop.com/sl.php%22 [google.com] shows only 286,000 results. Where did 1 million come from?

Re:

[drpimp]

Not to mention I didn't know you could actually search the DOM. I suspect these are the sites that html encode content from the DB so the actual script tag was rendered?

Classic ASP?

[Synerg1y]

I'm wondering...

classic asp + mssql combos aren't that common? It's usually iis (asp.net) + mssql or asp + mysql. Coldfusion isn't that large either.

As other people have said not even close to 1 million sites, point being there's probably not a million sites that run these combos.

Re:

[FormOfActionBanana]

Since when does DROP TABLE make data available??

Oh noes not Adobe Flash!

[maple_shaft]

... Oh man I was worried for second! I thought the summary claimed that the javascript redirected you to download Adobe Flash. I was relieved to find out that it was a fake Adobe Flash download. Far less dangerous.

Although these attacks are evil in their intent...

[P-niiice]

The mechanics of their design and execution make for interesting reading. Injecting a bunch of hex that then is decoded by a second script. I can't help but repect it.

Re:

[Bill Dog]

If I'm understanding it correctly, it relies on both of the two following things being true of a given web site (besides it using an MS SQL Server backend (or maybe it also works on Sybase database product(s) which also use the T-SQL language and might still have the involved system tables in common)):
1) SQL commands constructed via string concatenation including web form text field values, and
2) No sanitization of data coming out of the database before inserting into the HTML.

I actually had to look up .nu...

[Anachragnome]

I actually had to look up .nu, as I've never encountered it before.

From AegisLab Security blog in regards to this attack:

"The detailed attacking paths are as follows:

[script] hxxp://lilupophilupop.com/sl.php

[hop] hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl

[hop] hxxp://www3.simplerfnetwork.rr.nu

[hop] hxxp://www1.smartscanerjkm.rr.nu

Re:

[Inquisitus]

So I guess you've never made a typo before in your life?

Re:

[ElmoGonzo]

My guess is that the T.B'er simply has no life.

Re:

[pclminion]

So I guess you've never made a typo before in your life?

In a piece of text that has been edited for presentation to a wide audience? No. Those are corrected by a review process.

Re:

[Inquisitus]

Then the GP should've said "edit", not "type", since the wording suggested he was aiming his complaint at the submitter. Can't these people express themselves clearly anymore?

Re:

[sortius_nod]

Having worked for a newspaper, I can assure you that they still make mistakes. Hell, the paper I worked for even got the date on the front page wrong (a year out) once due to a typo.

Get off your high horse & join us all in reality.

Re:Can't you people type properly anymore?

[man_of_mr_e]

This has nothing to do with Microsoft. First, this is targeting classic ASP and Cold Fusion, that's a 15 year old technology that nobody uses anymore and a non-MS technology. Second, sql injection attacks are all about the application code, not the framework.

Re:

[mspohr]

If you read the linked pages, it does appear that this is due to a vulnerability in MSSQL... so yet again (and we are all "shocked"), this has Microsoft's fingerprints all over it.

Re:Can't you people type properly anymore?

[Richard_at_work]

I've read the linked pages, it's not a vulnerability in MSSQL, it's injected code which targets MSSQL so the blame lies with the application.

Re:

[L4t3r4lu5]

I'm not even a developer, and even I know the phrase "Sanitise your inputs".

There's no excuse for injection vulnerabilities. None.

Re:

[bloodhawk]

You seem to have some reading comprehension problems, it is NOT a MSSQL vulnerability at all, it is bad application programming which then allows an attacker to leverage MSSQL with malicious code.

Re:

[Anonymous Coward]

ASP is likely still more used than ASP.NET.

ColdFusion apologist

[aclarke]

ColdFusion (it hasn't been "Cold Fusion" since 1998) has had parameterized SQL commands for a decade. The problem is that there is still a high percentage of ColdFusion developers who are not educated enough to know what they are or why they should use them.

CFML is such an easy language to program in that it encourages people who have not taken the time to learn the appropriate software engineering basics. It's a bit of a double-edged sword, really. Also, there's still a lot of 10+ year old ColdFusion

Re:

[bloodhawk]

The exploit doesn't depend on ASP, it depends on poor code written by application developers in ASP or Cold fusion. You can't blame the technology for bad application developers.