One Million Web Pages Attacked By Lilupophilupop

hankwang writes "The Internet Storm Center reported that one million web pages have been attacked by the Lilupophilupop SQL injection and contain a malicious Javascript link. Affected sites can be found using a Google search query. See also the technical details of the SQL injection. The attack is directed to sites running ASP or ColdFusion with an MSSQL backend. The payload of the Javascript leads, via redirects and obfuscated Javascript, to a fake download page for Adobe Flash and antivirus software."

1 million pages?

[grahamsaa]

The google query in the post returns "about 288,000" results, many of which come from the same domains. While agree that this is serious, the claim that 1M pages have been attacked (and who really cares about pages anyway -- the number of sites / domains seems far more important to me) seems exaggerated.

Re:Resolving lilupophilupop.com... failed: Name or

[hankwang]

Strange; earlier today (when I submitted the story), they were online.

The site redirected to this (http changed to hXXp): hXXp://plac41eadmi.rr.nu/n.php?h=1&s=sl
which redirected to hXXp://www3.smartnetworkzgx.Kwik.To/?92ut2bc2=Xafe2G%2BXmmKsk9Hb2KuYmuPir52umJ6tpuGxZZPJZ9agmKKkpJiY

which contained an obfuscated script that went on like this:

var xrPke='QiqpR';if('xmFR'=='ZqpZB')aSetrA();}
function ty6HJA7y3z10n0s(rFOaSw){var NLgXo="3845";var vJtxnk=132;var PmBBXq=[];var uqrx;var lTrQTu=0;

But also the kwik.to website is offline now.

Re:Can't you people type properly anymore?

[man_of_mr_e]

This has nothing to do with Microsoft. First, this is targeting classic ASP and Cold Fusion, that's a 15 year old technology that nobody uses anymore and a non-MS technology. Second, sql injection attacks are all about the application code, not the framework.

Re:Me too (but 4 DIFF. reasons)... apk

[sexconker]

Large hosts files absolutely slow down lookups.
Furthermore, he says he uses 3 different DNS servers, so he's really just getting the security of the intersection of all 3 blacklists.
He also claims his hosts file and router prevent malware from dialing home, despite the fact that such malware often has hardcoded IPs and would never need to perform a DNS lookup.

The DNS/HOSTS troll has been around for a while, but the sad thing is it's not a copy-pasta. Each post is actually unique (though similar), so there's some moron begind the AC curtain actually typing that shit out every time. This troll is most easily identified by the formatting. it always has excessive sectioning, bolding, and use of asterisks, hyphens, and parentheticals. The end is always a "beat you over the head with it" moment. In this case it's a link to a Bing search on "how to secure" Windows XP/2000.

Basically, don't feed the trolls.

Re:Can't you people type properly anymore?

[Richard_at_work]

I've read the linked pages, it's not a vulnerability in MSSQL, it's injected code which targets MSSQL so the blame lies with the application.