At the beginning of December, researchers from the Internet Storm Center spotted a relatively limited SQL injection attack – about 80 affected pages – redirecting visitors of legitimate websites to malicious ones serving fake AV and fake Adobe Flash. Now, a little over a month later, the number of affected websites has surpassed one million, making the attack large enough to sound the alarm again.
The attack was dubbed “Lilupophilupop” by the researchers after the domain to which the victims are redirected. The offending string is typically introduced into several tables, and sites running ASP or ColdFusion with an MSSQL backend are targeted primarily.
At the beginning, the attack looked completely automated and was spreading rapidly, but researcher Mark Hofman says that it now seems to be partially automated and partially manual. “The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period,” he concluded.
The attackers first probed systems for vulnerable pages and tried to establish which product was being used. This went on for a couple of weeks, from a variety of IP addresses, and once a vulnerable page had been found, the script was inserted.
“If you want to find out if you have a problem just search for:
in Google and use the site: parameter to hone in on your domain,” he advises, and warns that identifying the entry page is crucial for cleaning the site. “If you restore your DB and bring the system back online without identifying the entry point, then it will only be a matter of time before the system is re-compromised. When looking at fixing the problem do not forget that this vulnerability is a coding issue. You may need to make application changes.”
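One way to look for the entry page Hofman describes is to triage the web server logs. This is an added example, not code from the article or from the ISC researchers: it scans IIS W3C-format logs for query strings carrying generic SQL injection markers and groups them by page. The log lines, IP addresses and marker patterns are constructed assumptions, not the campaign's actual payload.

```python
import re
from urllib.parse import unquote_plus

# Generic SQL injection markers (assumed for illustration; the article does
# not reproduce the campaign's payload). A lone quote can be a false positive.
SQLI = re.compile(r"'|;\s*(declare|exec)\b|\bunion\s+select\b|\bcast\s*\(|--", re.I)

# Constructed IIS W3C log sample; IPs are documentation-range addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-01 10:00:01 198.51.100.7 GET /news.asp id=7 200
2000-01-01 10:00:05 203.0.113.9 GET /news.asp id=7%27 500
2000-01-02 11:12:40 203.0.113.44 GET /news.asp id=7+UNION+SELECT+NULL-- 500
2000-01-03 09:30:00 198.51.100.7 GET /about.asp - 200
2000-01-20 02:14:09 192.0.2.15 GET /news.asp id=7;DECLARE+@s+varchar(10) 200
2000-01-20 02:15:00 192.0.2.15 GET /item.cfm cat=3%27 404
"""

def find_entry_points(log_text):
    """Group suspicious requests by page: hits, distinct IPs, first seen, 200s."""
    fields, pages = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not SQLI.search(unquote_plus(row.get("cs-uri-query", "-"))):
            continue
        page = pages.setdefault(row["cs-uri-stem"],
                                {"hits": 0, "ips": set(), "first": None, "ok": 0})
        page["hits"] += 1
        page["ips"].add(row["c-ip"])           # probing came from many addresses
        seen = row["date"] + " " + row["time"]
        page["first"] = min(filter(None, [page["first"], seen]))
        page["ok"] += row["sc-status"] == "200"  # served normally: review first
    return pages

def rank(pages):
    """Pages most likely to be the entry point first."""
    return sorted(pages, key=lambda p: (-pages[p]["ok"], -pages[p]["hits"]))

if __name__ == "__main__":
    found = find_entry_points(SAMPLE_LOG)
    for stem in rank(found):
        print(stem, found[stem])
```

The pages ranked first are the ones whose handling of request parameters in SQL statements should be reviewed before the restored database goes back online.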