Slashdot Mirror


One Million Web Pages Attacked By Lilupophilupop

hankwang writes "The Internet Storm Center reported that one million web pages have been attacked by the Lilupophilupop SQL injection and contain a malicious Javascript link. Affected sites can be found using a Google search query. See also the technical details of the SQL injection. The attack is directed to sites running ASP or ColdFusion with an MSSQL backend. The payload of the Javascript leads, via redirects and obfuscated Javascript, to a fake download page for Adobe Flash and antivirus software."

50 of 120 comments

  1. 1 million pages? by grahamsaa · · Score: 4, Informative

    The google query in the post returns "about 288,000" results, many of which come from the same domains. While I agree that this is serious, the claim that 1M pages have been attacked (and who really cares about pages anyway -- the number of sites / domains seems far more important to me) seems exaggerated.

    --
    Facts have a liberal bias.
    1. Re:1 million pages? by flatcat · · Score: 3, Funny

      Unfortunately Firefox with NoScript is preventing me from enjoying this new version of Adobe.

    2. Re:1 million pages? by Qzukk · · Score: 1

      The google query in the post returns "about 288,000" results

      Right now, there are 28800 pages defaced by this attack.

      Based on the ISC Diary page with its update dated August, this has been going on for months.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:1 million pages? by Qzukk · · Score: 1

      Bah. "international time" is ISO 8601. Writing the date "8/12/2011" is "intentionally confusing to everyone else time".

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:1 million pages? by dww · · Score: 1

      Google generally hides duplicate pages on a site. However if you use Advanced Search it finds "About 942,000 results", which is near enough a million, especially as some sites will have started clearing up infected pages by now.

  2. Resolving lilupophilupop.com... failed: Name or se by buchner.johannes · · Score: 1

    hmm ... lilupophilupop.com is unreachable for me.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  3. Google search by d3ac0n · · Score: 2

    Turns up lots of tiny little "backwater" sites run by small businesses. Not surprising they would get nailed, they are the most vulnerable.

    But...

    Do I see ITT Tech in there as a victim?

    Ouch!

    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    1. Re:Google search by cdrudge · · Score: 2

      Do I see ITT Tech in there as a victim?

      No, that's just part of their Information Systems and Cybersecurity degree program.

  4. Re:Can't you people type properly anymore? by Inquisitus · · Score: 1

    So I guess you've never made a typo before in your life?

  5. Not just "backwater" sites by Kaleidoscopio · · Score: 1

    The web site for the Portuguese Electric Company (EDP) is there. That seems a major site by my standards. I might be suspect of course, being Portuguese. :D

  6. Hosted in.. Transnistria by Dynamoo · · Score: 5, Interesting

    The malware site is hosted by Specialist Ltd in Transnistria, who are a totally black hat operation. They can get away with it because almost nobody recognises the existence of Transnistria, so it is effectively outside the reach of international law enforcement.

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Hosted in.. Transnistria by drinkypoo · · Score: 2

      Great, maybe I can get them to host my website when you're no longer allowed free speech on the internet in the USA.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Hosted in.. Transnistria by mapkinase · · Score: 1

      Good luck with that. This "country" leadership is Putin's lackeys.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    3. Re:Hosted in.. Transnistria by boristdog · · Score: 2

      Wasn't the transnister invented there?

    4. Re:Hosted in.. Transnistria by drinkypoo · · Score: 1

      Either you believe that Russia and the USA are simply working in harmony and all conflict is a ruse, in which case there is very little hope for freedom; or you should believe that they would love to see it happen, because it would make us look like assholes.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Hosted in.. Transnistria by interval1066 · · Score: 1

      Wow... read the wikipedia article on that place. Total backwater, no one knows about this "country". They still use old soviet socialist emblems on all their buildings and stationery. That's weird in itself, but it's just part of how out of the way this place is.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    6. Re:Hosted in.. Transnistria by mapkinase · · Score: 4, Funny

      Well, if freedom for you is to be able to say bad things about USA, then you are fine. Then Brezhnev's Russia had all the freedom:

      Brezhnev meets Reagan and the latter complains that Russia does not have freedom of speech, giving an example: "In US, everybody can go in front of White House and shout: Reagan is an idiot". Brezhnev retorts: "You can do the same in Russia: you can go to Red Square and shout: Reagan is an idiot".

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    7. Re:Hosted in.. Transnistria by amicusNYCL · · Score: 1

      I'm pretty sure that people recognize the existence of the cities and people there, just not their autonomy. That would mean that the area is officially recognized as part of Moldova, and it would be up to the authorities in Moldova to put a stop to it. If they can't, then maybe they don't have control over the area, and if the local government can, then maybe they deserve official autonomy. Either way, the criminals aren't out of reach.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    8. Re:Hosted in.. Transnistria by Noughmad · · Score: 2

      Would that be the transistor that says Ni?

      --
      PlusFive Slashdot reader for Android. Can post comments.
    9. Re:Hosted in.. Transnistria by idontgno · · Score: 1

      No. That would be the ecky-ecky-ecky-ecky-ptang-zoop-boing-FET.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    10. Re:Hosted in.. Transnistria by ChatHuant · · Score: 1

      That would mean that the area is officially recognized as part of Moldova, and it would be up to the authorities in Moldova to put a stop to it.

      The options of the Moldovan leadership are limited, because of Russian interference (as it is so often in this general area). It's not a case of Transnistria deserving official autonomy as much as a case of Russia imposing their will by military force and running roughshod over the rights of other countries, and over their own legal commitments. Transnistria is only recognized as a state by a few other fly-by-night former Soviet territories, such as Abkhazia, but Russia has opened a consulate there, and is strongly supporting the hardcore former communists. As part of this support, Russian troops have launched artillery attacks on Moldovan forces, killing over a hundred people (see here). At this moment, units of the 14th Russian army are still illegally stationed in Transnistria and ensuring the maintenance of the status quo, despite a number of promises by the Russian leadership that they'll resolve the issue.

  7. Re:Can't you people type properly anymore? by ElmoGonzo · · Score: 1

    My guess is that the T.B'er simply has no life.

  8. Slashdotted by Bazman · · Score: 1

    Getting '503 Service Unavailable' when I try and wget the relevant URL. The slashdot effect for good!

  9. Misleading Title? by BoRictor · · Score: 2

    https://www.google.com/search?q=%22script+src=%22http://lilupophilupop.com/sl.php%22 shows only 286,000 results. Where did 1 million come from?

    1. Re:Misleading Title? by drpimp · · Score: 1

      Not to mention I didn't know you could actually search the DOM. I suspect these are the sites that html encode content from the DB so the actual script tag was rendered?

      --
      -- Brought to you by Carl's JR
  10. Re:Resolving lilupophilupop.com... failed: Name or by hankwang · · Score: 4, Informative

    Strange; earlier today (when I submitted the story), they were online.

    The site redirected to this (http changed to hXXp): hXXp://plac41eadmi.rr.nu/n.php?h=1&s=sl
    which redirected to hXXp://www3.smartnetworkzgx.Kwik.To/?92ut2bc2=Xafe2G%2BXmmKsk9Hb2KuYmuPir52umJ6tpuGxZZPJZ9agmKKkpJiY

    which contained an obfuscated script that went on like this:

    var xrPke='QiqpR';if('xmFR'=='ZqpZB')aSetrA();}
    function ty6HJA7y3z10n0s(rFOaSw){var NLgXo="3845";var vJtxnk=132;var PmBBXq=[];var uqrx;var lTrQTu=0;

    But also the kwik.to website is offline now.

  11. Re:Can't you people type properly anymore? by pclminion · · Score: 2

    So I guess you've never made a typo before in your life?

    In a piece of text that has been edited for presentation to a wide audience? No. Those are corrected by a review process.

  12. Classic ASP? by Synerg1y · · Score: 2

    I'm wondering...

    classic asp + mssql combos aren't that common? It's usually iis (asp.net) + mssql or asp + mysql. Coldfusion isn't that large either.

    As other people have said not even close to 1 million sites, point being there's probably not a million sites that run these combos.

    1. Re:Classic ASP? by FormOfActionBanana · · Score: 1

      Since when does DROP TABLE make data available??

      --
      Take off every 'sig' !!
  13. Re:Me too (but 4 DIFF. reasons)... apk by pclminion · · Score: 2

    Doesn't having a million-entry host file have some drawbacks? I expect either the whole thing is cached in memory (assuming 128 bytes per cache entry that's over 128 MB to cache the thing), or the file is linearly scanned every time you resolve a hostname, slowing down every single name resolution enormously. Either of those would kind of suck.

  14. Re:Can't you people type properly anymore? by man_of_mr_e · · Score: 4, Informative

    This has nothing to do with Microsoft. First, this is targeting classic ASP and Cold Fusion, that's a 15 year old technology that nobody uses anymore and a non-MS technology. Second, sql injection attacks are all about the application code, not the framework.

  15. Re:Can't you people type properly anymore? by Inquisitus · · Score: 1

    Then the GP should've said "edit", not "type", since the wording suggested he was aiming his complaint at the submitter. Can't these people express themselves clearly anymore?

  16. Re:Me too (but 4 DIFF. reasons)... apk by sexconker · · Score: 4, Informative

    Large hosts files absolutely slow down lookups.
    Furthermore, he says he uses 3 different DNS servers, so he's really just getting the security of the intersection of all 3 blacklists.
    He also claims his hosts file and router prevent malware from dialing home, despite the fact that such malware often has hardcoded IPs and would never need to perform a DNS lookup.

    The DNS/HOSTS troll has been around for a while, but the sad thing is it's not a copy-pasta. Each post is actually unique (though similar), so there's some moron behind the AC curtain actually typing that shit out every time. This troll is most easily identified by the formatting. It always has excessive sectioning, bolding, and use of asterisks, hyphens, and parentheticals. The end is always a "beat you over the head with it" moment. In this case it's a link to a Bing search on "how to secure" Windows XP/2000.

    Basically, don't feed the trolls.

  17. Re:DNSBL's maybe? I'd suspect that @ least... apk by hankwang · · Score: 1

    I was using my ISP's DNS, but lilupophilupop.com doesn't resolve either when I use a DNS server of which I'm sure that it is not subscribed to any black lists.

  18. Oh noes not Adobe Flash! by maple_shaft · · Score: 5, Funny

    ... Oh man I was worried for second! I thought the summary claimed that the javascript redirected you to download Adobe Flash. I was relieved to find out that it was a fake Adobe Flash download. Far less dangerous.

  19. OWS : immantize the Gernsback continuum now! by Thud457 · · Score: 1
    Who the hell put William Gibson in charge of scripting reality these days?!!!

    goddamn, it's real

    I'd like to send this letter to the Prussian consulate in Siam by aeromail. Am I too late for the 4:30 autogyro?

    time here.

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  20. Re:Can't you people type properly anymore? by Richard_at_work · · Score: 4, Informative

    I've read the linked pages, it's not a vulnerability in MSSQL, it's injected code which targets MSSQL so the blame lies with the application.

  21. Re:Can't you people type properly anymore? by sortius_nod · · Score: 1

    Having worked for a newspaper, I can assure you that they still make mistakes. Hell, the paper I worked for even got the date on the front page wrong (a year out) once due to a typo.

    Get off your high horse & join us all in reality.

  22. Re:Can't you people type properly anymore? by Anonymous Coward · · Score: 1

    ASP is likely still more used than ASP.NET.

  23. Re:Me too (but 4 DIFF. reasons)... apk by couchslug · · Score: 1

    APK has been "amusing" for many years, under a variety of nicks.

    Google: site:arstechnica.com APK

    Any psychiatrists care to chime in on the characteristic "speech patterns" in the posts?

    http://www.ntcompatible.com/postprint81050.html

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  24. Although these attacks are evil in their intent... by P-niiice · · Score: 1

    The mechanics of their design and execution make for interesting reading. Injecting a bunch of hex that then is decoded by a second script. I can't help but respect it.

  25. Re:Can't you people type properly anymore? by bloodhawk · · Score: 2

    You seem to have some reading comprehension problems, it is NOT a MSSQL vulnerability at all, it is bad application programming which then allows an attacker to leverage MSSQL with malicious code.

  26. Re:Me too (but 4 DIFF. reasons)... apk by fatphil · · Score: 1

    Fortunately he's a loon who posts AC. If he were a morpher with a million different IDs, then it would be expensive to mark posts from all his IDs with a score penalty, but fortunately, all you need to do is mark AC down, and you get rid of all of his irrational ranting, and lots more besides.

    HTH, HAND.

    --
    Also FatPhil on SoylentNews, id 863
  27. ColdFusion apologist by aclarke · · Score: 2

    ColdFusion (it hasn't been "Cold Fusion" since 1998) has had parameterized SQL commands for a decade. The problem is that there is still a high percentage of ColdFusion developers who are not educated enough to know what they are or why they should use them.

    CFML is such an easy language to program in that it encourages people who have not taken the time to learn the appropriate software engineering basics. It's a bit of a double-edged sword, really. Also, there's still a lot of 10+ year old ColdFusion code out there that hasn't been touched in a long time because it "still works", except, of course, that it doesn't, as we can see from this example.

  28. I actually had to look up .nu... by Anachragnome · · Score: 1

    I actually had to look up .nu, as I've never encountered it before.

    From AegisLab Security blog in regards to this attack:

    "The detailed attacking paths are as follows:

    [script] hxxp://lilupophilupop.com/sl.php

                [hop] hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl

                [hop] hxxp://www3.simplerfnetwork.rr.nu

                [hop] hxxp://www1.smartscanerjkm.rr.nu

                        [download] hxxp://www1.smartscanerjkm.rr.nu "

    A little Googling and some interesting reading led me to the small South Pacific island country of Niue. Never heard of it.

    http://en.wikipedia.org/wiki/Niue

    From that article:
    "Niue purported to establish diplomatic relations with the People's Republic of China on December 12, 2007.[17] However, in light of its Constitution it is uncertain whether Niue had the capacity to enter diplomatic relations with any country. Traditionally, Niue's foreign relations and defence have been regarded as the responsibility of New Zealand, which has full diplomatic relations with China. Furthermore the Joint Communique signed by Niue and China is different in its treatment of the Taiwan question from that agreed by New Zealand and China. New Zealand "acknowledged" China's position on Taiwan but has never expressly agreed with it, but Niue "recognizes that there is only one China in the world, the Government of the People's Republic of China is the sole legal government representing the whole of China and Taiwan is an inalienable part of the territory of China."

    Interesting.

    A little more searching and I find this article that discusses the tax-haven aspects of Niue in terms of Chinese businessmen...

    http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2447

    The closing statement from that article...
    "Niue's trust laws resemble the laws of offshore centers that are, or sometime were, British colonies. The important factor here is that, due to its location, Niue has become a financial center for wealthy Chinese who want to use the financial figure of offshore trusts. This means, Niue has a good prospective given the flourishing of the Chinese economy."

    Indeed, the Chinese have been trying to buy their way into residency status on Niue (in effect giving them New Zealand residency status)...

    http://www.niueconfidential.com/2011/03/immigration-rort-may-liquidate-company.html

    I know it is a leap, but is it possible the Chinese are using Niue as a "Cyberwar base of operations"?

  29. Re:Can't you people type properly anymore? by bloodhawk · · Score: 1

    The exploit doesn't depend on ASP, it depends on poor code written by application developers in ASP or Cold fusion. You can't blame the technology for bad application developers.

  30. Re:Although these attacks are evil in their intent by Bill+Dog · · Score: 1

    If I'm understanding it correctly, it relies on both of the two following things being true of a given web site (besides it using an MS SQL Server backend (or maybe it also works on Sybase database product(s) which also use the T-SQL language and might still have the involved system tables in common)):
    1) SQL commands constructed via string concatenation including web form text field values, and
    2) No sanitization of data coming out of the database before inserting into the HTML.

    --
    Attention zealots and haters: 00100 00100
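    Added example, not code from the thread, the ISC diary or the affected sites: the two conditions listed above (and the parameterized-query point from the ColdFusion comment) shown side by side in Python against an in-memory sqlite3 table standing in for the MSSQL backend. The table, column names, the "products" rows, the tautology probe and the malware.example domain are all constructed placeholders.

```python
import html
import sqlite3

# Constructed sample row: the description column has been tampered with and now
# carries a script tag pointing at a placeholder domain (not a real indicator).
STORED_TAG = '<script src="http://malware.example/sl.php"></script>'


def make_db():
    """In-memory stand-in for the MSSQL backend, seeded with one clean and one tampered row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, descr TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "widget", "A plain widget"),
        (2, "gadget", "A gadget" + STORED_TAG),
    ])
    return db


def lookup_concat(db, name):
    """Condition 1, vulnerable: the form field is spliced into the SQL text,
    so quote characters inside it become SQL syntax."""
    sql = "SELECT id, name, descr FROM products WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_param(db, name):
    """Hardened: the field is bound as a parameter (cfqueryparam / ADO command
    parameters on the real stacks), so it is only ever compared as data."""
    return db.execute(
        "SELECT id, name, descr FROM products WHERE name = ?", (name,)
    ).fetchall()


def render_raw(rows):
    """Condition 2, vulnerable: database text is written into the page as-is,
    so a stored script tag runs in every visitor's browser."""
    return "".join(f"<li>{r[1]}: {r[2]}</li>" for r in rows)


def render_escaped(rows):
    """Hardened: HTML-encode on output; a stored tag is displayed as text, not run."""
    return "".join(f"<li>{html.escape(r[1])}: {html.escape(r[2])}</li>" for r in rows)


def find_tampered(db):
    """Clean-up check: ids of rows whose text columns carry a script tag."""
    return [r[0] for r in db.execute(
        "SELECT id FROM products WHERE name LIKE '%<script%' OR descr LIKE '%<script%'"
    )]


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # textbook probe: matches every row once spliced into the SQL
    print(len(lookup_concat(db, tautology)), "rows via concatenation")  # 2
    print(len(lookup_param(db, tautology)), "rows via parameter")       # 0
    print(render_raw(lookup_param(db, "gadget")))      # live <script> tag in the page
    print(render_escaped(lookup_param(db, "gadget")))  # &lt;script ...&gt; shown as text
    print("tampered rows:", find_tampered(db))         # [2]
```

Either fix alone is incomplete: parameterization stops new rows being tampered with, and output encoding stops rows that were already tampered with from executing, which is why a clean-up pass like find_tampered is still needed after patching the queries.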
  31. Re:Me too (but 4 DIFF. reasons)... apk by mandelbr0t · · Score: 1

    If you're willing to do this much work to avoid malware, well, go for it. Your performance gains, when compared to network latency, are probably so slight as to be imperceptible. Personally, I use AdBlock Plus and a local DNS server, and have never had issues with either malware, unwanted ads, or network performance. To each his own. If you don't want to get modded Troll, you might want to tone down on the caps and excessive bolding. You may have a legitimate technical point to make, but it gets lost in a tone that reminds me of a child throwing a tantrum.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
  32. Re:Can't you people type properly anymore? by L4t3r4lu5 · · Score: 2

    I'm not even a developer, and even I know the phrase "Sanitise your inputs".

    There's no excuse for injection vulnerabilities. None.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  33. Re:Me too (but 4 DIFF. reasons)... apk by darkpixel2k · · Score: 1

    Between a custom HOSTS file, & using "filtering" DNS servers (that specialize in blocking out malicious script & malware serving domains + phishing/spamming ones)?

    Can you please tell me how to modify my HOSTS file to block your stupid use of the bold tag? Fsck.

    --
    There's no place like ::1 (I've completed my transition to IPv6)