Slashdot Mirror


One Million Web Pages Attacked By Lilupophilupop

hankwang writes "The Internet Storm Center reported that one million web pages have been attacked by the Lilupophilupop SQL injection and contain a malicious JavaScript link. Affected sites can be found using a Google search query. See also the technical details of the SQL injection. The attack is directed to sites running ASP or ColdFusion with an MSSQL backend. The payload of the JavaScript leads, via redirects and obfuscated JavaScript, to a fake download page for Adobe Flash and antivirus software."
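For site owners checking whether their own stored content carries the injected link described in the summary, a scan for script tags that load from hosts outside an allowlist is one way to find affected rows. This is an added example, not part of the original story or the ISC write-up; the allowlist, the row layout and the sample rows are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this hypothetical site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources += [v.strip() for k, v in attrs if k == "src" and v]

def foreign_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return the sorted script hosts in `html` that are not allowlisted."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    hosts = set()
    for src in parser.sources:
        host = urlparse(src).hostname  # None for relative URLs such as /js/menu.js
        if host and host not in allowed:
            hosts.add(host)
    return sorted(hosts)

def scan_rows(rows, allowed=ALLOWED_SCRIPT_HOSTS):
    """rows: iterable of (row_id, text); returns {row_id: [hosts]} for hits only."""
    hits = {}
    for row_id, text in rows:
        hosts = foreign_script_hosts(text or "", allowed)  # NULL columns become ""
        if hosts:
            hits[row_id] = hosts
    return hits

# Constructed sample rows standing in for text columns read from the database.
SAMPLE_ROWS = [
    (1, '<p>Opening hours</p><script src="/js/menu.js"></script>'),
    (2, 'Spring sale<script src="http://lilupophilupop.com/sl.php"></script>'),
    (3, '<script src="https://cdn.example.com/lib.js"></script>'),
    (4, None),
]

if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS))
```

An allowlist catches the same injection under a different domain, which a search for one hostname would miss.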

21 of 120 comments

  1. 1 million pages? by grahamsaa · · Score: 4, Informative

    The Google query in the post returns "about 288,000" results, many of which come from the same domains. While I agree that this is serious, the claim that 1M pages have been attacked (and who really cares about pages anyway -- the number of sites / domains seems far more important to me) seems exaggerated.

    --
    Facts have a liberal bias.
    1. Re:1 million pages? by flatcat · · Score: 3, Funny

      Unfortunately Firefox with NoScript is preventing me from enjoying this new version of Adobe.

  2. Google search by d3ac0n · · Score: 2

    Turns up lots of tiny little "backwater" sites run by small businesses. Not surprising they would get nailed, they are the most vulnerable.

    But...

    Do I see ITT Tech in there as a victim?

    Ouch!

    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    1. Re:Google search by cdrudge · · Score: 2

      Do I see ITT Tech in there as a victim?

      No, that's just part of their Information Systems and Cybersecurity degree program.

  3. Hosted in.. Transnistria by Dynamoo · · Score: 5, Interesting

    The malware site is hosted by Specialist Ltd in Transnistria, who are a totally black hat operation. They can get away with it because almost nobody recognises the existence of Transnistria, so it is effectively outside the reach of international law enforcement.

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Hosted in.. Transnistria by drinkypoo · · Score: 2

      Great, maybe I can get them to host my website when you're no longer allowed free speech on the internet in the USA.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Hosted in.. Transnistria by boristdog · · Score: 2

      Wasn't the transnister invented there?

    3. Re:Hosted in.. Transnistria by mapkinase · · Score: 4, Funny

      Well, if freedom for you is to be able to say bad things about USA, then you are fine. Then Brezhnev's Russia had all the freedom:

      Brezhnev meets Reagan and the latter complains that Russia does not have freedom of speech, giving an example: "In US, everybody can go in front of White House and shout: Reagan is an idiot". Brezhnev retorts: "You can do the same in Russia: you can go to Red Square and shout: Reagan is an idiot".

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    4. Re:Hosted in.. Transnistria by Noughmad · · Score: 2

      Would that be the transistor that says Ni?

      --
      PlusFive Slashdot reader for Android. Can post comments.
  4. Misleading Title? by BoRictor · · Score: 2

    https://www.google.com/search?q=%22script+src=%22http://lilupophilupop.com/sl.php%22 shows only 286,000 results. Where did 1 million come from?

  5. Re:Resolving lilupophilupop.com... failed: Name or by hankwang · · Score: 4, Informative

    Strange; earlier today (when I submitted the story), they were online.

    The site redirected to this (http changed to hXXp): hXXp://plac41eadmi.rr.nu/n.php?h=1&s=sl
    which redirected to hXXp://www3.smartnetworkzgx.Kwik.To/?92ut2bc2=Xafe2G%2BXmmKsk9Hb2KuYmuPir52umJ6tpuGxZZPJZ9agmKKkpJiY

    which contained an obfuscated script that went on like this:

    var xrPke='QiqpR';if('xmFR'=='ZqpZB')aSetrA();}
    function ty6HJA7y3z10n0s(rFOaSw){var NLgXo="3845";var vJtxnk=132;var PmBBXq=[];var uqrx;var lTrQTu=0;

    But also the kwik.to website is offline now.

  6. Re:Can't you people type properly anymore? by pclminion · · Score: 2

    So I guess you've never made a typo before in your life?

    In a piece of text that has been edited for presentation to a wide audience? No. Those are corrected by a review process.

  7. Classic ASP? by Synerg1y · · Score: 2

    I'm wondering...

    Classic ASP + MSSQL combos aren't that common? It's usually IIS (ASP.NET) + MSSQL or ASP + MySQL. ColdFusion isn't that large either.

    As other people have said not even close to 1 million sites, point being there's probably not a million sites that run these combos.

  8. Re:Me too (but 4 DIFF. reasons)... apk by pclminion · · Score: 2

    Doesn't having a million-entry host file have some drawbacks? I expect either the whole thing is cached in memory (assuming 128 bytes per cache entry that's over 128 MB to cache the thing), or the file is linearly scanned every time you resolve a hostname, slowing down every single name resolution enormously. Either of those would kind of suck.

  9. Re:Can't you people type properly anymore? by man_of_mr_e · · Score: 4, Informative

    This has nothing to do with Microsoft. First, this is targeting classic ASP and Cold Fusion, that's a 15 year old technology that nobody uses anymore and a non-MS technology. Second, SQL injection attacks are all about the application code, not the framework.

  10. Re:Me too (but 4 DIFF. reasons)... apk by sexconker · · Score: 4, Informative

    Large hosts files absolutely slow down lookups.
    Furthermore, he says he uses 3 different DNS servers, so he's really just getting the security of the intersection of all 3 blacklists.
    He also claims his hosts file and router prevent malware from dialing home, despite the fact that such malware often has hardcoded IPs and would never need to perform a DNS lookup.

    The DNS/HOSTS troll has been around for a while, but the sad thing is it's not a copy-pasta. Each post is actually unique (though similar), so there's some moron behind the AC curtain actually typing that shit out every time. This troll is most easily identified by the formatting. It always has excessive sectioning, bolding, and use of asterisks, hyphens, and parentheticals. The end is always a "beat you over the head with it" moment. In this case it's a link to a Bing search on "how to secure" Windows XP/2000.

    Basically, don't feed the trolls.

  11. Oh noes not Adobe Flash! by maple_shaft · · Score: 5, Funny

    ... Oh man I was worried for a second! I thought the summary claimed that the JavaScript redirected you to download Adobe Flash. I was relieved to find out that it was a fake Adobe Flash download. Far less dangerous.

  12. Re:Can't you people type properly anymore? by Richard_at_work · · Score: 4, Informative

    I've read the linked pages, it's not a vulnerability in MSSQL, it's injected code which targets MSSQL so the blame lies with the application.

  13. Re:Can't you people type properly anymore? by bloodhawk · · Score: 2

    You seem to have some reading comprehension problems, it is NOT a MSSQL vulnerability at all, it is bad application programming which then allows an attacker to leverage MSSQL with malicious code.

  14. ColdFusion apologist by aclarke · · Score: 2

    ColdFusion (it hasn't been "Cold Fusion" since 1998) has had parameterized SQL commands for a decade. The problem is that there is still a high percentage of ColdFusion developers who are not educated enough to know what they are or why they should use them.

    CFML is such an easy language to program in that it encourages people who have not taken the time to learn the appropriate software engineering basics. It's a bit of a double-edged sword, really. Also, there's still a lot of 10+ year old ColdFusion code out there that hasn't been touched in a long time because it "still works", except, of course, that it doesn't, as we can see from this example.
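The difference between concatenated and parameterized SQL that the comment above refers to, shown side by side as an added example that is not part of the original thread. SQLite stands in for the MSSQL backend so the code runs offline; the table, function names and inputs are constructed assumptions. In CFML the bound-value form is written with the `cfqueryparam` tag.

```python
import sqlite3

def make_db():
    """In-memory stand-in for a site's article table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, draft INTEGER)")
    db.executemany(
        "INSERT INTO articles (title, draft) VALUES (?, ?)",
        [("Opening hours", 0), ("Spring sale", 0), ("Unpublished price list", 1)],
    )
    return db

def find_concatenated(db, title):
    """Vulnerable pattern: request input is spliced into the SQL text."""
    sql = "SELECT title FROM articles WHERE draft = 0 AND title = '" + title + "'"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, title):
    """Hardened pattern: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT title FROM articles WHERE draft = 0 AND title = ?"
    return [row[0] for row in db.execute(sql, (title,))]

# Constructed inputs: a normal title, a title with an apostrophe, and a string
# that changes the WHERE clause when it is spliced into the statement.
NORMAL, APOSTROPHE, HOSTILE = "Spring sale", "O'Brien", "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for value in (NORMAL, APOSTROPHE, HOSTILE):
        try:
            spliced = find_concatenated(db, value)
        except sqlite3.OperationalError as exc:
            spliced = f"SQL error: {exc}"  # the apostrophe breaks the statement
        print(repr(value), "| concatenated:", spliced,
              "| parameterized:", find_parameterized(db, value))
```

With the concatenated form the third input returns every row, including the draft; with the bound parameter all three inputs are compared as plain text.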

  15. Re:Can't you people type properly anymore? by L4t3r4lu5 · · Score: 2

    I'm not even a developer, and even I know the phrase "Sanitise your inputs".

    There's no excuse for injection vulnerabilities. None.

    --
    Finally had enough. Come see us over at https://soylentnews.org/