Lilupophilupop tops 1million infected pages - SANS Internet Storm Center

Lilupophilupop tops 1million infected pages
Earlier in the month we published an article regarding the lilupophilupop.com SQL injection attacks (http://isc.sans.edu/diary.html?storyid=12127). being a month onwards I though it might be a good time to reflect on this attack and see how it is going. When I first came upon the attack there were about 80 pages infected according to Google searches. Today, well as the title suggests we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches. Still working on a discrete domain list for this). Just to give you a rough idea of where the pages are: UK - 56,300 NL - 123,000 DE - 49,700 FR - 68,100 DK - 31,000 CN - 505 CA - 16,600 COM - 30,500 RU - 32,000 JP - 23,200 ORG - 2,690 If you want to find out if you have a problem just search for "<script src="http://lilupophilupop.com/" in google and use the site: parameter to hone in on your domain. If you are still looking then check the logs for the strings in the earlier article. That should find them. If you are interested in sharing web logs please let me know. Just filter them for error code 500 events and send those through, then I'll likely ask for a follow up trying to determine the earlier reconnaissance events. At the moment it looks like it is partially automated and partially manual. The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period. Cheers Mark H	Mark 392 Posts ISC Handler Dec 31st 2011
Thread locked Subscribe	Dec 31st 2011 1 decade ago
Hi, 'd know tell me what type of infection you use??? I can see the code sl.php? sorry for my bad English thanks a lot	Anonymous
Quote	Jan 2nd 2012 1 decade ago
Amazing that the domain is still active and has never been taken down	dayglo 5 Posts
Quote	Jan 2nd 2012 1 decade ago
I'm not at all amazed that the site is still up. See http://google.com/safebrowsing/diagnostic?site=AS:48691 for an idea of why.	dayglo 5 Posts
Quote	Jan 2nd 2012 1 decade ago
Can a simple cable or ADSL user block this network? Is it possible when they had BGP compatible routers and connections? Will it be better with IPv6?	Anonymous
Quote	Jan 3rd 2012 1 decade ago
For a home user, opendns.com is probably the simplest (free) way to protect yourself against this and other threats. You could also just add an entry to the "hosts" file on your system for that domain, but this will only block this one domain and will be harder to manage. From my testing, browser blocklists like Firefox's "safe browsing" feature block the domain already.	Johannes 4515 Posts ISC Handler
Quote	Jan 3rd 2012 1 decade ago
Ok about the123.000 hitting in NL are mainly from one site 1. everything that ends with .vakantieland.nl (approx 48.000 hits) the rest is mostly refering to the threat, so less fuss then expected....	Johannes 1 Posts
Quote	Jan 4th 2012 1 decade ago