Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Websense warns about Lizamoon SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Websense warns about Lizamoon

This article over on the Websense blog is warning about a new mass sql-injection attack that they have dubbed "Lizamoon".  (As that's the domain that the sql injection attack is referring people to.)

By searching for the string in Google, an estimated 226,000 sites have been attacked and defaced with this method.  (We know that the numbers from Google aren't accurate, we are putting them there to display the size of the attack -- BIG.)

While I don't necessarily agree with the title of the article (implying that iTunes is infected), this attack and the Mysql attack from earlier this week are just more examples of how there isn't enough emphasis put on preventing sql injection.

 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 Joel

454 Posts
Mar 31st 2011
Thread locked Subscribe Mar 31st 2011
9 years ago
the domain lizamoon-com has been disabled already.

I haven't found new domains being used, but I know they are being generated.
 HackDefendr

65 Posts
Quote Mar 31st 2011
9 years ago
Change that ... http://ddanchev-blogspot-com has a nice list of domains used, all of which seem to be down as well.
 HackDefendr

65 Posts
Quote Mar 31st 2011
9 years ago
Linked article quotes: "The domain lizamoon.com was registered three days ago with clearly fake information"

I've said for years now that domain registration needs to be controlled better... and this is a prime example.
 Anonymous
Quote Mar 31st 2011
9 years ago
Other domains:

hxxp://milapop.com/ur.php
hxxp://pop-stats.info/ur.php
hxxp://eva-marine.info/ur.php
hxxp://google-stats50.info/ur.php
hxxp://google-stats44.info/ur.php
hxxp://google-stats45.info/ur.php
hxxp://google-stats47.info/ur.php
hxxp://google-stats48.info/ur.php
hxxp://google-stats49.info/ur.php
hxxp://system-stats.info/ur.php
hxxp://stats-master88.info/ur.php
hxxp://stats-master11.info/ur.php
hxxp://stats-master111.info/ur.php
hxxp://agasi-story.info/ur.php
hxxp://social-stats.info/ur.php
hxxp://extra-service.info/ur.php
http://sol-stats.info/ur.php
 mc

2 Posts
Quote Apr 1st 2011
9 years ago
I am now trying to work on a quick-fix for infected sites. For this I need examples of infected files. Please help by uploading your infected web-sites at http lizamoon.tenea.eu
 mc
1 Posts
Quote Apr 2nd 2011
9 years ago

Sign Up for Free or Log In to start participating in the conversation!