Lilupophilupop SQLi Attack: One Million URLs Infected

Thursday, January 05, 2012


SANS' Internet Storm Center handler Mark Hofman reports that the Lilupophilupop SQL injection attack, first identified in early December 2011, has quickly spread to as many as one million URLs.

Hofman was careful to note that the actual number of infected pages has not yet been determined, but the number of URLs jeopardized has nonetheless increased rapidly in a short time period.

"When I first came upon the attack there were about 80 pages infected according to Google searches. Today, well as the title suggests we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches. Still working on a discrete domain list for this)," Hofman writes.

Hofman suggests that the rate of infection may be due partially to automated replication, as well as to the authors having a well-organized and sizeable team of technicians working to spread the exploit.

"At the moment it looks like it is partially automated and partially manual. The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period," Hofman continued.

Early analysis shows infection rates per country as follows:

  • UK - 56,300
  • NL - 123,000
  • DE - 49,700
  • FR - 68,100
  • DK - 31,000
  • CN - 505
  • CA - 16,600
  • COM - 30,500
  • RU - 32,000
  • JP - 23,200
  • ORG - 2,690

"If you want to find out if you have a problem just search for "< s c r i p t   s r c = " h t t p : / / l i l u p o p h i l u p o p . c o m / " [omit additional spaces] in google and use the site: parameter to hone in on your domain. If you are still looking then check the logs for the strings in the earlier article. That should find them. If you are interested in sharing web logs please let me know. Just filter them for error code 500 events and send those through, then I'll likely ask for a follow up trying to determine the earlier reconnaissance events," Hofman advised.
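The two local checks Hofman describes (looking for the injected script tag in served content, and filtering web logs for error code 500 events together with the same client's earlier requests) can be scripted. The following is an added example, not code from the ISC diary or from Infosec Island; the combined log format, the sample log lines, the sample pages and all function names are assumptions constructed for illustration.

```python
import re

# Injected tag as quoted in the article; tolerant of case, spacing and quote style.
INJECTED_TAG = re.compile(
    r"<\s*script[^>]*\bsrc\s*=\s*[\"']?\s*https?://(?:[\w-]+\.)*lilupophilupop\.com\b",
    re.IGNORECASE,
)
# Assumption: access logs are in Apache/NGINX "combined" format, in time order.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_injected_pages(pages):
    """Names of pages (name -> HTML text) that contain the injected script tag."""
    return sorted(name for name, html in pages.items() if INJECTED_TAG.search(html))

def parse(lines):
    """Yield one dict per log line that matches the expected format."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()

def error_500_events(lines):
    """The events Hofman asks for: requests answered with HTTP 500."""
    return [e for e in parse(lines) if e["status"] == "500"]

def requests_before_first_500(lines):
    """Per client that triggered a 500: the URLs it requested before its first 500."""
    entries = list(parse(lines))
    history = {}
    for i, e in enumerate(entries):
        if e["status"] == "500" and e["ip"] not in history:
            history[e["ip"]] = [p["url"] for p in entries[:i] if p["ip"] == e["ip"]]
    return history

# Constructed sample data (documentation IP ranges, placeholder parameter value).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2011:10:00:01 +0000] "GET /item.asp?id=7 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Dec/2011:10:02:13 +0000] "GET /item.asp?id=7 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Dec/2011:10:02:15 +0000] "GET /item.asp?id=PLACEHOLDER HTTP/1.1" 500 1208',
    '198.51.100.7 - - [01/Dec/2011:10:02:19 +0000] "GET /item.asp?id=PLACEHOLDER HTTP/1.1" 500 1208',
    '192.0.2.10 - - [01/Dec/2011:10:05:40 +0000] "GET /about.asp HTTP/1.1" 200 2048',
]
SAMPLE_PAGES = {
    "item7.html": '<p>Widget</p><SCRIPT  SRC = "http://lilupophilupop.com/"></SCRIPT>',
    "about.html": '<p>About us</p><script src="/static/app.js"></script>',
}

if __name__ == "__main__":
    print("Pages with injected tag:", find_injected_pages(SAMPLE_PAGES))
    print("HTTP 500 events:", len(error_500_events(SAMPLE_LOG)))
    print("Requests before first 500:", requests_before_first_500(SAMPLE_LOG))
```

Because the injection lands in database content, the page check is most useful when run over rendered pages or exported text columns rather than over static files alone.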

Source: https://isc.sans.edu/diary.html?date=2011-12-31

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.