ISC Diary

Earlier in the month we published an article regarding the lilupophilupop.com SQL injection attacks (http://isc.sans.edu/diary.html?storyid=12127).   being a month onwards I though it might be a good time to reflect on this attack and see how it is going. 

When I first came upon the attack there were about 80 pages infected according to Google searches.  Today, well as the title suggests we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches. Still working on a discrete domain list for this).
Just to give you a rough idea of where the pages are:

• UK - 56,300
• NL - 123,000
• DE - 49,700
• FR - 68,100
• DK - 31,000
• CN - 505
• CA - 16,600
• COM - 30,500
• RU - 32,000
• JP - 23,200
• ORG - 2,690

If you want to find out if you have a problem just search for "<script src="http://lilupophilupop.com/" in google and use the site: parameter to hone in on your domain. 

If you are still looking then check the logs for the strings in the earlier article. That should find them.  If you are interested in sharing web logs please let me know.  Just filter them for error code 500 events and send those through, then I'll likely ask for a follow up trying to determine the earlier reconnaissance events. 

At the moment it looks like it is partially automated and partially manual.  The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period.

Cheers

Mark H