Lilupophilupop tops 1million infected pages

Published: 2011-12-31
Last Updated: 2011-12-31 07:33:00 UTC
by Mark Hofman (Version: 1)
6 comment(s)

Earlier in the month we published an article regarding the lilupophilupop.com SQL injection attacks (http://isc.sans.edu/diary.html?storyid=12127).   being a month onwards I though it might be a good time to reflect on this attack and see how it is going. 

When I first came upon the attack there were about 80 pages infected according to Google searches.  Today, well as the title suggests we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches. Still working on a discrete domain list for this).
Just to give you a rough idea of where the pages are:

  • UK - 56,300
  • NL - 123,000
  • DE - 49,700
  • FR - 68,100
  • DK - 31,000
  • CN - 505
  • CA - 16,600
  • COM - 30,500
  • RU - 32,000
  • JP - 23,200
  • ORG - 2,690

If you want to find out if you have a problem just search for "<script src="http://lilupophilupop.com/" in google and use the site: parameter to hone in on your domain. 

If you are still looking then check the logs for the strings in the earlier article. That should find them.  If you are interested in sharing web logs please let me know.  Just filter them for error code 500 events and send those through, then I'll likely ask for a follow up trying to determine the earlier reconnaissance events. 

At the moment it looks like it is partially automated and partially manual.  The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period.

Cheers

Mark H
 

Keywords:
6 comment(s)

Comments

Hi,

'd know tell me what type of infection you use???

I can see the code sl.php?

sorry for my bad English

thanks a lot
Amazing that the domain is still active and has never been taken down
I'm not at all amazed that the site is still up. See http://google.com/safebrowsing/diagnostic?site=AS:48691 for an idea of why.
Can a simple cable or ADSL user block this network?
Is it possible when they had BGP compatible routers and connections?
Will it be better with IPv6?
For a home user, opendns.com is probably the simplest (free) way to protect yourself against this and other threats. You could also just add an entry to the "hosts" file on your system for that domain, but this will only block this one domain and will be harder to manage. From my testing, browser blocklists like Firefox's "safe browsing" feature block the domain already.
Ok about the123.000 hitting in NL are mainly from one site
1. everything that ends with .vakantieland.nl (approx 48.000 hits)
the rest is mostly refering to the threat, so less fuss then expected....

Diary Archives