Attacks against IIS/ASP sites – alisa-carter dot com

Over the last few days, we’ve seen a number of sites getting hacked with a malware script pointing to http://alisa-carter.com/ur.php . It is done using the same SQL injection attack as used in therobint-us mass infection a few months ago.

Multiple domains are being used to distribute the malware, including:

http://alisa-carter.com/ur.php

http://google-stats50.info/ur.php

http://pop-stats.info/ur.php

http://sol-stats.info/ur.php

http://online-guest.info/ur.php

http://google-stats48.info/ur.php

http://google-stats49.info/ur.php

http://google-stats50.info/ur.php

http://multi-stats.info/ur.php


All of them hosted at 95.64.9.18. Google already blacklisted more than 500 sites due to this infection, and the number is growing:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 503 domain(s), including jtjy.com/, hectorandstreak.com/, kpic.or.kr/.

A good way to check if your site is infected, is by using our malware scanner. If you see IIS:4 as the malware code, you know what happened.

If you have any questions or need help cleaning it up, let us know. If you need immediate clean up assistance, visit our Sign Up page.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.