There has been a lot of talk for the last few days about a mass sql injection targeting IIS/ASP.net sites.
Those attacks has been going for a while and the lizamoon.com/ur.php is not the only domain being used to distribute the malware, making the attack a lot bigger than what has been reported.
For example, the alisa-carter.com/ur.php caused more than 900 domains to get blacklisted and google reports more than 500k URLs infected with it.
These are just some of the other domains being used. If you search for each one on Google you will find thousands of references (all injected on IIS sites, using the same ur.php scheme and hosted on similar locations):
Most of those were registered by:
James Northone firstname.lastname@example.org
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
Registrant Name:Vasea Petrovich
Registrant Postal Code:76549
Registrant Phone Ext.:
Registrant FAX Ext.:
We posted more details on these types of attacks when the first one hit almost a year ago: Mass infection of IIS/ASP sites – robint.us
A good way to check if your site is infected, is by using our malware scanner. If you see IIS:4 as the malware code, you know what happened.
If you have any questions or need help cleaning it up, let us know. If you need immediate clean up assistance, visit our Sign Up page.