Sucuri Blog

Website Security News


LizaMoon Mass SQL injection (ur.php) – Updates

April 4, 2011 | David Dede


There has been a lot of talk over the last few days about a mass SQL injection targeting IIS/ASP.NET sites.

These attacks have been going on for a while, and lizamoon.com/ur.php is not the only domain being used to distribute the malware, making the attack a lot bigger than what has been reported.

For example, alisa-carter.com/ur.php caused more than 900 domains to get blacklisted, and Google reports more than 500k URLs infected with it.

These are just some of the other domains being used. If you search for each one on Google, you will find thousands of references (all injected into IIS sites, using the same ur.php scheme and hosted in similar locations).


Most of those were registered by:

Registrant Contact:
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

or

Registrant Name:Vasea Petrovich
Registrant Organization:
Registrant Street1:Varlaam
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:
Registrant Postal Code:76549
Registrant Country:MO
Registrant Phone:
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:tik0066@gmail.com

We posted more details on these types of attacks when the first one hit almost a year ago: Mass infection of IIS/ASP sites – robint.us

Some references on this new attack: Websense, SANS.

A good way to check if your site is infected is by using our malware scanner. If you see IIS:4 as the malware code, you know what happened.
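
A local check to complement the scanner, as an added example that is not Sucuri's code: it parses a rendered page and reports third-party hosts loaded through a `<script>` tag whose path is `/ur.php`. The script-tag form of the injection, the function names and the `.example` sample hosts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

INJECTED_PATH = "/ur.php"  # script name shared by the domains in this campaign

# Constructed sample page (hosts are placeholders, not real indicators).
SAMPLE_PAGE = """<html><head>
<title>Blue widget</title><script src=http://stats-a.example/ur.php></script></title>
<script src="/js/site.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body>
<td>Red widget<script src="HTTP://Stats-B.example/ur.php"></script></td>
<script src="http://shop.example/ur.php"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> tag, quoted or unquoted."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_injected_scripts(html, site_host):
    """Return sorted third-party hosts that serve /ur.php to this page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hits = set()
    for src in collector.sources:
        url = urlparse(src)
        host = (url.hostname or "").lower()  # relative URLs have no host
        if host and host != site_host.lower() and url.path.lower() == INJECTED_PATH:
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    for host in find_injected_scripts(SAMPLE_PAGE, "shop.example"):
        print("injected script host:", host)
```

A hit means the tag is being served from stored content, so the database fields behind that page need cleaning as well as the page itself.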


If you have any questions or need help cleaning it up, let us know. If you need immediate clean up assistance, visit our Sign Up page.


Categories: Website Malware Infections
Tags: Hacked Websites, Malware Updates, Server Security, SQL Injection

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.
