Lilupophilupop tops 1million infected pages
Earlier in the month we published an article regarding the lilupophilupop.com SQL injection attacks (http://isc.sans.edu/diary.html?storyid=12127). being a month onwards I though it might be a good time to reflect on this attack and see how it is going.
When I first came upon the attack there were about 80 pages infected according to Google searches. Today, well as the title suggests we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches. Still working on a discrete domain list for this).
Just to give you a rough idea of where the pages are:
- UK - 56,300
- NL - 123,000
- DE - 49,700
- FR - 68,100
- DK - 31,000
- CN - 505
- CA - 16,600
- COM - 30,500
- RU - 32,000
- JP - 23,200
- ORG - 2,690
If you want to find out if you have a problem just search for "<script src="http://lilupophilupop.com/" in google and use the site: parameter to hone in on your domain.
If you are still looking then check the logs for the strings in the earlier article. That should find them. If you are interested in sharing web logs please let me know. Just filter them for error code 500 events and send those through, then I'll likely ask for a follow up trying to determine the earlier reconnaissance events.
At the moment it looks like it is partially automated and partially manual. The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period.
Cheers
Mark H
Comments
'd know tell me what type of infection you use???
I can see the code sl.php?
sorry for my bad English
thanks a lot
drotha2
Jan 2nd 2012
1 decade ago
dayglo
Jan 2nd 2012
1 decade ago
ibdb
Jan 2nd 2012
1 decade ago
Is it possible when they had BGP compatible routers and connections?
Will it be better with IPv6?
Jack
Jan 3rd 2012
1 decade ago
Dr. J.
Jan 3rd 2012
1 decade ago
1. everything that ends with .vakantieland.nl (approx 48.000 hits)
the rest is mostly refering to the threat, so less fuss then expected....
sHone
Jan 4th 2012
1 decade ago