• LizaMoon Hack: Mass SQL Injection

    SQL injection is a technique used by malicious hackers and security researchers to inject code into a website. It exploits websites that handle input improperly, for example by taking raw input from forms and using it directly in database queries.

    SQL Injection continues to be a major security vulnerability. Malicious hackers can exploit SQL injection vulnerabilities to insert malware onto websites without the knowledge of the website owner.

    LizaMoon Mass SQL Injection
    Recently, Websense published a report detailing LizaMoon – what they deem to be one of the most widespread SQL injection attacks.

    This attack primarily injects the following piece of code:

    src=hxxp://lizamoon.com/ur.php
    

    This link loads a fake AV page:

    defender-uqko.in
    

    What Links are Injected?
    We appreciate the information that Websense researchers have shared so far. Perhaps we can add a little more detail to this information.

    We observe SQL injection attacks on a daily basis in our corpus of almost 200,000 samples of web malware. These attacks can be observed on websites every day. They are not restricted to injecting just one malicious link inside benign web pages.

    For more information, take a look at our post about how hackers can inject multiple links into compromised sites via SQL injection of benign sites.

    In this case the following link was not injected alone:

    src=hxxp://lizamoon.com/ur.php
    

    The following links were also injected:

    

    Who owns these malicious sites?
    Most of the web sites seem to be registered to the following entity.

    Registrant Contact:

    Vasea Petrovich ()
    
    Fax:
    Varlaam
    Moscow,  76549
    MOSCOW
    

    Administrative Contact:

    Vasea Petrovich (tik0066@gmail.com)
    11111111111111111
    Fax:
    Varlaam
    Moscow,  76549
    MOSCOW
    

    Technical Contact:

    Vasea Petrovich (tik0066@gmail.com)
    11111111111111111
    Fax:
    Varlaam
    Moscow,  76549
    MOSCOW
    

    How Do I Protect My Site?
    Webmasters and administrators should search for instances of each malicious link in their sites to ensure that they remove all occurrences of the injected links. More importantly, it is critical to identify the cause of the SQL injection that allowed the site to be compromised.
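
    One way to carry out the search described above, as an added example (not StopTheHacker's own tooling): it finds and strips `<script>` tags that load `/ur.php` from a host other than your own. The `.example` hosts, the record ids and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# <script ... src=URL ...></script>; the src value may be quoted or bare.
SCRIPT_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>\s*</script\s*>""",
    re.IGNORECASE,
)

def src_of(match):
    """Return the src value from whichever quoting alternative matched."""
    return next(g for g in match.groups() if g is not None)

def is_suspicious(src, own_hosts, path="/ur.php"):
    """True for a script on a foreign host whose path matches the injected one."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    return bool(host) and host not in own_hosts and parts.path.lower() == path

def scan(records, own_hosts):
    """Return [(record_id, src)] for every suspicious script tag found."""
    return [
        (rec_id, src_of(m))
        for rec_id, text in records.items()
        for m in SCRIPT_RE.finditer(text)
        if is_suspicious(src_of(m), own_hosts)
    ]

def strip_injected(text, own_hosts):
    """Delete suspicious script tags and leave everything else untouched."""
    keep = lambda m: "" if is_suspicious(src_of(m), own_hosts) else m.group(0)
    return SCRIPT_RE.sub(keep, text)

# Constructed sample: record id -> stored text (database column or page file).
OWN_HOSTS = {"www.shop.example"}
SAMPLE = {
    "products:17": "Blue widget<script src=http://injected.example/ur.php></script>",
    "products:18": 'Red widget <script src="/js/zoom.js"></script>',
    "pages:3": "<p>About</p><SCRIPT SRC='http://other-injected.example/ur.php'></SCRIPT>",
    "pages:4": '<script src="http://www.shop.example/ur.php"></script>',
}

if __name__ == "__main__":
    for rec_id, src in scan(SAMPLE, OWN_HOSTS):
        print(f"{rec_id}: injected script {src}")
```

    Run it over exported database text columns as well as page files, since the stored content is what gets served; cleaning the records does not close the injection point that let them be written.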

    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

    Till next time…

    • […] of attack known as mass SQL injection, the most prominent recent example of which was the so-called Lizamoon attack last March that corrupted an estimated 5,600 websites, according to Google researcher Niels […]

      Posted by New ‘mass-meshing’ attacks poisoning small-biz sites by the thousands | The Last Watchdog on June 15th

    • […] recent example of which was the so-called Lizamoon attack last March that corrupted an estimated 5,600 websites, […]

      Posted by Website Traffic | Technology Live: News and gadgets from our network of reporters on July 9th

    • […] Read about LizaMoon in our first report: LizaMoon Hack: Mass SQL Injection […]

      Posted by It’s LizaMoon All Over Again – stopthehacker.com – Jaal, LLC on August 25th

    • At work with SQL files I usually use next software-, tool is free as far as I know, it repairs data from corrupted databases in the MS SQL Server format (files with the *.mdf extension), supports data extraction via the local area network, can save recovered data as SQL scripts, it is also possible to split data into files of any size, compatible with all supported versions of Microsoft Windows, such as Windows 98, Windows Me, Windows NT 4.0, Windows 2000, Windows XP, Windows XP SP2, Windows 2003 Server, Windows Vista, tool supports the following database formats: Microsoft SQL Server 7.0, 2000, 2005, also can repair .mdf files of Microsoft SQL Server 2005, repair mdf file of Microsoft SQL Server 2005 (64-bit).

      Posted by Sosa on September 2nd