• It’s LizaMoon All Over Again

    The state of website security has been steadily improving over the last few months. Website owners and administrators are beginning to wake up to the fact that malicious hackers can use legitimate, benign websites to spread malware on the Internet. However, there is a long way to go.

    Just recently we have seen a spike in the number of incidents associated with the LizaMoon infections we documented a while back. We have recorded approximately 6.3 million websites infected by malware as part of this SQL injection attack.

    Read about LizaMoon in our first report: LizaMoon Hack: Mass SQL Injection

    What links are injected?
    Some of the most popular pieces of malware are being injected as scripts.

    Samples are listed below:

    src=hxxp://bookvoxy.com/ur.php
    src=hxxp://online-stats201.info/ur.php
    src=hxxp://vcvsta.com/ur.php
    src=hxxp://asweds.com/ur.php
    

    Additional samples closely associated with the LizaMoon infection:

    

    Which sites are aiding the attack?
    This blog entry (thanks, Dynamoo!) confirms our findings that these links are not only used in the distribution of malware but also in SEO poisoning campaigns.

    Below is a list of sites used to spread the fraudulent SEO campaign as well as distribute malware.

    

    Who owns these malicious sites?
    The registrant for these fake sites is a common entity:

    James Northone (jamesnorthone@hotmailbox.com)
    +1.5168222749
    fax: +1.5168222749
    128 Lynn Court
    Plainview, NY 1180
    USA
    

    How do I protect my site?
    Webmasters and administrators should search for instances of each malicious link in their sites to ensure that they remove all occurrences of the injected links. More importantly, it is critical to identify the cause of the SQL injection that allowed the site to be compromised.
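
    One way to run the search described above, as an added example rather than StopTheHacker's own tooling: it scans exported page or database text for script tags that load /ur.php from a remote host, the pattern in the src= samples quoted earlier, and marks whether the host is one of those samples. The export format, function name and sample rows are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts taken from the "src=" samples quoted in the post above.
KNOWN_HOSTS = {"bookvoxy.com", "online-stats201.info", "vcvsta.com", "asweds.com"}

# <script ... src=URL ...> with the URL double-quoted, single-quoted or bare.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)

def find_injected_scripts(text):
    """Return (line_no, host, known) in line order for remote /ur.php script tags."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SCRIPT_SRC.finditer(line):
            url = next(g for g in m.groups() if g is not None).strip()
            # Accept defanged copies (hxxp://) pasted from reports.
            url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
            try:
                parts = urlsplit(url)
            except ValueError:
                continue  # malformed URL, nothing to resolve
            host = (parts.hostname or "").lower()
            # Local scripts have no host; only remote /ur.php loads are reported.
            if host and parts.path.lower() == "/ur.php":
                hits.append((line_no, host, host in KNOWN_HOSTS))
    return hits

# Constructed sample: tab-separated "table.column<TAB>value" rows from a text export.
SAMPLE_EXPORT = """\
products.title\tBlue widget
products.title\tRed widget</title><script src=http://bookvoxy.com/ur.php></script>
pages.body\t<p>About us</p><script src="/js/site.js"></script>
pages.body\t<p>News</p><SCRIPT SRC='hxxp://stats.example.test/ur.php'></SCRIPT>
"""

if __name__ == "__main__":
    for line_no, host, known in find_injected_scripts(SAMPLE_EXPORT):
        label = "listed sample host" if known else "same pattern, unlisted host"
        print(f"line {line_no}: {host} ({label})")
```

    Hits on unlisted hosts matter as much as listed ones, since the injected domains change between waves; every hit marks a record to clean and a write path to trace back to the injectable query.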

    StopTheHacker.com customers are protected against this kind of threat. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

    Till next time…

    • […] We have also blogged extensively about the lizamoon attacks, about a year or so ago, here. […]

      Posted by Experts explain: SQL Injection – stopthehacker.com – Jaal, LLC on January 17th

    • […] We have also blogged extensively about the lizamoon attacks, about a year or so ago, here. […]

      Posted by What is a SQL Injection? « OzHosting.com Blog on February 2nd