Lilupophilupop tops 1million infected pages

Published: 2011-12-31. Last Updated: 2011-12-31 07:33:00 UTC
by Mark Hofman (Version: 1)
6 comment(s)

Earlier in the month we published an article regarding the lilupophilupop.com SQL injection attacks (http://isc.sans.edu/diary.html?storyid=12127). Being a month on, I thought it might be a good time to reflect on this attack and see how it is going.

When I first came upon the attack there were about 80 pages infected according to Google searches. Today, as the title suggests, we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches; I am still working on a discrete domain list for this).
Just to give you a rough idea of where the pages are:

  • UK - 56,300
  • NL - 123,000
  • DE - 49,700
  • FR - 68,100
  • DK - 31,000
  • CN - 505
  • CA - 16,600
  • COM - 30,500
  • RU - 32,000
  • JP - 23,200
  • ORG - 2,690

If you want to find out if you have a problem, just search for "<script src="http://lilupophilupop.com/" in Google and use the site: parameter to home in on your domain.

If you are still looking, then check the logs for the strings in the earlier article. That should find them. If you are interested in sharing web logs please let me know. Just filter them for error code 500 events and send those through; then I'll likely ask for a follow-up trying to determine the earlier reconnaissance events.
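The checks in the two paragraphs above, as an added example that is not part of the original diary: it filters a web server access log for HTTP 500 responses, groups every request made by the clients that triggered them so the earlier reconnaissance requests can be reviewed, and tests served HTML for the injected script tag. The combined log format and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; adjust the regex to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# The marker the diary tells you to search for in Google, checked here directly in page content.
INJECTED_MARKER = '<script src="http://lilupophilupop.com/'


def parse_log(text):
    """Yield one dict per parseable access-log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def server_error_events(text):
    """Return (ip, timestamp, path) for every HTTP 500 response, the events the diary asks for."""
    return [(e["ip"], e["ts"], e["path"]) for e in parse_log(text) if e["status"] == "500"]


def requests_by_suspect_ip(text):
    """Group every request (any status) by the client IPs that triggered a 500.

    The full history of such a client is where the reconnaissance requests that
    preceded the injection attempt will show up."""
    suspects = {ip for ip, _, _ in server_error_events(text)}
    history = defaultdict(list)
    for e in parse_log(text):
        if e["ip"] in suspects:
            history[e["ip"]].append((e["ts"], e["status"], e["path"]))
    return dict(history)


def page_is_infected(html):
    """True if the served HTML carries the injected lilupophilupop script tag."""
    return INJECTED_MARKER in html


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Dec/2011:10:01:02 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Dec/2011:10:01:09 +0000] "GET /products.asp?id=abc HTTP/1.1" 500 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2011:10:02:00 +0000] "GET /index.asp HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2011:10:02:30 +0000] "GET /about.asp HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.44 - - [30/Dec/2011:10:03:11 +0000] "GET /news.asp?item=7 HTTP/1.1" 500 1043 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ev in server_error_events(SAMPLE_LOG):
        print("HTTP 500:", ev)
    for ip, reqs in requests_by_suspect_ip(SAMPLE_LOG).items():
        print(ip, "->", len(reqs), "request(s) to review")
```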

At the moment it looks like it is partially automated and partially manual. The manual component and the number of sites infected suggest a reasonably sized workforce or a long preparation period.

Cheers

Mark H

Bye 2011, Hello 2012, what will you have in store for us?

Published: 2011-12-31. Last Updated: 2011-12-31 06:57:26 UTC
by Mark Hofman (Version: 1)
2 comment(s)

With the last day of the year well and truly on the way in most parts of the world, and almost finished in my part of the world, it is probably a nice time to reflect a little on the year that was. It seems to be popular on the various news channels, so it is only fair that we have our own.

On the vulnerabilities front there were of course the usual Microsoft ones, culminating in MS11-100 yesterday, which ensured all admins had a wonderful day. I guess the good news is that it is 6 fewer than last year? Adobe had its fair share throughout the year and is still a very popular target.

We saw some waves of different types of attacks: a lot of SSH brute force attacks as well as FTP attacks. We had quite a few reports of DDoS attacks throughout the year, some in the Gbps range. Malware of course is still one of the bigger problems, and whilst users can and do click "yes" and security products primarily use blocklists, that will remain a problem.

We had some interesting issues with SSL throughout the year, with Apache, and of course in the last few days with ASP.NET.

So what will 2012 bring us?

IPv4 allocations are no longer, so whether we like it or not IPv6 is going to be featuring on many of our future projects list for 2012. If you haven't looked at it yet, now is a good time to start reading and playing in the labs.  Many security tools are not all that cool with IPv6 yet and some won't be until consumers start asking the question.

On the malware front I predict more of the same. The basic things are still working, so why change? Until the basic security controls are in place in most organisations as well as on home computers, most of the malware will continue to function without too much change in 2012. We might see more tailored attacks on organisations, and breaking in is as simple as one click in many cases.

On the security product front I can't see too many changes. No doubt there will be more products in the "cloud". Cloud computing will remain sexy in 2012, and until there is a major, major insertfavouritewordhere-up there probably will not be too many changes on that front. Don't get me wrong, there is a place for cloud computing, but not for everything or everyone. There will probably be more of a push by firewall vendors into application awareness in their products. AV vendors already are, and will continue to, push into whitelisting applications rather than blocklisting. Hopefully people will start considering switching it on.

Anyway, that is enough of my predictions. If you have a significant event for 2011 that you would like to contribute, or a prediction for 2012, feel free to comment or submit via the contact form.

From all of us here at the Internet Storm Center, all the best wishes for the new year.

Mark H
