Proactive IT Security
 

SQL injection reaches pandemic proportions

2011-03-31 [Software advisories]

On 29 March, the security company Websense reported a SQL injection attack that affected thousands of web sites.

This injection - dubbed LizaMoon, since that name was part of the originally inserted script - has now reached pandemic proportions, and millions of web pages are infected.

The SQL injection adds a JavaScript script reference to vulnerable web pages. There are several variants - all of those observed by Norman have the following syntax within the script:

http://computer_name/ur.php

Some of the computer name variants are:

google-statsnumber.info
stats-masternumber.info
name.com
name.info

At least some of the different 'computer_name' hosts seem to be unresponsive.

There is currently little information available about the vulnerability that is exploited.

According to ParaSec:

(...) there are some commonalities, all the ones I investigated were running Windows and IIS versions 5.x, 6.x and 7.x. Sites were running active server pages (ASP) or ColdFusion (CFM). I did not see any mainstream web applications, but in general the exploited sites had a variety of forum or CMS software. (...)
The attack has been successful against .asp, .aspx and .cfm pages so I assume it’s using a variety of exploits.

Norman recommends that those who are responsible for web sites check whether their sites are infected.
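One way to carry out this check on saved page source or an exported database field, as an added example that is not Norman's own tooling: it reports every script tag whose source follows the http://computer_name/ur.php syntax described above. The function name, the sample hosts and the handling of entity-escaped markup are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# <script ... src=URL ...> with the URL double-quoted, single-quoted or unquoted.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)

def find_injected_scripts(page_text, own_hosts=()):
    """Return (line_no, host, url) for each script src of the form <host>/ur.php."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line_no, line in enumerate(page_text.splitlines(), start=1):
        # Assumption: injected markup may be stored or rendered entity-escaped
        # (&lt;script ...&gt;), so decode entities before matching.
        decoded = html.unescape(line)
        for m in SCRIPT_SRC.finditer(decoded):
            url = next(g for g in m.groups() if g is not None)
            try:
                parts = urlsplit(url)
                host = (parts.hostname or "").lower()
            except ValueError:      # malformed URL, nothing to compare
                continue
            if not host or host in own:
                continue            # relative URL or one of the site's own hosts
            if parts.path.lower() == "/ur.php":
                hits.append((line_no, host, url))
    return hits

# Constructed sample page; the .invalid hosts are placeholders, not real indicators.
SAMPLE_PAGE = """<html><head>
<title>Product list</title><script src=http://stats-example.invalid/ur.php></script>
<script src="/js/site.js"></script>
</head><body>
<p>Widget &lt;script src=&quot;http://other-example.invalid/ur.php&quot;&gt;&lt;/script&gt;</p>
<script src="http://www.example.org/ur.php"></script>
<a href="http://stats-example.invalid/ur.php">link, not a script</a>
</body></html>"""

if __name__ == "__main__":
    for line_no, host, url in find_injected_scripts(SAMPLE_PAGE, ["www.example.org"]):
        print(f"line {line_no}: script loaded from {host} ({url})")
```

A hit on an entity-escaped line means the injected text is in the stored content even if that page happens to render it harmlessly, so the underlying database field still needs cleaning.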

We will update this advisory when more information is available.