"Lilupophilupop" infects a million URLs
It has been estimated that more than a million URLs have been infected with an SQL injected script. First detected by SANS ISC at the beginning of the December 2011, the attack appears to target ASP sites with Adobe Coldfusion middleware and an MSSQL database. The SQL injection resulted in a script tag being added to pages which directed browsers to import JavaScript from the "Lilupophilupop.com" domain.
SANS ISC updated their report saying that over a million URLs were infected with this malicious script tag. However, this estimate is based on a Google search for the script, is not deduplicated and does include many pages that originate from the same site. The distribution of the infections shows sites in the UK, Netherlands, Germany, France, Denmark, Canada, USA, Russia and Japan infected.
Searching today for that term shows a lower number of matches for the search query and many of the returned sites now show no obvious trace of the injected script. The lilupophilupop.com domain does not currently resolve in DNS and appears to have been blocked. The IP address that it had previously resolved to is still active and serving up the script which redirects browsers to a site serving fake anti-virus software. Records show that the IP address is part of a network based in Moldova but operating out of the area under the control of the breakaway government of Transnistria. Google's analysis of that network shows it hosts many malware sites or acts as intermediary for malware sites.
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
