Lizamoon SQL Injection runs amok

I think Websense might have broke this story http://mcaf.ee/e5a9d but I’ve been tracking this thing since this morning.  The attack seems to leave [<script src=hxxp://lizamoon.com/ur.php></script>] pretty much everywhere it can – in most of the cases I’ve studied though, it does not result in a successfully exploited site as the above is echo’d verbatim.  A few sites though, however do successfully redirect to a Rogue AV site.  For the most part, lizamoon.com has been inactivve – some sites I came across appeared to have other URLs injected as well.  From the sounds of things this all started around March 25.

As for the sites compromised, there are some commonalities, all the ones I investigated were running Windows and IIS versions 5.x, 6.x and 7.x.  Site were running active server pages (ASP) or coldfusion (CFM).  I did not see any mainstream web applications, but in general the exploited sites had a variety of forum or CMS software.

Some of the source / attacking IPs:

81.200.113.123, 95.64.9.18, 91.217.162.45

If you have been a victim of these attacks, please send logs to infosec[@]parallel42.ca especially from March 25 – feel free to redact your IP address.

The attack has been successful against for .asp, .aspx and .cfm pages so I assume it’s using a variety of exploits.

Update April 2, 2011

Found some more time to look at this, so far all the attacking IPs trace back to (wait for it) the Ukraine, Romania and Russia.  I have definitely seen a considerable uptick in RBN traffic alerts in Snort lately, in retrospect, that likely begs further investigation.

Update 2

Another thing has come to my attention – as reported by many other sources, the injected malicious URLs are not only lizamoon.com, but several others (see Websense blog for list) – I’m now seeing Google results indicating one URL, but when vetting the site source code, I find a different URL.  I wonder if the attackers are re-visiting the compromised sites to update the URLs as their exploit sites are being identified and taken down.  These guys are going to get an ‘A’ for effort.

My efforts to gather log files has not yet paid off – I did find a source of numerous logs all of which came back clean.  I’ve also yet to come across anything besides ColdFusion and ASP driven sites that are infected.