LizaMoon SQL Injection attack affects 380k+ URLs including iTunes

This seems like the week for SQL Injection attacks. First, MySQL.com was attacked and passwords from the site were extracted and published on the web. Now an attack called LizaMoon is running rampant throughout the internet and, according to the alert published by security company WebSense, has impacted over 380,000 unique URLs in the past few days.

One of the high profile sites hit by the attack is Apple's iTunes, although the way the site handles the injected script tags when it renders pages appears to prevent the rogue code from running in a visitor's browser. Had that output handling been missing, this could have been a big black stain on Apple's reputation.

Users who want to identify sites that have been impacted by the attack can use a simple Google search, replacing apple.com with the site of interest. A hit only shows that the injected string is present in the indexed page text; whether it actually executes depends on how the site renders that content.

"src=http://lizamoon.com/ur.php" site:apple.com

The server that the script redirects users to is currently offline and does not respond to pings, but it could be brought back at any time. Before it was shut down, the JavaScript redirected users to a fake antivirus site in an attempt to trick them into installing and running the software. The domain was registered on March 25th to a James Northone. The WebSense article notes that the registration information is clearly falsified, while a current look at the domain shows the owner's address as Plainview, NY. It's unclear whether this information is now accurate or whether the attacker simply made up details to delay the authorities from shutting it down.


I am now trying to work on a quick-fix for infected sites. For this I need examples of infected files. Please help by uploading your infected web-sites at http lizamoon.tenea.eu

Abdullah007 said,
It's just a bot searching the s**t everywhere and google is indexing those pages XD DIEEEEEEEEEE

Yes, it is a bot, but it is mass defacing websites at an astonishing rate. When you search for it on Google, you're correct, we can't search html code - the results are the misses - where the injected code failed/has been sterilized. It's not in a position to execute. But if you visit one of those sites, there is a high probability that your browser session will be hijacked. All it takes is one of those instances to be unsterilized, and it will execute.

NOD32 yelled at me for trying to Google w/ it.

Access to the web page was blocked by ESET Smart Security.
The web page is on the list of websites with potentially dangerous content.

GreyWolf said,
social.technet.microsoft.com infected

Just because a site is infected with the script doesn't mean that the script will actually execute correctly in that environment.

Tom W said,

No that's just people enquiring about the code...!

It's in the page source, too. Do a search with "site:microsoft.com" and pull the source for a Technet social page that comes up as a hit.

I'm confused here, SQL injection or script injection??

And basically this thing has been injected into more than 380k URLs and nobody knows how?

DeMo_BR said,
I'm confused here, SQL injection or script injection??

And basically this thing has been injected into more than 380k URLs and nobody knows how?

The SQL server data was modified to add the malicious code to pages when they're rendered. Often it happens because of a flaw in the software that allows the malicious code to be sent stuck on the end of a forum post, for example.

GreyWolf said,

The SQL server data was modified to add the malicious code to pages when they're rendered. Often it happens because of a flaw in the software that allows the malicious code to be sent stuck on the end of a forum post, for example.

If we're talking about iTunes, I highly doubt that it's a SQL Server backend.

DeMo_BR said,
I'm confused here, SQL injection or script injection??

And basically this thing has been injected into more than 380k URLs and nobody knows how?

brain infection

bj55555 said,

If we're talking about iTunes, I highly doubt that it's a SQL Server backend.

I think we can safely assume that GreyWolf meant "SQL Database Server".

Majesticmerc said,

I think we can safely assume that GreyWolf meant "SQL Database Server".

In fact scratch that, according to the BBC website, the attack is aimed at "SQL Server 2003 and 2005", which I assume means "Windows server 2003 and MS SQL Server 2005".

Alansonit said,
Why I used LinQ instead of SQL for my project. As far as I am aware SQL injections via LinQ are impossible.

What's "LinQ"? Do you mean "LINQ"?

Alansonit said,
Why I used LinQ instead of SQL for my project. As far as I am aware SQL injections via LinQ are impossible.
Only a fool believes their IT systems are impossible to break.

n_K said,
Only a fool believes their IT systems are impossible to break.

Mine's unplugged, disconnected from the network, behind a 10' thick slab of steel with three armed guards surrounding it.

Fezmid said,

Mine's unplugged, disconnected from the network, behind a 10' thick slab of steel with three armed guards surrounding it.
+1 better keep it that way

Fezmid said,

Mine's unplugged, disconnected from the network, behind a 10' thick slab of steel with three armed guards surrounding it.

Isn't there that whole thing about the security vs convenience

n_K said,
Only a fool believes their IT systems are impossible to break.

Well, sh*t, nobody thinks that. The issue is whether or not you can do it with something trivial like script injection.

Fezmid said,

Mine's unplugged, disconnected from the network, behind a 10' thick slab of steel with three armed guards surrounding it.

LOL

I always wondered when sql injection attacks would grow. The problem is with more and more people learning the web scripting languages and their flaws more like this and xss attacks will spread.

I am always surprised when high income companies have issues like this, but you never know how rushed the people were who did the code to get the project done. When it comes to personal websites, I expect to see more issues like this because sometimes the people are just learning or are novices.

Please people learn how to protect your sites/scripts from issues like this. I used to run a popular forum and I always had to be up on the scripts that ran the forum because they seemed to have exploits fairly often. I am glad I dont have to mess with it on that scale anymore.

Holoshed said,

I am always surprised when high income companies have issues like this, but you never know how rushed the people were who did the code to get the project done. When it comes to personal websites, I expect to see more issues like this because sometimes the people are just learning or are novices.

Cause money.
If you are a developer and your product is a masterpiece then you can sell it and nothing more; maybe you will be called for an expansion or an update but nothing else. And if your product is a piece of sh*t then you will not be called anymore. However, if your product is fine but far from perfect, then you will be called regularly to do support and maintenance.

It's pretty easy to do a foolproof system, but it requires extra development time that very few customers are willing to pay for. Also, the more security measures, the more resources it will use.

Holoshed said,
I always wondered when sql injection attacks would grow. The problem is with more and more people learning the web scripting languages and their flaws more like this and xss attacks will spread.

I am always surprised when high income companies have issues like this, but you never know how rushed the people were who did the code to get the project done. When it comes to personal websites, I expect to see more issues like this because sometimes the people are just learning or are novices.

Please people learn how to protect your sites/scripts from issues like this. I used to run a popular forum and I always had to be up on the scripts that ran the forum because they seemed to have exploits fairly often. I am glad I dont have to mess with it on that scale anymore.

Yes, mostly the problems are with developers and because of their lack of knowledge on properly sanitizing data, but this particular exploit is mostly because of a security hole in MySQL (this is my belief and I haven't read fully about it) and it can be used for any webserver running the default MySQL stack, because the hackers who hacked it had submitted the bug/security hole to MySQL in January but when there was no response they started misusing it.

Shishant said,
because of their lack of knowledge on properly sanitizing data, but this particular exploit is mostly because of security hole in MySQL

It is actually due to your first point. It is not a security hole in MySQL - it is simply doing the commands you are giving it, there is no context of the application that is sending the commands so MySQL does not have any idea what is supposed to be coming in. It is simply developers not sanitizing/escaping all user input in their code.