The Lizamoon SQL injection attack is not new; it’s actually part of a continuous SQLi attack that spans the past seven months. Lizamoon.com is just one of the more recent of the 40+ malware domains that have been used in the ongoing injection attacks. Here are some quick facts regarding the SQLi / Lizamoon compromises:
- A total of 42 malware domains have been observed during the 7 months this attack has been ongoing;
- The first encounter Cisco ScanSafe recorded was 20-sep-10 21:58:08 GMT;
- Only 0.15% (zero point one five percent) of encounters have involved functional / active malware domains;
- 99.85% of encounters have involved malware domains that were non-resolvable (shut down / offline) at the time of encounter;
- 55% of the encounters occurred on March 25th when the Lizamoon domain was added;
- The high rate of encounters on the 25th was solely due to a single high profile website that was compromised;
- Of the Lizamoon encounters on March 25th, only 0.13% were encounters with the live domain. 99.87% were non-resolvable (i.e. the domain was offline / not delivering content).
Here's the current list of domains we've observed in these attacks, from September 2010 through March 31, 2011:
From: http://blog.scansafe.com/journal/2011/4/1/lizamoon-sql-injection-7-months-old-and-counting.html
Thanks to: Mary Landesman