More Than 1 Million URLs Infected with Latest SQL Injection Attack

The "Lilupophilupop" SQL injection campaign has infected 1,070,000 URLs as of last weekend, according to the SANS Internet Storm Center.

This is up substantially from when the SQL attack was first noticed by SANS at the beginning of December -- the security firm only found 80 corrupted URLs. The cause of the quick spread is due to both computer and human input.

"At the moment it looks like it is partially automated and partially manual," wrote Mark Hofman, a SANS Internet Storm Center handler, in a company blog post. "The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period."

According to SANS estimates, Netherlands Web sites (ending in the .NL domain) are the No. 1 victim, with 123,000 infected URLs, with France coming in second with 68,100 hijacked Web site addresses.

However, the more than 1 million sites estimated to be infected may be higher than the reality. According to Mary Landesmann, a ScanSafe security researcher (which is now part of Cisco), the number provided by SANS also may include Web sites discussing the Lilupophilupop attack, due to the fact that the company's data was compiled by performing Google searches.

"As a result, there is always a huge 'increase' [of keyword activity] after an initial public report is made, said Landesmann to Security Dark Reading. "In other words, counting the number of results from a search engine isn’t a good or viable means of measuring the breadth of a compromise."

The Lilupophilupop attack, named after the Web site infected URLs redirect to, is a basic SQL injection that could lead to an attacker gaining access to a user's database of Internet content, including passwords, credit card information and other personal data.

This newest SQL injection incident works in the same fashion as last year's LizaMoon attack, which was responsible for redirecting as many as 1.5 million URLs to a fake and malicious antivirus download.

As with all untrusted Web sites, always use caution and make sure your antivirus is up to date. Hofman also suggests the specific action of checking to see whether a site may have fallen victim to the Lilupophilupop injection attack: "If you want to find out if you have a problem just search for '<script src="' in Google and use the site: parameter to hone in on your domain."


About the Author

Chris Paoli is the site producer for and


  • Industrial Control System Honeypot Illustrates Bad Security Practices

    Security solutions provider Trend Micro has published results (PDF) from running an industrial control system (ICS) "honeypot."

  • Ransomware: What It Means for Your Database Servers

    Ransomware affects databases in very specific ways. Joey describes the mechanics of a SQL Server ransomware attack, what DBAs can do to protect their systems, and what security measures they should be advocating for.

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.