I’ve been reading the many posts regarding Windows 7 and the free version of Avast producing false positives and the installation of Win7 SP1. I have a family website with many ASP pages and all of a sudden I started getting Trojan warnings on my Win7 machine when accessing a certain page that displays blog results from a SQL database. The page itself had not been altered in several months and there are other pages with similar script that work just fine. Win7 SP1 was installed in late February and I don’t recall accessing the page until last night. I was doing some Firefox/IE9 CSS homework when I ran across the problem. I uninstalled Avast and reinstalled but got the same results. I have several other machines with Avast and XP Pro and they work ok. Can someone tell me if this is likely to be an Avast problem and that they are working on a solution? Thanks, Riley.
"I have a family website with many ASP pages and all of a sudden I started getting Trojan warnings on my Win7 machine when accessing a certain page that displays blog results from a SQL database."
What is the problem URL? Post it unclickable (hxxp or wxw).
you may also post a screen shot of the avast warning
Thanks for the quick response. http://www,southbeaton.com.
On the left side navigation, Family Blogs, click on Glenda or any one of them,
<img src="http://www.southbeaton.com/trojan.jpg">
Sorry about the image link, can’t seem to quickly figure it out.
Sucuri Scanner say infected
Looks as you have LizaMoon
http://en.wikipedia.org/wiki/LizaMoon
http://norman.com/security_center/security_center_archive/2011/sql_injection_reaches_pandemic_proportions/en-us
http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx
http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
Your site is infected/hacked by an SQL injection attack, points to a malicious site lizamoon.com.
There are three injected script tags (see image1 for a single injected script) on what I believe is the blogresults.asp page (image2); these script tags come after some of the closing tags.
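A defender's first step after a report like this is to find every row that carries an injected script tag and strip it, rather than hunting by eye. The following is an added example, not code from this thread or from the site; it uses an in-memory sqlite3 table as a stand-in for the MS SQL BLOG table (on SQL Server you would connect with pyodbc instead), the sample rows are constructed, and `evil.example` is a placeholder host, not the real injected domain.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample rows standing in for the BLOG table. The injected tag and
# its host are made up for this example; evil.example is a placeholder.
SAMPLE_ROWS = [
    (1, "Glenda", "Went to the lake today.</td>"),
    (2, "Leslie", 'Photos from Sunday.</td><script src="http://evil.example/ur.php"></script>'),
    (3, "Kelly", "Garden is blooming. <b>nice</b>"),
    (4, "Riley", "<script src=http://evil.example/ur.php></script>Fixed the fence."),
]

# Matches <script src=...></script> with the src quoted or unquoted.
SCRIPT_TAG = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)["']?[^>]*>\s*</script\s*>""",
    re.IGNORECASE,
)


def load_sample_db():
    """Build the in-memory stand-in table (assumption: sqlite3 instead of MS SQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO blog VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_injected_scripts(conn, table, id_col, text_cols):
    """Return (row id, column, external script hosts) for every text value
    that contains an externally sourced <script> tag."""
    hits = []
    cols = ", ".join([id_col] + list(text_cols))
    # table and column names come from the operator, never from web input
    for row in conn.execute(f"SELECT {cols} FROM {table}"):
        row_id, values = row[0], row[1:]
        for col, value in zip(text_cols, values):
            if not value:
                continue
            hosts = [urlparse(m.group(1)).hostname for m in SCRIPT_TAG.finditer(value)]
            hosts = [h for h in hosts if h]
            if hosts:
                hits.append((row_id, col, hosts))
    return hits


def strip_injected_scripts(value):
    """Remove the injected tags and leave the author's own content."""
    return SCRIPT_TAG.sub("", value)


def clean_table(conn, table, id_col, text_cols):
    """Strip injected tags in place; return how many values were changed."""
    changed = 0
    for row_id, col, _ in find_injected_scripts(conn, table, id_col, text_cols):
        (old,) = conn.execute(
            f"SELECT {col} FROM {table} WHERE {id_col} = ?", (row_id,)
        ).fetchone()
        conn.execute(
            f"UPDATE {table} SET {col} = ? WHERE {id_col} = ?",
            (strip_injected_scripts(old), row_id),
        )
        changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = load_sample_db()
    for row_id, col, hosts in find_injected_scripts(db, "blog", "id", ["author", "body"]):
        print(f"row {row_id} column {col}: script loaded from {hosts}")
    print("values cleaned:", clean_table(db, "blog", "id", ["author", "body"]))
```

Run the scan over every text column of every table (the thread found only one of 33 infected, but the same check is cheap to apply to all), keep the list of hosts for the report to the host provider, and take a backup before running the clean-up so the original rows can be restored if the pattern ever matches something legitimate.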
The site is hosted at networksolutions.com. Like I said earlier, it’s been some time since I’ve messed with the script. I recently changed some links but no SQL logic that I can think of. I tend to use the same asp script on each page, just change the tables or fields as needed. Do you think it’s the way I wrote the code? Also, you would think that network solutions would be making an issue of it. And why do you think an XP Pro machine accesses the same page ok? I appreciate the feedback very much. Riley
The exploit/hacking of sites is normally down to old content management software, like SQL, PHP, Joomla, WordPress, etc.
- See http://www.scmagazineus.com/Every-36-seconds-a-website-is-infected/article/140414/.
- Also see, Help: I Got Hacked. Now What Do I Do? http://technet.microsoft.com/de-de/library/cc512587(en-us).aspx.
- Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
I have to admit I'm surprised that networksolutions.com, being your host, is not hot on keeping any server-side software up to date. I would certainly report this SQL injection attack to them.
Thanks DavidR for the response. Do you think I could have got infected locally (Texas) and pushed the infection north to NS? I keep my machine checked often and have been running Avast for well over 5 years. Like most family sites I don't check web pages every day, but like I said earlier I just happened to test a few pages after some CSS changes. You're saying the issue is with NS?
You guys are right, I looked inside the DB at NS and Liza is all over the place. Thanks again, I’ll get in touch with NS. You just assume the issue is somewhere besides NS. Thanks again, Riley.
ps - I realize now that I could not have done it either. Today is the first time I’ve been inside the DB in 3 or 4 months.
This might be of interest. Out of 33 tables in the database that could be infected, only one, the BLOG table, was infected. Do you think a client (family) could have infected the DB when viewing and updating? There is another PW protected private site that allows family members to make blog entries and upload pictures but I would not have thought a client could get past NS SQL servers. I’m on hold with NS right now.
You’re welcome.
You only need look at the first link that Pondus gave to see that this is a massive attack and not a localised one.
The blogresults.asp (active server page) page is one that is created using software I would guess provided by the Host NS, I’m surprised it is only in the one table. But there is possibly nothing to stop it having done the same in others.
If and when you report this to NS, just mention two things, SQL injection attack and lizamoon, and I wouldn't be surprised if they knew exactly what has happened. I would also think that they have more than one such problem with other sites that they host.
So right now, with the mention of blogging software, ensure that whichever blogging software you use is the latest version.
I just scanned it with Sucuri.
Did someone clean it up or did I get the website URL wrong?
I think you must have got the URL wrong, as it is still reported as infected by Sucuri, image as that posted by Pondus earlier today.
Sorry I haven't answered – yard work. I did contact NS and they acknowledged the DB was corrupt. I went into the infected table and cleaned a couple of rows just to make sure I could and left the rest for NS to look at. I carefully checked all other 32 tables but all were clean. When I logged in a couple of minutes ago I could see the infected table had been cleaned by NS, and I checked the blog web pages and they work correctly. I have not heard from NS but expect to. The pages and the site are all coded manually on my workstation. I just publish at NS mainly because of access to MS SQL, which I'm familiar with. I still use MS FrontPage (from many years ago) because I like the way the FTP function works and I can see my table and div layouts as I'm working. Photoshop is used for the graphics. With the hidden site for DB updating there are about 150 pages total. There are only about four of us in the family actively posting to the DB, and I checked with them this morning and they've done nothing lately, plus the table dates were old. The infection must have come from NS. You guys have the correct link, http://www.southbeaton.com, and click on any one of the Family Blog links on the left-side navigation. Thanks to everyone for helping. Riley
Not so much from NS but possibly through NS, if they are the ones that provide the SQL software (don't know if that would be MySQL or some other flavour) and/or if they provide any MS FrontPage functionality on site.
Well, at least we aren't getting an alert. I did a quick check on the Leslie and Kelly links and you have another problem, an error, see image, OLE DB error. What would concern me more, however, is the information given in that error. I don't know if that gives too much info, e.g. your username, that couldn't be used to try and gain access.
When I set up the database about six years ago the password rules were a little more relaxed than they are now. When I went in to make some changes today NS forced me to change my PW. Needless to say, I just now remembered to change all my include files on the web site, so if anyone was checking my work and got a SQL error – well, it's fixed.
Well Sucuri is now happy and say CLEAN
You guys are pretty sharp. Of course I fixed the error (check last post) but that doesn’t mean it can’t happen again. I’ll have to do some homework to see how to mask the errors. At least the PW doesn’t show up. It is MS SQL 2005. Thanks.
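The two questions raised in this thread, whether the way the query was written let the injection in and how to stop raw OLE DB errors reaching visitors, are answered by the same pair of habits: pass user input as query parameters instead of concatenating it into the SQL text, and catch database errors so the page shows a generic message while the detail goes to a server-side log. The following is an added example, not code from this thread or from the site; it uses sqlite3 as a stand-in for MS SQL 2005 (the ADO `Command.Parameters` collection gives the same separation of SQL text and values in classic ASP), the rows are constructed, and the author name with an apostrophe is there to show why concatenation breaks on ordinary data.

```python
import logging
import sqlite3

# Server-side log. Nothing written here is returned to the browser.
log = logging.getLogger("blog")


def load_sample_db():
    """Constructed stand-in for the BLOG table (assumption: sqlite3, not MS SQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO blog VALUES (?, ?, ?)",
        [
            (1, "Glenda", "Went to the lake today."),
            (2, "O'Brien", "Apostrophes are legal in names."),
        ],
    )
    conn.commit()
    return conn


def concatenated_query(author):
    """The concatenation style often seen in classic ASP, e.g.
    "... WHERE author='" & Request("author") & "'". Any quote in the input
    becomes part of the SQL text, which is the defect SQL injection relies on;
    shown here only so the difference from the parameterised form is visible."""
    return "SELECT id, body FROM blog WHERE author='" + author + "'"


def fetch_blogs_unsafe(conn, author):
    """Runs the concatenated query; an apostrophe in the input is a syntax error."""
    return conn.execute(concatenated_query(author)).fetchall()


def fetch_blogs_safe(conn, author):
    """Parameterised query: the driver sends the value separately from the SQL
    text, so a quote in the input is just data."""
    return conn.execute(
        "SELECT id, body FROM blog WHERE author = ?", (author,)
    ).fetchall()


def render_blog_page(conn, author, fetch=fetch_blogs_safe):
    """What the page hands back to the browser. A database failure is logged in
    full on the server and replaced by a generic message, so the driver's error
    text (and anything in it, such as the connection details) never reaches
    the visitor."""
    try:
        rows = fetch(conn, author)
    except sqlite3.Error as exc:
        log.error("blog query failed for author=%r: %s", author, exc)
        return {"ok": False, "message": "Sorry, the blog is temporarily unavailable."}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = load_sample_db()
    print(render_blog_page(db, "O'Brien"))                            # rows returned
    print(render_blog_page(db, "O'Brien", fetch=fetch_blogs_unsafe))  # generic message
```

The same input succeeds through the parameterised query and fails through the concatenated one; with the error handler in place the visitor sees only the generic message either way, and the real error, including the query and the input that triggered it, is in the server log where the site owner can read it. In IIS the equivalent of the handler is to turn off detailed error pages for remote clients and to check `Err` after each ADO call in the ASP code.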
Tips for Cleaning & Securing Your Website http://www.stopbadware.org/home/security
Sucuri http://sucuri.net/about