LizaMoon Malware Detection

Critical Nessus Network Monitor Plugin ID 5880

Synopsis

The remote web server seems to have been compromised by LizaMoon.

Description

The remote web site seems to link to malicious javascript files hosted on a third party web site related to the LizaMoon Malware. This typically means that the remote web site has been compromised, likely through SQL injection, and it may infect its visitors as well.

Solution

Restore your website to its original state and audit your dynamic pages for SQL injection vulnerabilities.

See Also

http://isc.sans.edu/diary/LizaMoon+Mass+SQL-Injection+Attack+Infected+at+least+500k+Websites/10642

http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx

Plugin Details

Severity: Critical

ID: 5880

File Name: 5880.prm

Family: Backdoors

Published: 2011/04/06

Modified: 2016/01/15

Dependencies: 1442

Nessus ID: 29871

Risk Information

Risk Factor: Critical

Vulnerability Information

Vulnerability Publication Date: 2011/03/29