Lilupophilupop multiple domain infection checker script

The following script can be used to check multiple domains for infection of the lilupophilupop.com SQL injection attacks. If you are a resposible webdeveloper then you might want to use this to check if one of your sites are infected.

First of all create a domains.txt file where you have a list of all the domains that you want to check, seperated by an enter.

Then find a webserver running php with the curl extension installed.

Paste the following code in a check.php file and upload this and the domains.txt to you webserver.

[edit]
Due to some problems with the encoding that wordpress does the following code might not work corretly. So i would recomend that you copy paste from the following link: checker.txt

<?php
// define variables
$file = "domains.txt";
$lines = file($file);

foreach($lines as $line) {
        // this string replace is done to remove the breaks from the textfile please replace the BACKSLASH with a real backslash
        $line = str_replace("BACKSLASH n", "", $line);
        $url = 'https://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=site%3A'.$line.'+"<script+src%3D"http%3A%2F%2Flilupophilupop.com%2F"';         // sendRequest
         $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_REFERER, 'schouman.info');
                $body = curl_exec($ch);
                curl_close($ch);
                // now, process the JSON string
         $json = json_decode($body);
         if (empty($json->responseData->results)){
                echo "<b>".$line."</b>";
                echo "";
                echo "clean";
        } else {
                echo "<b>".$line."</b>";
                echo "";
                echo "Number of results: ";
                print_r($json->responseData->cursor->estimatedResultCount);
                echo "";
                echo "Check all the results: <a href='";
                print_r($json->responseData->cursor->moreResultsUrl);
                echo "'>";
                print_r($json->responseData->cursor->moreResultsUrl);
                echo "</a>";
        }

        echo "";
}
?>

Run the script in your browser and see if your website was infected by the lilupophilupop.com SQL injection attacks.

For more info check:

http://isc.sans.edu/diary/Lilupophilupop+tops+1million+infected+pages/12304

http://tweakers.net/nieuws/79079/sql-besmetting-infecteert-meer-dan-een-miljoen-paginas.html

Leave a comment if there are faults or errors.

Author: michael schouman on January 2, 2012
Category: Code snippets, Compter Nerd Alert
Newer:
Older:

Leave a Reply

Last articles