Before I discuss the more technical details of defending against “lizamoon” and similar attacks, here is an important note for any business executives who may stumble across this article or hear of it secondhand:
if you’re doing ecommerce… is a must!
In an ideal scenario, all developers would follow good coding practices such as SQL Command Parameterization, but realistically, and depending heavily on the coding language being used, this is sometimes either difficult or simply forgotten.
PCI Compliance, or at least awareness of OWASP and PCI DSS 2.0 security standards, should be an important thought for anyone who is currently in or looking to get into ecommerce.
These standards help outline specific safeguards, and in the case of compliance, certify these safeguards with assessment scans that help developers identify and fix potential security flaws.
This latest exploit, currently live and in the wild at the time of writing this blog, is getting quite some fame for its scope: the number of businesses affected.
As far as rarity or complexity goes, the attack is simply some cleverly crafted SQL Injection, which can be avoided altogether using SQL Command Parameterization.
However, if you were victimized by this attack and are utilizing a system which your developers did not implement, you’re in a much tougher scenario since you probably cannot modify the code directly or even identify the attack’s point of entry.
As a quick fix and temporary workaround until a patch for your system is released, go through the following checklist:
1) Find out which ecommerce or web platform you’re using which has been compromised and open a support ticket/initiate a support call with your vendor.
2) Find out from your webmaster, provider or IT department whether you are using shared or cloud hosting, virtual dedicated hosting or dedicated hosting.
3) If you are using shared hosting, begin migration to a virtual dedicated or dedicated host, since you will not be able to make the necessary changes for the workaround fix on a shared or cloud host.
4) If you are on a virtual or fully dedicated plan, or newly migrated from shared hosting, note whether you have a Windows or Linux machine.
5) On Windows, navigate to C:\windows\system32\drivers\etc\, on Linux go to /etc/. Note this path.
6) On Windows, open Notepad (right click and run as administrator if on Vista or later); on Linux, open your favorite text editor as root or superuser.
7) In your text editor, open the “hosts” file located at the path you noted in step 5.
8) Add a new line pointing the lizamoon domain to your loopback address. (see code below)
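Steps 5 to 8 as a script, added here as an example and not part of the original post. It assumes the entry is `127.0.0.1 lizamoon.com` (the post's own snippet is not reproduced on this page), and the function names are hypothetical.

```python
import os
import platform

LOOPBACK = "127.0.0.1"   # assumed loopback address for step 8
DOMAIN = "lizamoon.com"  # domain named in the article


def hosts_path():
    """Return the hosts file location from step 5 for this OS."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\windows")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def add_loopback_entry(hosts_text, domain=DOMAIN, ip=LOOPBACK):
    """Return hosts_text with exactly one active mapping of domain to ip."""
    kept = []
    for line in hosts_text.splitlines():
        active = line.split("#", 1)[0].split()  # ignore comments
        names = [n.lower() for n in active[1:]]
        if domain.lower() not in names:
            kept.append(line)  # unrelated line, blank line or pure comment
            continue
        # Line already maps the domain: keep the other names on it, and
        # drop the domain so a stale or conflicting mapping cannot win.
        others = [n for n in active[1:] if n.lower() != domain.lower()]
        if others:
            kept.append(active[0] + "\t" + " ".join(others))
    kept.append(f"{ip}\t{domain}")
    return "\n".join(kept) + "\n"


def apply_to_file(path=None):
    """Rewrite the hosts file in place; needs administrator/root rights."""
    path = path or hosts_path()
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    updated = add_loopback_entry(original)
    if updated != original:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return updated


if __name__ == "__main__":
    # Constructed sample content, so the demo runs without touching the system.
    sample = "127.0.0.1\tlocalhost\n# comment\n203.0.113.9 lizamoon.com www.example.test\n"
    print(add_loopback_entry(sample), end="")
```

Call `apply_to_file()` from an administrator or root session to edit the real file. The hosts file is read only by the machine it is stored on, so the entry changes name lookups made from that host.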
How this works:
The hosts file maps machine names and domains to IP Addresses (although not vice versa), and overrides the resulting IP address you would otherwise receive from your DNS provider.
In terms of your ecommerce site, this translates to users clicking on a link on your site affected by the exploit, but instead of being directed to lizamoon.com like the attackers intended (no one knows yet why they are doing this), the users will instead be bounced back to your site root (usually the homepage).
This gives you enough time to hunt down or wait for a more permanent patch, without putting your shoppers at increased risk, and at least averts the danger temporarily. However, I would strongly advise anyone affected by this attack to consider PCI auditing, or at least a security consultation, regarding their ecommerce or web application.