Between Lizamoon and Willysy, looking for worms spreading through web attacks on a large number of domains can suck. Using postmodern's gscraper, I wrote a quick script that can check for infection using the same techniques as Google hacking.
It's located at https://github.com/jbc22/Is-Domain-Infected/. Inside the script, there's a place for you to change the query strings based on what the current worm does. In the case of Willysy, you need to check for:
- http://willysy.com/images/banners/
- http://exero.eu/catalog/jquery.js
(For a writeup, see: http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html)
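
An added Ruby example (not code from the Is-Domain-Infected script) of the check described above: it builds one search query per domain and indicator, assuming a `site:` operator plus a quoted phrase, then confirms a hit by looking for the two indicators in a page's `<script>`/`<iframe>` `src` attributes. The domain `shop.example`, the function names and the sample HTML are constructed for illustration.

```ruby
# Indicators from the post, with the scheme stripped so http://, https://
# and protocol-relative (//host/...) references all match.
INDICATORS = [
  'willysy.com/images/banners/',
  'exero.eu/catalog/jquery.js'
].freeze

# Assumed query shape: restrict to one domain, search for the exact phrase.
def dork_for(domain, indicator)
  %(site:#{domain} "#{indicator}")
end

# One query per (domain, indicator) pair.
def dorks(domains)
  domains.product(INDICATORS).map { |domain, ind| dork_for(domain, ind) }
end

# Return every <script>/<iframe> src in the HTML that points at an indicator.
# Handles upper-case tags and single, double or missing attribute quotes.
def injected_refs(html)
  srcs = html.scan(/<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/i).flatten
  srcs.select do |src|
    bare = src.downcase.sub(%r{\A(?:https?:)?//}, '')
    INDICATORS.any? { |ind| bare.start_with?(ind) }
  end
end

# Constructed sample pages (not captured from a real site).
SAMPLE_INFECTED = <<~HTML
  <html><head>
  <script src="/js/jquery.js"></script>
  <SCRIPT SRC='http://exero.eu/catalog/jquery.js'></SCRIPT>
  </head><body>
  <iframe src="http://willysy.com/images/banners/" width="1" height="1"></iframe>
  </body></html>
HTML

SAMPLE_CLEAN = <<~HTML
  <html><head><script src="/catalog/jquery.js"></script></head>
  <body><p>See the writeup about exero.eu/catalog/jquery.js</p></body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  puts dorks(['shop.example'])
  puts "infected sample: #{injected_refs(SAMPLE_INFECTED).inspect}"
  puts "clean sample:    #{injected_refs(SAMPLE_CLEAN).inspect}"
end
```

The clean sample mentions an indicator in body text only, so it is not flagged; a search-engine hit on the phrase alone would still need this kind of confirmation.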