Between Lizamoon and Willsy, looking for worms spreading through web attacks on a large number of domains can suck. Using postmodern's gscraper, I wrote a quick script that can check for infection using the same techniques as google-hacking.
It's located at https://github.com/jbc22/Is-Domain-Infected/ . Inside the script, there's a place for you to change the query strings based upon what the current worm does. In the case of Willysy, it's needed to check for:
(For a writeup, see: http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html
Post a Comment