SQL Injection Attacks

Some of you may have noticed (hopefully not) that your sites or sites you visit have been victims of a SQL Injection attack that is referring to scripts at either wowyeye.cn or direct84.com.  It primarily works against sites that have SQL Server as a database and seems to be targeting primarily ASP and ASP.Net sites.  I have seen a few references to PHP sites and the like, but not many.

There is not a lot of information out there about this, but the best page I have found describing the problem is here: http://hackademix.net/2008/04/26.  I am not going to rehash everything on that page, but if you are uncertain if you have been hacked, I have taken the script that is behind this and modified it for the powers of Good.

DROP TABLE #SCRIPTTABLE  
GO

CREATE TABLE #SCRIPTTABLE (TABLENAME VARCHAR(200), COLUMNNAME VARCHAR(200),RECORDCOUNT INT)

DECLARE @T VARCHAR(255), @C VARCHAR(255);  
DECLARE TABLE_CURSOR CURSOR FOR  
SELECT A.NAME, B.NAME  
FROM SYSOBJECTS A, SYSCOLUMNS B  
WHERE A.ID = B.ID AND A.XTYPE = 'U' AND  
(B.XTYPE = 99 OR  
B.XTYPE = 35 OR  
B.XTYPE = 231 OR  
B.XTYPE = 167);

OPEN TABLE_CURSOR;  
FETCH NEXT FROM TABLE_CURSOR INTO @T, @C;  
WHILE (@@FETCH_STATUS = 0) BEGIN  
PRINT @T + ' ' + @C  
EXEC(  
'INSERT INTO #SCRIPTTABLE SELECT ''' + @T + ''',''' + @C + ''', COUNT(*) FROM [' + @T + '] WHERE [' + @C + '] LIKE ''%<SCRIPT%'''  
);  
FETCH NEXT FROM TABLE_CURSOR INTO @T, @C;  
END;  
CLOSE TABLE_CURSOR;  
DEALLOCATE TABLE_CURSOR;

SELECT * FROM #SCRIPTTABLE WHERE RECORDCOUNT > 0  

I hope this can be of use to somebody.  I encourage you to check your database to see if you have been attacked and are not aware.  I also encourage you to use the best practices out there and make sure that your code is as protected against these kinds of attacks as you are able. 

Good Night, and Good Luck.

*UPDATE:http://www.0×000000.com/?i=556 has a lot of good information regarding this attack. 600,000+ sites have been hit now.