I meant write code that looks for
count(lookup value) = count(*)
for a table. Also, look for items in your text fields like "<script language=js>"
We've seen both of these hacks here on the site over the years. There are some other patterns you can search for that can let you know you've had an attack.