If you're worried about SQL injection in your applications there are several steps you can take.
Firstly, you should periodically scan your app. Both Burp Suite[1] and Netsparker[2] have free versions of their excellent tools. Burp Suite Pro comes with a very capable scanner and is about $250 (£175). Netsparker Community Edition is a fairly good automated scanner, but it doesn't cover all forms of SQL injection and the full version is quite expensive.
Running Wordpress? Head to Sucuri[3] and get your wordpress scanned. If you haven't upgraded already, now's the time.
Once you've done that, things vary according to your language and platform. Generally OWASP[4] is the font of (almost) all knowledge. You can test the app but if you wrote it you're probably more familiar with the code, so looking at how you handle user-supplied input and applying consistent changes where needed is probably your best bet. If you get really stuck, there are plenty of security geeks on HN, or alternatively you can drop me an email (address in my profile) and I'll see if I can answer your question. Alternatively if you're in London, come to DC4420[5] next month, there's going to be about 200-300 security geeks there, many of whom would be happy to help with specific questions in exchange for a beer. I'll be one of them.
Been watching this sucker for weeks.... it's pretty persistent but pretty dumb - keeps hitting servers that don't actually have any SQL or other backend storage at all... so I just let it hammer away (I figure if it's wasting it's time on me, it's not hurting someone else)
presumably looking for ur.php in the logs I would imagine.
SQL injections following this pattern appear to have been happening off and on for six or more months now. The domain name hosting the JavaScript changes each time, but the file name—ur.php—and the style of injection remain consistent. The actions of the scripts have been similar too; pop-up windows and malware downloads. Previous efforts were on a much smaller scale, however: hundreds of compromised URLs instead of hundreds of thousands. In these earlier cases, the attacks originated from IP addresses in eastern Europe and Russia.
If you click to include omitted results, the number of results stays at 631k when you get to the last page they will show you.. (1000 results max) Though I don't think it would be hard to imagine that the actual number is far fewer.
It sounds more like cross site scripting to me than SQL injection. In SQL injection you try to coax a database engine into performing a previously unintended action by carefully crafting content that is part of a query.
If this attack works by storing the data in the original (intended) field and just happens to bypass the JavaScript filters then it's XSS and not injection.
It's fairly easy to find the low-hanging SQLi vulns on a site automatically, but automatically exploiting them is tough. How do you know where you are in the query, what table/fields to modify/insert into, etc? I'd love to take this apart and figure out how it works.
I went to a presentation once by a guy who does pen testing for banks. He showed us how a script can run google searches for potentially vulnerable sites, and attempt sql injection attacks against them. When vulnerable sites are found, the trick is to query system tables to get the names of all tables in the database, and then just suck everything down for analysis later. He claimed the Russian mob is doing it.
Any info on what exactly the exploit does and which databases are targeted? I'm impressed that an indiscriminate injection attack is so successful on a wide range of websites.
Look I am not trying to start a flamewar here, but if his code is developed without knowledge of sql injections then they are almost certainly vulnerable.
It is almost impossible to fuck up prepared statements, so although they take longer to write it is a good way to secure a website.
Firstly, you should periodically scan your app. Both Burp Suite[1] and Netsparker[2] have free versions of their excellent tools. Burp Suite Pro comes with a very capable scanner and is about $250 (£175). Netsparker Community Edition is a fairly good automated scanner, but it doesn't cover all forms of SQL injection and the full version is quite expensive.
Running Wordpress? Head to Sucuri[3] and get your wordpress scanned. If you haven't upgraded already, now's the time.
Once you've done that, things vary according to your language and platform. Generally OWASP[4] is the font of (almost) all knowledge. You can test the app but if you wrote it you're probably more familiar with the code, so looking at how you handle user-supplied input and applying consistent changes where needed is probably your best bet. If you get really stuck, there are plenty of security geeks on HN, or alternatively you can drop me an email (address in my profile) and I'll see if I can answer your question. Alternatively if you're in London, come to DC4420[5] next month, there's going to be about 200-300 security geeks there, many of whom would be happy to help with specific questions in exchange for a beer. I'll be one of them.
[1] - http://www.portswigger.net/
[2] - http://www.mavitunasecurity.com/
[3] - http://www.sucuri.net/
[4] - http://www.owasp.org/index.php/SQL_Injection_Prevention_Chea...
[5] - http://www.dc4420.org/