ebouwsema - 8:06 pm on May 27, 2008 (gmt 0)

any tips for finding the injection in the web log files?

If you have analytics that can show you a large amount of hits at one time (within a matter of minutes, even seconds) that will usually limit it down - the bot seems to hit quite quickly in a series of requests - more than a user or even a normal search engine would crawl. Also, if you know where they might have exploited your site, look for requests to that page, that will usually limit it down. We found that there was often a common string/word in the request (for the SQL attack) and grep-ing for that string limited it down quite a bit - though it returned a whole lot of data so only so useful :-).