---- Sql Injection virus problem.


jsherrod - 7:28 pm on May 29, 2008 (gmt 0)


Topr8 described the exact string we saw:
?productID=10;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004 [+ hundreds more characters]

What we saw was that the database tables were dropped and repopulated exactly as they were before the attack - except a malicious script was added to the end of the field element. This is Mr. Nasty:
www (dot) killwow1(dot)cn/g (dot) js

(dot) = .

If left alone, Google perceives your site as one that is installing malware and they just remove you.

We had to clean the database - essentially decrypting the hexadecimal statement that was used for the inject and then reversing its action.

The moral of the story is to use stored procs. But since it is using the QS to inject a declare statement, an immediate defense for this attack would be to check QS for invalid characters ("<", ">", etc.) and the word "declare". If you find them, response.end and kill the page. But you have to clean the DB.

Good luck.
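
An added example, not part of the original post: a small Python helper that finds requests of the shape quoted above in a web log and decodes the `CAST(0x...)` blob (hex of UTF-16LE text, as NVARCHAR stores it) so the statement to be reversed can be read offline. The function names and the log lines are constructed for illustration, and the sample blob encodes a harmless `PRINT`; the text after the hex in the sample is an assumption, since the string on this page is truncated.

```python
import re
from urllib.parse import unquote

# Shape of the request quoted in the post: ";DECLARE @S ..." then "CAST(0x<hex>".
DECLARE = re.compile(r";\s*DECLARE\s+@\w+", re.I)
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.I)


def decode_cast_payloads(query_string):
    """Return the text hidden in each CAST(0x...) blob of a query string."""
    decoded = unquote(query_string)            # undo %20 etc. before matching
    results = []
    for blob in CAST_HEX.findall(decoded):
        # NVARCHAR is 2 bytes (4 hex digits) per character; a log line that
        # was cut short may end mid-character, so drop the incomplete tail.
        blob = blob[: len(blob) - len(blob) % 4]
        results.append(bytes.fromhex(blob).decode("utf-16-le", errors="replace"))
    return results


def scan_log(lines):
    """Return (line_number, decoded_payloads) for requests matching the pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        if DECLARE.search(unquote(line)):
            hits.append((number, decode_cast_payloads(line)))
    return hits


# Constructed sample data: a benign statement encoded the same way.
_SAMPLE_SQL = "PRINT 'constructed sample'"
_SAMPLE_HEX = _SAMPLE_SQL.encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    "GET /product.asp?productID=10 200",
    "GET /product.asp?productID=10;DECLARE%20@S%20NVARCHAR(4000);"
    "SET%20@S=CAST(0x" + _SAMPLE_HEX + "%20AS%20NVARCHAR(4000)) 200",
]

if __name__ == "__main__":
    for number, payloads in scan_log(SAMPLE_LOG):
        print(f"line {number}: {payloads}")
```

Run against real logs, the decoded text shows which tables and columns were touched and what was appended, which is what the cleanup has to undo.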


Thread source: http://www.webmasterworld.com/databases_sql_mysql/3657200.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com