Re: We Got Hit By This (Score 5, Informative)
Here is a great overview of the technique that was used:
http://www.virusbtn.com/pdf/conference_slides/2009/Maciejak-Lovet-VB2009.pdf
While they are targeting IIS and MSSQL, the real issue is developers that don't sanitize the parameters that get sent to the database. The SQL is encoded in at least 2 different layers, so the only keywords that appear in the URL are