Been watching this sucker for weeks.... it's pretty persistent but pretty dumb - keeps hitting servers that don't actually have any SQL or other backend storage at all... so I just let it hammer away (I figure if it's wasting its time on me, it's not hurting someone else)
Presumably looking for ur.php in the logs, I would imagine.
SQL injections following this pattern appear to have been happening off and on for six or more months now. The domain name hosting the JavaScript changes each time, but the file name—ur.php—and the style of injection remain consistent. The actions of the scripts have been similar too; pop-up windows and malware downloads. Previous efforts were on a much smaller scale, however: hundreds of compromised URLs instead of hundreds of thousands. In these earlier cases, the attacks originated from IP addresses in eastern Europe and Russia.
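A defender's check for the pattern described above, as an added example that is not part of the original thread: it flags any script reference to ur.php regardless of which host serves it, in access-log lines or stored page content, after undoing URL and HTML-entity encoding. The log lines, hosts and addresses are constructed samples, and the function names are illustrative.

```python
import html
import re
from collections import Counter
from urllib.parse import unquote_plus

# Matches a script tag whose src is /ur.php on ANY host; the host is captured
# because the domain rotates between campaigns while the file name stays.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\s\"'>]+)/ur\.php(?![\w.-])",
    re.IGNORECASE,
)

def normalize(text, rounds=3):
    """Undo URL and HTML-entity encoding, repeated to catch double encoding."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(text))
        if decoded == text:
            break
        text = decoded
    return text

def find_ur_php_hosts(text):
    """Return the lower-cased host of every ur.php script reference in text."""
    return [h.lower() for h in SCRIPT_RE.findall(normalize(text))]

def scan(lines):
    """Return (hits, host_counts); hits are (line_number, hosts) pairs."""
    hits, counts = [], Counter()
    for number, line in enumerate(lines, start=1):
        hosts = find_ur_php_hosts(line)
        if hosts:
            hits.append((number, hosts))
            counts.update(hosts)
    return hits, counts

# Constructed sample input: four access-log lines and one stored-page fragment.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /item.asp?id=5 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.asp?id=5%3Cscript+src%3Dhttp%3A%2F%2Fone.example.test%2Fur.php%3E%3C%2Fscript%3E HTTP/1.1" 500 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item.asp?id=5%253Cscript%2520src=http://TWO.example.test/ur.php%253E HTTP/1.1" 500 0',
    '<td>Widget&lt;/title&gt;&lt;script src=http://one.example.test/ur.php&gt;&lt;/script&gt;</td>',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /docs/ur.php.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    hits, counts = scan(SAMPLE)
    for number, hosts in hits:
        print(f"line {number}: {', '.join(hosts)}")
    print(dict(counts))
```

A hit in an access log only shows an attempt; a hit in stored page content or a database export means the injection landed and the field needs cleaning.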