The first thing we observed when we analysed the attack which included an iframe pointing to a malicious website in hundreds of thousands of web pages was that all the compromised websites were in servers with IIS and MSSQL. Initially, the most likely hypothesis was that some known exploit was being used to attack some of these platforms.
However, after a deeper analysis, we observed that it was not a vulnerability in IIS or MSSQL Server, but some badly programmed asp code, which compromised the websites hosted in these IIS servers with MSSQL.
The asp code we show below (“orderitem.asp”), interacts with a MSSQL database, which allows the use of SQL injection techniques in order to insert data in the database, in such a way that it was possible to include the iframe in the hosted websites.
For security reasons, the whole asp code has not been included.