OK, so I did sit down with the server logs this morning (IISLogViewer is a nice free utility for IIS, btw), and as Anthony mentions that was the problem. I'm seeing several places where they hit my search.asp file with a query of "letter=n" (normal query) followed by ";DECLARE%20 at S%20NVARCHAR(4000);SET%20S=CAST(0X..." So it looks as though I need to go through and see where the ball was dropped.

As a follow-up question, while the discussion turned to DB permissions, I see that the SA user has access to a lot of stuff. I know that I changed the password for it, but couldn't I just disable it?

Thanks again for all of your help and input.

Todd

"The things that break you hopefully make you stronger - eventually?"

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Anthony Baratta
Sent: Sunday, May 25, 2008 12:51 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Website Hacked?

Joel D Canfield wrote:
> I just checked, and the account I'm using to access the database doesn't
> have 'write' permission to the table that was damaged. Seems like a
> pretty fundamental break in the chain, so I must be missing something.
>
> I'm confused again.

Check the Web Server Logs in the time just before the DB was compromised. You should find the extended URL strings and the name of the file they used to inject the data.

--
Anthony Baratta

"Unfortunately, because so many Americans buy into the politics of envy, politicians have a leg up in enacting measures that cripple economic growth." ---Walter Williams
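
The log check discussed in this thread, as an added example that is not part of the original messages: a short Python scan of IIS W3C extended logs that flags query strings carrying a stacked `DECLARE`/`CAST(0x...` statement and reports which file each one hit. The sample log lines, IP addresses and the `/news.asp` page are constructed for illustration; the script assumes the log includes the standard `#Fields:` header.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (not taken from the thread's server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-24 03:11:02 192.0.2.10 GET /search.asp letter=n 200
2008-05-24 03:11:09 198.51.100.7 GET /search.asp letter=n;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4100420043 200
2008-05-24 03:12:40 192.0.2.10 GET /default.asp - 200
2008-05-24 03:13:05 198.51.100.7 GET /news.asp id=7;dEcLaRe%20@T%20VARCHAR(255) 200
2008-05-24 03:14:00 192.0.2.44 GET /search.asp letter=d&note=declare+victory 200
"""

# A statement separator followed by a T-SQL keyword and a variable, or a CAST of a hex literal.
SUSPICIOUS = re.compile(r";\s*(declare|set|exec)\b[^;]*@|cast\s*\(\s*0x", re.I)

def find_injection_attempts(log_text):
    """Return one dict per suspicious request, using the #Fields header for column names."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS can re-emit this header mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        decoded = unquote_plus(unquote_plus(row.get("cs-uri-query", "-")))  # also catches double encoding
        if SUSPICIOUS.search(decoded):
            hits.append({
                "when": row.get("date", "") + " " + row.get("time", ""),
                "ip": row.get("c-ip"),
                "file": row.get("cs-uri-stem"),
                "query": decoded[:80],     # truncate long payloads for the report
            })
    return hits

def files_hit(hits):
    """Count suspicious requests per target file, i.e. the pages whose input handling needs review."""
    counts = {}
    for hit in hits:
        counts[hit["file"]] = counts.get(hit["file"], 0) + 1
    return counts

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit["when"], hit["ip"], hit["file"], hit["query"])
    print(files_hit(find_injection_attempts(SAMPLE_LOG)))
```

Each file the report names is a page that passes request input into a SQL string and should be moved to parameterized queries.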