Hi malware fighters,
The rough number of SQL-injected sites is around 1.5 million pages; in reality the number is much bigger,
and there are several ongoing campaigns injecting obfuscated characters, making it a bit more time-consuming to track down. We experience a renewed use of these attacks in 2009, which started during 2007 - see links explaining:
http://www.theregister.co.uk/2009/04/02/new_sql_injection_attack/
http://securitywatch.eweek.com/exploits_and_attacks/sql_attacks_-_half_a_million_sites_already_owned.html
Who’s behind these attacks? Besides the automation courtesy of botnets, the short answer is everyone with a decent SQL injector, and today’s SQL injectors have built-in reconnaissance capabilities, links:
http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html
http://ddanchev.blogspot.com/2007/05/google-hacking-for-vulnerabilities.html
polonus