The LizaMoon attack targets Microsoft SQL Server installations, injecting JavaScript tags into website files. Although we are primarily using Unix/Linux servers, I performed some scans using the following to check for LizaMoon infection:
find . -type f -exec grep -EH '<script src=http://.*/ur\.php' {} +   # -H prints the file name with each match
On Windows Server I used PowerShell and the following command:
Get-ChildItem * -Recurse | Select-String -Pattern 'ur\.php'
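A stricter variant of the Unix/Linux scan above, added here as an example and not part of the original post: it also catches quoted and upper-case forms of the injected tag, skips binary files, and lists each affected file once. The function names `scan_lizamoon` and `make_sample_tree`, the host `example.invalid` and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post).
# scan_lizamoon DIR: list files under DIR that contain a <script> tag whose
# src attribute loads ur.php from a remote http:// URL.
scan_lizamoon() {
    root="${1:-.}"
    q="[\"']?"   # the src value may be unquoted, single- or double-quoted
    pattern="<script[^>]*[[:space:]]src[[:space:]]*=[[:space:]]*${q}http://[^\"' >]+/ur\.php"
    # -E extended regex, -i ignore case, -I skip binary files, -l names only.
    # grep exits 1 when nothing matches; '|| true' keeps that from looking
    # like a failure to the caller.
    find "$root" -type f -exec grep -EiIl -- "$pattern" {} + || true
}

# make_sample_tree: build a throwaway directory of constructed test pages
# and print its path. Host and file names are made up for this example.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    # Unquoted form, as in the pattern used in the post.
    printf '%s\n' '<p>news</p><script src=http://example.invalid/ur.php></script>' \
        > "$d/infected.html"
    # Upper-case, quoted form with an extra attribute; file name has a space.
    printf '%s\n' '<SCRIPT type="text/javascript" SRC="http://example.invalid/ur.php"></SCRIPT>' \
        > "$d/quoted page.html"
    # Not an injection: a local script and a plain link that mentions ur.php.
    printf '%s\n' '<script src="/js/app.js"></script>' \
        '<a href="http://example.invalid/ur.php">link</a>' \
        > "$d/clean.html"
    printf '%s\n' "$d"
}

# Demo run against the constructed tree.
sample=$(make_sample_tree)
scan_lizamoon "$sample"
rm -rf "$sample"
```

Run it against a web root with `scan_lizamoon /path/to/webroot`; an empty result means no file matched the tag pattern.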