Hi there, well, I am opting to post how they got in and how to fix it publicly, so anyone here can fix their servers, if need be.
They got in through an HTTP attack, as BlackIce Firewall monitored it. They exploited a “Web Server Folder Traversal” vulnerability in Microsoft IIS 4.0 (applies to IIS 5.0 too). Without going into a huge amount of detail on the flaw in Microsoft IIS, here is the Security Bulletin page, which links to the patch you can download and install for both IIS 4 and 5:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Basically, they used the address line to copy their files into my webserver folders and also into each subfolder below. In my case, they only hit the main folder and 5 subfolders. The files they copied into there were:
index.htm
default.htm
default.asp
index.asp
For some reason, in my case, their attempts to overwrite default.htm only worked on 2 of the 5 folders. But those pages I had with default.htm have been destroyed... thankfully nothing important, just my tribute pages to Airwolf and The A-Team (wouldn't I like to hire THOSE guys right now!).
What you wanna do, and this is a pain in the arse, is get on the Microsoft TechNet listserver for security updates, and try to stay up to date with bugfixes and security fixes.
As to Linux vs IIS/Microsoft, both are victims. Our Linux DNS servers have been invaded twice, both times through holes in BIND (ADMROCKS attacks)... and this is our 2nd big breach through IIS. So, neither is impenetrable... so now isn't the time to say whose servers are better... both perform splendidly if one stays in the loop with notices of bugs and fixes.
Aside from that, update the firewall software weekly and do the same for your antivirus software. We had a guy from Russia breach our system to copy Back Orifice once... while he did get in, the minute he uploaded Back Orifice, Norton AntiVirus automatically quarantined the file and made it off limits, fouling that hacker's attempt.
Be loaded for bear, cuz not all the neighbors play nice.
------------------
Paul J. Busiere
Aces High Arena handle: BD5Pilot
http://bd5.checksix.net
BD-5 "T" (TurboProp) 90% complete, first flight in 2001 (We hope!)
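As an added example that is not part of the original post: the MS00-078 folder traversal worked because IIS decoded overlong UTF-8 escapes (such as %c0%af for "/") and double-encoded escapes in request paths before checking them, so a defender scanning IIS logs for the break-in has to decode the same way before looking for ".." segments that climb above the web root. The log format, IP addresses and paths below are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines (not from the original post).
# Fields: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2001-03-10 02:14:05 203.0.113.7 GET /default.htm 200
2001-03-10 02:14:09 203.0.113.7 GET /scripts/..%c0%af../private/notes.txt 200
2001-03-10 02:14:12 203.0.113.7 GET /msadc/..%c1%9c../private/notes.txt 200
2001-03-10 02:15:00 198.51.100.4 GET /images/logo.gif 200
2001-03-10 02:15:30 203.0.113.7 GET /scripts/..%255c../private/notes.txt 404
"""

# A C0/C1 lead byte never occurs in valid UTF-8: it is an overlong encoding of ASCII.
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def decode_overlong(raw: bytes) -> bytes:
    """Map C0/C1-lead two-byte sequences to the ASCII byte they encode (C0 AF -> '/')."""
    def repl(m):
        lead, cont = m.group(0)
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG_2BYTE.sub(repl, raw)

def escapes_webroot(uri_stem: str) -> bool:
    """True if the request path, after full decoding, climbs above the web root."""
    raw = decode_overlong(unquote_to_bytes(uri_stem))
    # Second pass catches double-encoded separators such as %255c -> %5c -> '\'.
    raw = decode_overlong(unquote_to_bytes(raw))
    depth = 0
    for seg in raw.replace(b"\\", b"/").split(b"/"):
        if seg == b"..":
            depth -= 1
            if depth < 0:  # climbed above the root: traversal
                return True
        elif seg and seg != b".":
            depth += 1
    return False

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+)$")

def flag_traversal(log_text: str):
    """Return (client ip, uri) for every log line whose path escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_webroot(m.group(4)):
            hits.append((m.group(2), m.group(4)))
    return hits
```

Note that a 404 in the log does not mean the attempt failed for good; the same client retrying with different encodings is the pattern worth alerting on.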