Server 2003 - IIS 6 - Hacked
We've been having a bit of trouble with some Iranian hackers (calling themselves the Iran Security Team) hitting our school's webserver repeatedly. When it started, they were just dumping phoney 'index.html' and 'index.php' files to the root folder of our website (luckily our ACTUAL index page runs within a nested folder, so there was no interruption). Then they stepped it up and left hacking tools embedded in web pages. Now they've left files which open web pages requiring a password - having done some research, it seems hackers can use a loophole in IIS which means that a site requiring password authentication can be used to step up privileges... so now they're getting WRITE privileges and managed to delete a whole bunch of important files! So it's getting worse!
We deleted all their files (after gathering as much info as we could from them) and ran a system update on the server. Loads of security updates got patched, but they still hit us again. I've run the update service once more and there was one more patch, but that's it. I don't have faith that this single patch will save the day, so does anyone have any suggestions?
We are running IIS 6 on Server 2003. All of the erroneous files were created by the IIS Anonymous User Account (IUSR_*serverName*) - so I suspect it's something to do with tying that down. I determined this by right-clicking the phoney files - the Security tab showed permissions set for IUSR_*serverName*...however this account does not show for any of our legitimate files...
Is it something to do with the Anonymous IIS Account? Am I barking up the wrong tree?
...suggestions are much appreciated!
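
The manual check described in the post (opening each file's Security tab and looking for IUSR_*serverName*) can be run over the whole web root in one pass. The following is an added example, not part of the original post; the web root path and the `*IUSR_*` name pattern are assumptions, and it needs Windows PowerShell installed on the server.

```powershell
# Added example: list files and folders under the web root that are owned by,
# or carry an Allow entry for, the IIS anonymous account (IUSR_<serverName>).
function Find-AnonymousAccountItems {
    param(
        [string]$Path           = 'C:\Inetpub\wwwroot',  # assumption: adjust to the real web root
        [string]$AccountPattern = '*IUSR_*'              # assumption: matches MACHINE\IUSR_<serverName>
    )
    $ntAccount = [System.Security.Principal.NTAccount]
    # Rights that let the account create, change or remove content.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'

    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        try   { $sd = $item.GetAccessControl() }
        catch { return }                       # ACL not readable: skip this item

        # The owner SID may no longer resolve to a name; keep going if so.
        $owner = '<unresolved>'
        try { $owner = $sd.GetOwner($ntAccount).Value } catch { }

        $aces = @($sd.GetAccessRules($true, $true, $ntAccount) | Where-Object {
            $_.IdentityReference.Value -like $AccountPattern -and
            $_.AccessControlType -eq 'Allow'
        })

        if ($owner -like $AccountPattern -or $aces.Count -gt 0) {
            $writable = @($aces | Where-Object {
                ([int]$_.FileSystemRights -band $writeBits) -ne 0
            }).Count -gt 0

            New-Object PSObject -Property @{
                Path        = $item.FullName
                IsFolder    = $item.PSIsContainer
                Owner       = $owner
                AnonCanWrite = $writable
                Created     = $item.CreationTime
                Modified    = $item.LastWriteTime
            } | Select-Object Path, IsFolder, Owner, AnonCanWrite, Created, Modified
        }
    }
}

# Oldest first, so the creation times can be lined up against the IIS logs.
Find-AnonymousAccountItems | Sort-Object Created | Format-Table -AutoSize
```

Folders reported with `AnonCanWrite` set to True are the places where the anonymous account is allowed to create or delete content, which is the permission to review when tying that account down.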