How to find source of black hat SEO hack on windows 2008 server running IIS7

I have a Windows 2008 server running IIS 7.5. Recently a couple of websites had ASP files uploaded which contained links to another website presumably created by black hat SEO hackers. It was to promote mostly Louis Vuitton fake products. This article explains it perfectly:
https://blog.sucuri.net/2014/10/website-security-a-case-of-seo-poisoning.html

I found that this was done in two ways:

1. An exploit file called search.asp was uploaded
2. The web.config file was modified to add a rewrite for a specific URL pattern to point to another file the hacker uploaded to the compromised site.

The server is fully up to date with the latest security patches and I tried to find reference to the uploaded files in the IIS logs but to no avail.

Does anyone have any advice on how I can locate the source of the hack and therefore plug the vulnerability?
mike99cAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
OK Mike, I'll chime in here as well then.

Repost of my questions about your IIS Server:


From an IIS standpoint:
 1. how many websites are hosted on the server?
 2. has the IIS installation been hardened?  Enhanced the config past default?
 2a. are you using inetpub to store content?
 2b. SSL certs being used?
 2c. http logging enabled & configured?
 3. what frameworks are required to operate those sites? (ASP.NET, PHP, etc)
 3a. what custom applications are required?
 4. what 3rd party CMS are required (Wordpress, Drupal, Joomla, etc.)
 5. how are the site bound to IPs?
 6. what protocols are supported?  http, https, ftp, smtp?
 7. how are the individual websites configured?
 7a. is directory browsing allowed?
 7b. 3rd party ISAPI modules installed?
 8. are you analyzing your http logs?
 9. are you analyzing your event logs?
 9a.  Application Log 1309 events are typically an indication of undesirable activity on your server.

Dan

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.