I have a Windows 2008 server running IIS 7.5. Recently a couple of websites had ASP files uploaded which contained links to another website presumably created by black hat SEO hackers. It was to promote mostly Louis Vuitton fake products. This article explains it perfectly:
I found that this was done in two ways:
1. An exploit file called search.asp was uploaded
2. The web.config file was modified to add a rewrite for a specific URL pattern to point to another file the hacker uploaded to the compromised site.
The server is fully up to date with the latest security patches and I tried to find reference to the uploaded files in the IIS logs but to no avail.
Does anyone have any advice on how I can locate the source of the hack and therefore plug the vulnerability?