Any system attached to the internet should be fully hardened with latest available patches and fixes for <b>ALL</b> running applications. The firewall should permit <b>ONLY</b> the necessary access. Block ALL unneeded ports and permit ONLY the required ports. Since this system has been hacked, you have no real way of knowing if the system has full integrity. I would recommend rebuilding the system as a Server 2008 system. Server 2000 is no longer supported by Microsoft and as you see is very vulnerable to pwning. If this hacked system is also attached to your internal network, I would recommend disconnecting it immediately as it may be used as a jump point to begin attacking internal systems. Change the passwords on <b>all</b> accounts used on the compromised server as you have no way of knowing if those have been compromised also. The best thing you can do is build a new system from scratch using the latest available software (including patches and fixes). Anything running on this W2k server is suspect. If there is a reason you must stay with Windows 2000, at least implement the free MS IISLockdown utility to limit the unnecessary feature of IIS: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en You can further disguise the fact that this is a vulnerable/outdated platform by changing the headers using a product like ServerMask from Port80 software: http://www.port80software.com/products/servermask/

Any system attached to the internet should be fully hardened with latest available patches and fixes for <b>ALL</b> running applications. The firewall should permit <b>ONLY</b> the necessary access. Block ALL unneeded ports and permit ONLY the required ports. Since this system has been hacked, you have no real way of knowing if the system has full integrity. I would recommend rebuilding the system as a Server 2008 system. Server 2000 is no longer supported by Microsoft and as you see is very vulnerable to pwning. If this hacked system is also attached to your internal network, I would recommend disconnecting it immediately as it may be used as a jump point to begin attacking internal systems. Change the passwords on <b>all</b> accounts used on the compromised server as you have no way of knowing if those have been compromised also. The best thing you can do is build a new system from scratch using the latest available software (including patches and fixes). Anything running on this W2k server is suspect. If there is a reason you must stay with Windows 2000, at least implement the free MS IISLockdown utility to limit the unnecessary feature of IIS: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en You can further disguise the fact that this is a vulnerable/outdated platform by changing the headers using a product like ServerMask from Port80 software: http://www.port80software.com/products/servermask/