Security Basics mailing list archives

got hit with iiscrack, trying to learn how it was done


From: jeffrey mergler <jeffreymergler () hotmail com>
Date: 5 Nov 2002 17:14:22 -0000



I think I understand how this incident occurred, but there are some pieces 
that I feel I do not understand.  Specifically, I would like to understand, 
start to finish, how it happened, where I went wrong, and how to prevent 
it.  Here's the executive summary.

We installed IIS 5 on a server and exposed HTTP through the firewall in order to 
test a new web-based email program that works with our mail server.  The mail 
server, IIS and the new mail software were all on the same NT 4 box.

Unfortunately, although we installed all the Windows Update patches, we were not 
diligent enough to install this one:

IIS 5.0 Privilege Escalation Exploit (Entercept Advisory):
http://online.securityfocus.com/archive/101/209309

I am aware that avoiding this lack of diligence with patch installs would 
have prevented the problem.

We noticed nothing until we experienced (I guess) the classic symptoms of a 
DoS attack.  Internet access was dead from every computer on the network.

After some examination of the firewall logs, we realized we were being used as 
a source in a DDoS attack (against the US DoD, no less, which infuriates me even 
more).

We cut the server off and started looking for problems.  I found in my 
webroot/scripts folder:

a .cmd file that opened an FTP client session, connected anonymously to 
some college server, and downloaded a file which then got renamed to 
httpodbc.dll.  This backdoor DLL is the infamous exploit described above.

This fascinated me... how did this thing work?  Well, I poked around and 
found this file on www.digitaloffence.net, intentionally infected a 
laptop, connected to that laptop, and voila, I had command-line control of 
the other laptop.  Dang.

So, after piecing all of this together, I am still puzzled.  I do not 
understand:

a) How the person used the vulnerability to get the .cmd file onto the 
computer and execute it.  Once the DLL is installed, it's straightforward 
to use, and I understand completely how FTP got it there.  But how did the 
.cmd file get there in the first place, and how was it executed?

b) I think that the IIS privilege escalation vuln is what allows the 
iiscrack.dll/httpodbc.dll backdoor to do its stuff (control the PC), but is 
that vuln also the hole that allowed the hacker to get that .cmd file on 
there, which in turn started the FTP session?  I am definitely missing 
something here!

c) Finally, how did Norton System Security not stop that file from 
being copied/FTP'd to the server?  When I intentionally infected a 
laptop, I had to shut off real-time file protection.  The hacked server 
also had this Norton installed, with virus defs up to date and real-time file 
protection enabled.

Can someone fill in some of the missing pieces?

Thanks!!

Jeff


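An added triage example, not part of the post above and not the poster's code: the post's own indicators are an executable .cmd file sitting in webroot/scripts that IIS ran, and a downloaded backdoor renamed to httpodbc.dll. One place to look for the request that pulled the trigger is the IIS W3C extended log. The script below parses that format using its #Fields header and flags any request for a .cmd/.bat/.exe under /scripts or for a file named httpodbc.dll or iiscrack.dll. The log lines, the client IPs, the field layout and the file name root.cmd are constructed for the example; the log file name LOG_PATH is also an assumption.

```python
"""Triage IIS W3C extended log lines for the indicators named in the post:
executable files requested under /scripts, or a request for the
httpodbc.dll / iiscrack.dll backdoor. Added example; the sample log below
is constructed, not taken from the poster's server."""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample in IIS W3C extended format. The #Fields line drives
# the parser, so a real log with a different field order also works.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-11-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-11-01 03:12:01 192.0.2.10 GET /default.htm - 200
2002-11-01 03:12:09 192.0.2.10 GET /scripts/root.cmd - 200
2002-11-01 03:12:15 192.0.2.10 GET /scripts/httpodbc.dll - 200
2002-11-01 03:15:40 198.51.100.7 GET /webmail/login.asp - 200
"""

SUSPICIOUS_EXT = {".cmd", ".bat", ".exe", ".com"}
KNOWN_BACKDOOR_NAMES = {"httpodbc.dll", "iiscrack.dll"}  # names from the post


@dataclass
class Hit:
    line_no: int
    client_ip: str
    method: str
    uri_stem: str
    status: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each data line, keyed by the #Fields names."""
    fields: Optional[List[str]] = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield n, dict(zip(fields, values))


def classify(uri_stem: str) -> Optional[str]:
    """Return why a requested path matches the post's indicators, else None."""
    path = uri_stem.lower()
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if name in KNOWN_BACKDOOR_NAMES:
        return "known backdoor dll name"
    if path.startswith("/scripts/") and ext in SUSPICIOUS_EXT:
        return f"executable {ext} under /scripts"
    return None


def triage(log_text: str) -> List[Hit]:
    """Run classify() over every record and collect the matches."""
    hits: List[Hit] = []
    for n, rec in parse_w3c(log_text.splitlines()):
        stem = rec.get("cs-uri-stem", "")
        reason = classify(stem)
        if reason:
            hits.append(Hit(n, rec.get("c-ip", "-"), rec.get("cs-method", "-"),
                            stem, rec.get("sc-status", "-"), reason))
    return hits


if __name__ == "__main__":
    # LOG_PATH is an assumed location; the constructed sample is used here.
    LOG_PATH = "ex021101.log"
    for h in triage(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client_ip} {h.method} {h.uri_stem} "
              f"-> {h.status}  [{h.reason}]")
```

A 200 for a .cmd under /scripts is the request to chase back: look at the same client IP's earlier requests in the log for how the file got there, and pair it with the firewall's egress records, since the post says the .cmd then opened an outbound anonymous FTP session from the web server.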