December 8th, 2003, 06:02 PM
#18
Well, it really depends on what their version of the ry3.asp file did. If it is a s'kiddie, they probably did not edit the asp in it. But if it is someone with a little bit of knowledge, they could have written in any code they wanted into your existing asp files. The Server.CreateObject("Scripting.FileSystemObject") has the ability to append code into files, which means they could have opened up several backdoors into your system. They quite possibly could have gotten into your database and mucked with it also.
They deleted the ry3.asp file from the server, so there is no real way of knowing exactly what they did or did not do. What I would probably do is check the last modified dates of your server's files. Anything modified after the date of the attack is for all intents and purposes lost, and should be removed and changed over with a backup copy. If it were me, I would redo the entire box itself. Once they had control over the server, they easily could have executed commands on the server itself. Check your logs to see if any commands were executed on the box itself, as the FTP user, etc.
Getting hacked is no fun at all. Learn from your mistakes, and make sure to check all the file permissions in the server before going live. One of the biggest mistakes webmasters make is leave a file full access, for ease, and say to themselves "Oh I'll go back later to lock it down". It very rarely happens.
As far as how they got in in the first place? Not sure. You will have to look around your server to see if any webcode allows people to upload stuff to your server. If so, that is how they got in.
Happy hunting.
xmad
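The two checks described in the post above (files modified after the attack, and ASP files that reference Scripting.FileSystemObject), as an added example that is not part of the original post. The function names, extension list, sample file tree and dates are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# String named in the post; ASP is case-insensitive, so match that way.
FSO_RE = re.compile(rb'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)
SCRIPT_EXTS = {".asp", ".asa", ".inc"}  # assumption: classic ASP script extensions

def triage(web_root, attack_time):
    """Walk web_root; report files changed since attack_time and scripts using FSO."""
    cutoff = attack_time.timestamp()
    report = {"modified": [], "uses_fso": [], "unreadable": []}
    for dirpath, _dirs, names in os.walk(web_root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            try:
                if os.stat(path).st_mtime >= cutoff:
                    report["modified"].append(rel)
                if ext in SCRIPT_EXTS and FSO_RE.search(Path(path).read_bytes()):
                    report["uses_fso"].append(rel)
            except OSError:
                report["unreadable"].append(rel)  # review these by hand
    return {key: sorted(val) for key, val in report.items()}

def build_sample(root):
    """Constructed sample tree of (content, mtime) pairs; not data from the incident."""
    before = datetime(2003, 11, 20, 9, 0).timestamp()
    after = datetime(2003, 12, 5, 3, 30).timestamp()
    files = {
        "default.asp": (b'<% Response.Write "hello" %>', before),
        "admin/upload.asp": (b'<% Set fs = Server.CreateObject("Scripting.FileSystemObject") %>', before),
        "news.asp": (b'<% set o = server.createobject( "scripting.filesystemobject" ) %>', after),
        "images/logo.gif": (b"GIF89a", after),
    }
    for rel, (data, mtime) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for key, paths in triage(root, datetime(2003, 12, 1)).items():  # constructed date
            print(key, paths)
```

Modification times can be changed by anyone who had write access, so a file missing from the `modified` list is not thereby shown to be untouched; compare against the backup copy as well.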