A very inexpensive solution for blocking FTP Attacks on IIS servers can be found at: http://www.ftpblocker.com/ It is very useful for smaller business who don't have hardware firewalls or sniffers to block these attacks.

Ive been trying to write a filter based on __VIEWSTATE but I can only get it to scan and filter based on the viewstate if I use ScanAllRaw=1 URLScan rule: [ViewState] AppliesTo=.asp,.aspx DenyDataSection=ViewState Strings ScanUrl=0 ScanAllRaw=1 ScanQueryString=0 ScanHeaders= [ViewState Strings] -- %3b...

This thread will contain the latest information regarding recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306...

I would advise anyone affected by this attack to activate the SQL profiler (or equivalent) and set it to record only EXEC commands. If your website then becomes infected again you can quickly scroll through the profiler output and find the "suspicious" command where the injection has entered...