Which exploit(s) were used to attack the system?

WEB-IIS msadc/msadcs.dll access
http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2
http://www.securityfocus.com/vdb/bottom.html?vid=529
http://www.microsoft.com/technet/security/bulletin/MS99-025.asp

spp_http_decode: IIS Unicode attack detected
WEB-MISC http directory traversal
http://www.securityfocus.com/bid/1806
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

How were the exploits used to access and control the system?

The IIS Unicode attack and the RDS exploit were both used to poke around the system, ftp files to the system, and open a command prompt over a netcat session.

What was done once access was gained?

They used ftp to copy samdump.dll, pdump.exe, nc.exe, and whiskers.tar.gz to the system and then tunneled a command prompt over netcat. They executed pdump.exe and created a repair disk to get a copy of the SAM. They used the netcat session that was waiting on ports 6969 and 6968. An attacker at 202.85.60.156 renamed the index.html file and created a blank index.html. They also created a test.txt file. I don't know if this was the original attacker or not; they just connected to the netcat session that was waiting on port 6868.

How could this attack have been prevented?

Microsoft has released patches for both of these issues.

Unauthorized Access to IIS Servers through ODBC Data Access with RDS
http://www.microsoft.com/technet/security/bulletin/MS99-025.asp

IIS Unicode
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

How much time did you spend on this analysis and writeup?

It took about an hour to run it through snort and get a basic idea of the intrusions. I spent about 5 more hours looking at the details. I examined the log file with Ethereal. I chose Ethereal because of the nice "follow TCP Stream" function; it doesn't convert the Unicode characters in the ASCII view, and it uses tcpdump-style filters.
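The three Snort alerts named above can be reproduced on plain HTTP request lines with a small detector. This is an added example, not part of the original writeup or of the Snort rules it cites; the request lines are constructed, and the lenient decoder is a simplified model of the overlong-UTF-8 handling behind MS00-078, not IIS's actual code.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not taken from the analysed capture).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/win.ini HTTP/1.0",
    "POST /msadc/msadcs.dll HTTP/1.1",
    "GET /scripts/..%c1%9c..%c1%9cwinnt/win.ini HTTP/1.0",
]

def lenient_utf8(data: bytes):
    """Decode like a permissive server: accept 2-byte overlong forms
    (0xC0/0xC1 lead byte) that map back to ASCII, e.g. C0 AF -> '/'.
    Returns (text, overlong_seen); other bytes pass through as latin-1."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            overlong, i = True, i + 2
        else:
            out.append(chr(b))  # plain ASCII or a stray byte
            i += 1
    return "".join(out), overlong

def classify(request_line: str):
    """Return the alert names (as Snort labelled them above) for one request."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    path = parts[1].split("?", 1)[0]           # ignore the query string
    decoded, overlong = lenient_utf8(unquote_to_bytes(path))
    decoded = decoded.replace("\\", "/")       # C1 9C decodes to a backslash
    alerts = []
    if overlong:
        alerts.append("IIS Unicode attack detected")
    if ".." in decoded.split("/"):             # traversal only visible after decoding
        alerts.append("http directory traversal")
    if decoded.lower().startswith("/msadc/msadcs.dll"):
        alerts.append("msadc/msadcs.dll access")
    return alerts

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", classify(line))
```

A stock `bytes.decode("utf-8")` rejects the overlong forms outright, which is why a detector has to model the server's permissive decoding rather than rely on the standard library.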