Greetings all!

I was googling for some help with an apparent security flaw in my server that allows script injection to my server that will put up 'message boxes' or even completely redirect my .asp pages and came across this place so I registered.

Windows Server 2003 SP2 Enterprise Edition.
All security updates are current.

I have a dozen web sites on it, most are Access Database driven dynamic .asp pages, and several dozen form pages for anything from contact e-mail, posting, making a purchase, to posting or uploading files.

What I know it is NOT:
WebDAV, I disabled that long ago.
Re-written pages or a direct server access breach.
A virus.
Anything else that simply re-starting the IIS web service for that web site won't fix.
And it does not affect any html pages.

I have been kicking myself since yesterday for doing this, and it makes me look like a rookie, but I know it will be helpful.

I have a form submitting system for buying a banner ad on one of 3 sites and it is saved in its own Access DB.
I noticed right away when I remote desktopped in and opened it, and sure enough there was a new entry coinciding with when the 'hack' started and I caught a </script> tag in an entry field BUT I DELETED THE RECORD BEFORE I READ IT ALL!

I know, dumb, hence my disclaimer.
But that tells me it is form script that starts a process that does the dirty deed, and the data doesn't even need to be saved to the DB as even after deleting that and disabling the save it was 'hacked' again.

What I am looking for is...
Something I can run either in global.asa or on the server itself that will prevent any of my forms from injecting script that could start any IIS process without editing every form or turning off the ability of the web sites to run script because, well, they all do.

I subscribed to this post so this is not a 'post and not come back' question.

I also know I could simply screen forms before they are sent for a <script> line and delete it, but I am not kidding about several dozen forms, maybe as many as 100, and many are long forgotten obscure ones as I have web sites over 10 years old.

Any help would be greatly appreciated.

(preview note)
Wow... I added the little image in this post itself as using it as part of my 'official sig' made it HUGE! And it wouldn't let me just use standard img tags so I just turned 'use sig' off.
Just wondering why, is all, as I can make a pretty small single line sig that is even somewhat entertaining to look at ;-}

Just an old Computer Guy with a new hobby KC's Kruisers Glendale Arizona, USA ;-}