I haven't see this posted here. There is a nasty root exploit that affects CentOS and CloudLinux. From various discussions I've read no one has yet found the cause. The rootkit puts file /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems
I know CentOS is pretty popular and many hosts use it so if I were you I'd check the thread at http://www.webhostingtalk.com/showthread.php?t=1235797 and also this blog post http://www.cloudlinux.com/blog/clnews/sshd-exploit.php .There is a link to a bash script to clean this up, however, since this is a root exploit it's probably better to reload the OS. Those files might not be the only nasties that this dropped on the box.
This is pretty nasty. One user reported a clean install of CentOS on a new server and it was exploited in minutes.
The thread at WHT is long with a lot of good info so make sure you read it all.
I lockdown the default member group. The only thing they can do is post threads and replies. Nothing else. After 25 posts they get promoted to a new group which has full member permissions. I also use NenaDice hook to disallow links in posts until 25 posts.
Somewhere there is a file/image that is behind a password protected dir that is loading on those pages or you have files loading from a dir that is not accessible by IIS.
Do you have some of your files placed outside the web root?
If you do have granted access to those directories to the NETWORK user?
How is PHP setup? The correct setup for the best security is to create a user with a strong password, give it permissions to read, write and modify on the web root and any folders outside the web root that you use to serve content. Then set that user as the app pool user in IIS manager.