We have found out that an old ASP site I have started looking after has been hacked.
1) link to a security check list
2) Free / recommended security tools
3) Put me in touch with a hacker / asp security expert to do an audit.
Any other advice?
What was hacked? The actual web pages or the database driving the pages?
Is the website hosted on a shared server? (If yes, then people with another site on that server can access other sites on that same server via the FileSystemObject if the server setup for security is rubbish.)
Yes, as Ian has indicated, there are a number of ways an ASP site can be hacked.
I've run Windows 2000 and 2003 as web servers and have been hacked several times as a result. In my cases they gained access via FTP or FrontPage Extensions. My server wasn't a production server so it wasn't a huge deal. I disabled FrontPage Extensions and shut down FTP and the problem was solved.
Hackers can also get in via SQL Injection, if you have forms that send data to your database. In that case you must make sure to sanitize inputs, especially if you're dealing with login forms on ASP. EDIT (to clarify): They can gain access to the database via SQL Injection.
Most of the guys I've met who offer hosting on MS servers are well equipped to handle locking down an IIS server. What version of Windows Server is the site hosted on?
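For the login-form case mentioned in the reply above, here is an added example (not code from any poster in this thread) of a classic ASP lookup that passes form input as an ADO parameter instead of concatenating it into the SQL text. The `Users` table, its `UserName` and `PasswordHash` columns, the 50-character limit and the `Application("ConnString")` setting are assumptions made for illustration; checking the submitted password against the stored hash is outside what the example covers.

```vbscript
<%
Option Explicit

' ADO constants (same values as in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const MAX_USER_LEN = 50   ' assumed width of the hypothetical UserName column

' Weak pattern, shown for contrast only: the form value becomes part of the
' SQL statement itself, so the visitor controls the statement's structure.
'   sql = "SELECT PasswordHash FROM Users WHERE UserName = '" & _
'         Request.Form("username") & "'"

' Hardened pattern: the SQL text is a constant and the form value travels
' separately as a typed, length-limited parameter.
' Returns the stored hash, or Null when no such user exists.
Function LookupPasswordHash(conn, userName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT PasswordHash FROM Users WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("@user", adVarWChar, _
        adParamInput, MAX_USER_LEN, userName)
    Set rs = cmd.Execute
    If rs.EOF Then
        LookupPasswordHash = Null
    Else
        LookupPasswordHash = rs("PasswordHash").Value
    End If
    rs.Close
End Function

Dim conn, userName, storedHash
userName = Trim(Request.Form("username") & "")

' Reject empty or over-length input before it reaches the database layer.
If Len(userName) = 0 Or Len(userName) > MAX_USER_LEN Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed application-level setting
storedHash = LookupPasswordHash(conn, userName)
conn.Close

If IsNull(storedHash) Then
    ' Same message for "no such user" and "wrong password".
    Response.Write "Login failed"
    Response.End
End If
' Password verification against storedHash continues from here.
%>
```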