Web Site security problem

Hacking into Web Site: Another one:
One of my web sites runs on IIS 4 with NT 4 and NT service pack 6a. The site consists of asp pages with an asa page which sets sessions to the SQL 7 server for database queries. SQL 7 is running on another box and not on the Web server. I am currently experiencing a situation where several persons are using the following command to expose the username and password that is used by the asa page to create a session to the SQL server:

http://www.”Websitename”/null.htw?CiWebHitsFile=/”Foldername”/”Subfoldername”/
search.asp%20&CiRestriction=none&CiHiliteType=Full

Which security patch for IIS should be applied here?

Appreciate any help here. Thank you