Nevertheless, I suspect the site that was hacked was not running IIS.
It was (and is) Linux/Apache, but the exploit was executed by someone with physical access to the machine, not from a network attack.
No computer is safe from people with physical access.