OK, so, for 99% of us, this goes without saying, but for the 1% of the world, I just want to reiterate how important your password security is. A client today had a sever that they provide to their client. This client insisted on having an adminstrator RDP account. It was never used. But this was also their FTP account (based on how Windows manages RDP/FTP accounts)
So, even though they NEVER used the account for RDP access, they did use it for FTP access and several different people had access to the account. Today that account was used to access RDP and created three new users. They removed IIS completely and proceeded to start installing a game server.
Really?
Because of our monitoring, we knew within 30 minutes that the server had been compromised. We got the administrator password reset and locked down RDP. We checked the integrity of the backups and then reformatted the server. Client is in the process of reinstalling ColdFusion and reconfiguring IIS.
The sites served off this server will probably be down a total of about 12 hours. The bottom line is that a user password got compromised. How this happened we will never know but we know that the IP, user and password were emailed to someone else in a single email. We also do not at present know the status of anti-virus/malware software on the various client PCs.
Always always ALWAYS run a good virus scanner on your workstations.
