Remember to use a strong password for all VPS user accounts
Just a security note for the benefit of others.
I have a Windows semi-dedicated server with the Plesk control panel.
I always have a strong password on the Windows 'Administrator' user that I use for RDP access. However, until recently, I had a fairly weak password on the 'Admin' user, the one you use for logging in to Plesk. This was because we have a number of staff that need to log into Plesk from time to time and I just picked something easy for them to remember.
Problem is, one day when I logged in via RDP with the Windows Administrator user, I noticed new software that I knew I didn’t install myself. First it was a German version of Firefox. Then it was various poker software. And my staff knew nothing about it either.
This puzzled me for a while, and then I came across something interesting in the Documents and Settings folder for the Admin user. There were a bunch of cookies that would only have been created by someone logged in as the Admin user and browsing the web. And sure enough, there were ones there relating to Firefox, various poker sites and other garbage.
So what it looks like is that someone has been logging in to my server, possibly via RDP or another method, as the Admin user, using the weak password.
I have run various scans and removed a bunch of infected files. As far as I can tell, there is no damage done to the websites that I have been hosting.
But let this be a cautionary tale for other Windows VPS/semi-dedicated owners. Just because you only use the Admin user for logging into Plesk, doesn’t mean that someone else won’t try to exploit that username for another purpose.
Needless to say, I’ve logged in to Plesk using the Admin login and changed the password to something a lot stronger…