We traced it back to someone in Turkey. They didn't do a great job of covering their tracks, which is pretty unusual in my experience. Usually the only way you can tell your server has been hacked is because all the log files have been deleted. Considering how rubbish their internet connection is, they probably lost interest.
What did they do? Well... they essentially used various websites that sent spam email, pretending to be from Credit Agricole Bank, to thousands of email addresses in France. Pretty serious stuff. They used different websites and different bits of software to do this.
Step one is to block their access to the server so they cannot carry on using it as a gateway. Note the important thing here. The server was not hacked to access the client's data; it was hacked to use the server as a computer to send out large amounts of spam email. I often get people telling me that no one would be interested in their data and therefore they won't be hacked. That's BS, guys... and here is the proof...
So we changed the admin password and uninstalled VNC from the servers. Blocked the VNC ports on the firewall. Took down what info we could of what had happened, but it was more important to protect the network from further access. Uninstalled any dodgy-looking software on the server.
A couple of reboots, virus scanning, going through everything with a fine-tooth comb, essentially. Happy that the servers and network were now protected from any further unwanted visitors.
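One check worth running before declaring a server clean after a clean-up like the one above: confirm that the VNC listener really is gone, and look for the footprint of a spam relay, which is one process holding lots of outbound connections to mail ports at once. The script below is an added example, not code from the original post or from Colins IT Ltd. It parses a netstat-style socket table (the embedded sample is constructed, in the layout of `netstat -ano` on Windows) and flags both conditions. The VNC port range 5900-5906, the SMTP ports 25/465/587 and the threshold of three simultaneous mail connections are assumptions made for the example.

```python
# Added triage helper (not from the original post). Parses a netstat-style
# socket table and flags (a) a VNC listener that survived the uninstall and
# (b) a process with many outbound SMTP connections, the pattern of a server
# being abused as a spam gateway.
from collections import Counter

# Assumptions for the example: default VNC display ports 5900-5906 and the
# usual SMTP relay/submission ports. Adjust to what the server should run.
VNC_PORTS = set(range(5900, 5907))
SMTP_PORTS = {25, 465, 587}

# Constructed sample in the layout of `netstat -ano` on Windows.
# PID 2140 is a leftover VNC listener; PID 3377 is pushing mail to four hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2140
  TCP    192.168.1.10:49812     203.0.113.5:25         ESTABLISHED     3377
  TCP    192.168.1.10:49813     203.0.113.9:25         ESTABLISHED     3377
  TCP    192.168.1.10:49814     198.51.100.21:25       SYN_SENT        3377
  TCP    192.168.1.10:49815     198.51.100.44:25       ESTABLISHED     3377
  TCP    192.168.1.10:49900     198.51.100.7:587       ESTABLISHED     1200
  TCP    192.168.1.10:49901     203.0.113.80:443       ESTABLISHED     1200
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1560
"""


def split_endpoint(addr):
    """Split 'host:port' (IPv4, bracketed IPv6 or '*:*') into (host, port|None)."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped.
    TCP rows carry a State column, UDP rows do not, so the field count differs."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if len(parts) >= 5:
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        rows.append({"proto": proto, "local_ip": lip, "local_port": lport,
                     "remote_ip": rip, "remote_port": rport,
                     "state": state, "pid": int(pid)})
    return rows


def find_vnc_listeners(rows):
    """(pid, port) for every TCP socket still listening on a VNC port."""
    return sorted((r["pid"], r["local_port"]) for r in rows
                  if r["proto"] == "TCP" and r["state"] == "LISTENING"
                  and r["local_port"] in VNC_PORTS)


def find_smtp_talkers(rows, threshold=3):
    """pid -> count of outbound connections to SMTP ports, for pids at or
    above the threshold. SYN_SENT counts too: a spammer hammering dead MXs
    shows up as half-open connections."""
    counts = Counter(r["pid"] for r in rows
                     if r["proto"] == "TCP" and r["state"] != "LISTENING"
                     and r["remote_port"] in SMTP_PORTS)
    return {pid: n for pid, n in counts.items() if n >= threshold}


def triage(text, threshold=3):
    """Run both checks over a netstat dump and return the findings."""
    rows = parse_netstat(text)
    return {"vnc_listeners": find_vnc_listeners(rows),
            "smtp_talkers": find_smtp_talkers(rows, threshold)}


if __name__ == "__main__":
    findings = triage(SAMPLE_NETSTAT)
    for pid, port in findings["vnc_listeners"]:
        print(f"VNC still listening on port {port} (PID {pid}) - kill it and re-check the uninstall")
    for pid, n in findings["smtp_talkers"].items():
        print(f"PID {pid} holds {n} outbound SMTP connections - likely spam relay, inspect the process")
```

On a live box, replace `SAMPLE_NETSTAT` with the output of `netstat -ano` (or `ss -tanp` on Linux, whose columns differ and would need a matching parser) and look up any flagged PID in the task list before killing it; a legitimate mail server will also show many port-25 connections, so the threshold is a triage hint, not a verdict.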
Pretty interesting episode, and quite scary how easily and quickly this kind of thing can happen, so be warned. If you are not confident your systems are protected then get in touch with us - Colins IT Ltd
In the first instance you should not only have anti-virus on every single machine but also make sure that it is running correctly, is configured to scan everything on the network, runs a full scan regularly, reports any suspicious files and is constantly updated.
Oh, and using free anti-virus... seriously... you get what you pay for. If you can't afford to pay £30-odd a year to protect your vital data, credit card details, countless hours of work etc., that is something worth thinking about...