I don't know if it is bad luck or what, but I've had 2 servers get phishing sites installed in the last week. The first one I do not have much control over, so it wasn't up to date or even a well set up server; I'm leaving it out of the discussion for the most part.
The second server, however, I am very involved with, and I thought I had it buttoned down very well. First, a little background information. This server gets attacked more than any other server I have out there (I manage small business networks, so I have a lot of single-server networks out there). There are frequent failure audits in the security log from people at remote IP addresses trying to log in with generic names. But since most of the attempts are for usernames like bob, mike, administrator, etc., which do not fit the naming structure of the domain, I never worried too much. The Administrator account was renamed long ago, and accounts lock out after 3 attempts.
Now I get contacted that a phishing site has been detected. I find that on March 28 at 9 PM the Apache web server was installed and the website was created. I do more digging and find a username, Paul, that should not be on the server, and what do you know, he is an administrator. I find that Paul logged in shortly before the software was installed, from an outside IP address (Bulgaria, of course). I was curious and saw that his account was showing as logged in at the moment but idle. So I changed his password and logged into the server with his account to find his open session still there with the documents open. I know how to remove the Apache server, the website, and his account, but I want to know how he got in and how to stop it in the future. Any ideas or thoughts?
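An added triage script for the question above (not from the original post or any reply): it reads the Windows Security log on the affected server and answers "how did he get in" from the events the poster already has. The rogue account name `Paul` comes from the post; the 14-day window, the event IDs used, the `Test-PrivateIp` helper and its address ranges are assumptions. It needs Account Management and Logon/Logoff auditing to have been enabled, and must be run elevated on the server.

```powershell
# Added triage script for the incident described above; not from the original
# post. Assumes Windows Server 2008 or later with account-management and
# logon/logoff auditing enabled, run elevated on the affected server.
# 'Paul' is the account named in the post; the window and the private-address
# test are assumptions.
param(
    [string]$Suspect = 'Paul',
    [datetime]$Since = (Get-Date).AddDays(-14)
)

# Security event IDs used:
#  4720 account created   4722 account enabled   4724 password reset by another user
#  4728/4732/4756 member added to a global/local/universal security group
#  4624 logon success (LogonType 3 = network, 10 = RDP)   4625 logon failure   4740 lockout
$ids = 4720, 4722, 4724, 4728, 4732, 4756, 4624, 4625, 4740

function Test-PrivateIp([string]$ip) {
    # RFC 1918 ranges, loopback, link-local, IPv6 loopback, and the '-' / empty
    # value Windows logs for local logons. Anything else is treated as outside.
    return ($ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|-$|$)')
}

# Read the raw events once and flatten each event's XML EventData into named fields.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Subject   = $d['SubjectUserName']   # account that performed the action
            Target    = $d['TargetUserName']    # account acted on (the group name for 4728/4732/4756)
            Member    = $d['MemberName']        # member added, for group-change events
            LogonType = $d['LogonType']
            IpAddress = $d['IpAddress']
        }
    }

# 1. Who created, enabled or reset the rogue account? That Subject is the account
#    the attacker already controlled, so it is the real pivot point of the investigation.
"== Creation / enabling / password reset of $Suspect =="
$events | Where-Object { ($_.Id -in 4720, 4722, 4724) -and $_.Target -eq $Suspect } |
    Format-Table Time, Id, Subject, Target -AutoSize

# 2. Which groups was it added to, and by whom?
"== Group membership changes involving $Suspect =="
$events | Where-Object { ($_.Id -in 4728, 4732, 4756) -and $_.Member -like "*$Suspect*" } |
    Format-Table Time, Id, Subject, Target, Member -AutoSize

# 3. Every successful logon by the suspect and by whoever created it, flagged by
#    source address. LogonType 10 from a public address means RDP is reachable from the Internet.
$creators = @($events | Where-Object { $_.Id -eq 4720 -and $_.Target -eq $Suspect } |
    Select-Object -ExpandProperty Subject)
"== Successful logons for $Suspect and its creator(s): $($creators -join ', ') =="
$events | Where-Object { $_.Id -eq 4624 -and ($_.Target -eq $Suspect -or $_.Target -in $creators) } |
    Select-Object Time, Target, LogonType, IpAddress,
        @{ n = 'External'; e = { -not (Test-PrivateIp $_.IpAddress) } } |
    Format-Table -AutoSize

# 4. Failed logons per target account. The generic names are noise; any real account
#    that shows up here (with or without a matching 4740 lockout) is the one being guessed.
"== Failed logons per account (top 15) =="
$events | Where-Object { $_.Id -eq 4625 } | Group-Object Target |
    Sort-Object Count -Descending | Select-Object -First 15 Count, Name | Format-Table -AutoSize
```

Run it as `.\Triage.ps1 -Suspect Paul -Since '2012-03-14'` (adjust the date to the year of the incident). Section 1 is the one to read first: a 4720 for `Paul` names the legitimate account that created him, and section 3 then shows whether that account was itself logging in from an outside address before March 28. If the Security log has already rolled over and no 4720 survives, the creator's identity is gone, which is the argument for forwarding the log off the box or raising its size before the next incident.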