I discovered last night that some script kiddie has had access to one of my servers for the last six months.
They seem to have only been using it to run poker apps and log into PayPal (they had also turned off automatic Windows updates and created their own admin user, neither of which I had noticed).
Still, not good, I feel violated.
I've been trying to puzzle out how they broke in, and I've just realised how.
The server is virtual and was based on an old Win2k3 VMware image that I inherited from a colleague. The administrator password was very stupidly set to a dictionary word; we used the same admin password on all throwaway images.
I never log into it as admin, so I'd forgotten that. I'd never worried about the password, as that server isn't exposed to the Internet except via port 80.
I changed its IP address some time ago; unfortunately I'd missed that the IP address had RDP and SSH ports open on the firewall.
I had checked the open ports using ShieldsUp on grc.com, but hadn't noticed it was only probing a secondary IP address that isn't the one that had the two ports open. Doh.
Edited by andy (20/06/2011 07:30)
_________________________
Remind me to change my signature to something more interesting someday
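The lesson in the post above is that a one-IP web scanner only tells you about the address it happened to probe. The script below is an added example (mine, not andy's and not anything from grc.com): given every address a host owns, it probes each one for the admin ports the post names (RDP and SSH) and reports anything open that is not on an allow-list. Run it from outside the firewall to see what the Internet sees. The host list, port numbers and allow-list are illustrative assumptions.

```python
"""Added example (not from the original post): probe every address a
host owns for the admin ports mentioned in the post, rather than
trusting a single-IP web scanner such as ShieldsUp.

Assumptions (mine): the caller supplies the full list of addresses the
host answers on (primary, secondary, any NAT'd public IP), and runs this
from OUTSIDE the firewall. A port that times out or is refused is
reported as closed; there is no UDP probing here.
"""
import socket
from typing import Dict, Iterable, List, Set

# Ports the post names as unexpectedly open (RDP, SSH) plus the only one
# that was meant to be reachable (HTTP). Illustrative, not a standard.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
EXPECTED_PORTS = {80: "http"}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes.

    A filtered port times out and a closed one is refused; both come back
    as OSError (socket.timeout is a subclass in Python 3.3+) -> False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(hosts: Iterable[str], ports: Iterable[int],
          timeout: float = 2.0) -> Dict[str, List[int]]:
    """Probe every (host, port) pair; return open ports per host, sorted."""
    ports = list(ports)
    return {h: sorted(p for p in ports if tcp_open(h, p, timeout))
            for h in hosts}


def unexpected(results: Dict[str, List[int]],
               allowed: Set[int]) -> Dict[str, List[int]]:
    """Open ports that are not on the allow-list, keyed by host.

    Hosts with nothing unexpected are omitted so an empty dict means
    'clean'.
    """
    out = {}
    for host, open_ports in results.items():
        bad = [p for p in open_ports if p not in allowed]
        if bad:
            out[host] = bad
    return out


def report(hosts: Iterable[str]) -> Dict[str, List[int]]:
    """Convenience wrapper: check admin + expected ports on all hosts and
    return only the surprises (anything other than the expected ports)."""
    results = probe(hosts, list(ADMIN_PORTS) + list(EXPECTED_PORTS))
    return unexpected(results, set(EXPECTED_PORTS))


if __name__ == "__main__":
    # Illustrative addresses: replace with every IP the server answers on.
    for host, ports in report(["192.0.2.10", "192.0.2.11"]).items():
        names = ", ".join(f"{p}/{ADMIN_PORTS.get(p, '?')}" for p in ports)
        print(f"{host}: unexpected open ports: {names}")
```

The point of passing several hosts is exactly the failure mode in the post: the firewall rule was keyed to an address the author had stopped thinking of as the server, so a scan of the "current" IP came back clean. Feed it the old address too, and any secondary or public NAT address, or the result is as misleading as the single-IP scan was.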