The company I work for runs a series of ecommerce stores on a VPS. It's a WAMP stack, 50gb storage.
We use an archaic piece of ecommerce software which operates almost entirely client-side. When an order is taken, it writes it to disk and then we schedule a task to download the orders once every 10 minutes.
A few days ago, we ran out of disk space, which caused orders to fail to be written. I quickly hopped on to delete some old logs from the mailserver and freed up a couple of GB pretty quickly, but I wondered how we could fill up 50gb will nothing much more than logs.
Turns out, we didn't. Hidden deep within the c:\System Volume Information directory, we have a stack of pirated videos, which seem to have appeared (looking at the timestamps) over the past three weeks. Porn, American Sports, Australian cooking shows. A very odd collection. Doesn't look like an individual's personal tastes - more like the VPS is being used as a mule.
We have a 5-attempts and you're blocked policy on our FTP server (plus, there is no FTP account with access to that directory), and the windows user account has had it's password changed recently. The main avenues are sealed - and logs can verify that. I thought I'd watch and see if it happened again, and yes, another cooking show has appeared this morning.
I am the only one to know of this problem at my company, and only one of two with access to the VPS (the other being my boss, but no - it's not him).
So how is this happening?
Is there a vulnerability in some of the software on the VPS?
Are the VPS owners peddling warez across our rented space? (can they do this?)
I don't want to delete the warez in case it is seen as a hostile action against this outside force, and they choose to retaliate.
What should I do? How do I troubleshoot this?
Has this happened to anyone else before?
