If you leave RDP open with a simple password, it gets hacked within a few hours and a mining tool gets installed

The trigger was something perfectly ordinary.

A piece of equipment I was evaluating did not work as expected, and when I contacted the manufacturer, they offered to investigate it remotely.

Since I did not know when they would connect, I opened port 3389 for Remote Desktop, changed the Administrator password to a simple, easy-to-remember one, and sent an email saying "Go ahead whenever you like" at 10 a.m. on Friday, July 5th.

The investigation did not take place that day, and although I was uneasy about leaving it open until the start of the next week, I did not want to keep changing the settings back and forth, so I left it as it was.

Then came Monday, July 8th, the start of the new week.

Just as I was relaxing after lunch, the phone rang.

"It seems that a large amount of suspicious traffic is being sent from your line."

It was my ISP. I immediately realized I had been "done", but by then it was too late.

Looking at the Windows Server, the screen was locked on the Administrator account, and several sessions were running.

But when I tried to log on, the password I had set was rejected and I could not get in.

For the time being, I pulled out the LAN cable and tried to think calmly.

This environment is a test setup separate from the production environment; the only machines connected are two NAS units and one Windows Server, which were needed to evaluate the equipment.

So there was almost no real damage.

That said, with a hijacked machine right in front of me I panicked. "Huh? What? Wait...", and for a while I stopped thinking altogether.

After a while I remembered that one of the user accounts had been added to Domain Admins, so I logged on with that account right away.

After I reset the Administrator password that had been changed and switched to that account, there was an unfamiliar folder and a command prompt window on the desktop...

The screen I first saw after the hack

Scrolling through the command prompt, I saw strings such as "NEW JOB", "Speed", and "pool.supportxmr.com:80"...

Apparently a mining tool had been installed, and the machine's CPU was being used to mine cryptocurrency.

A cryptocurrency mining tool had been planted
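A triage and hardening script for the situation the post describes, added here as an example; it is not part of the original post and not the author's own tooling. It reads the RDP and account-lockout settings that made the box guessable, counts failed logons (Security event 4625) by source address, lists successful RDP logons (event 4624 with logon type 10), and looks for running processes and their connections that match mining-pool strings. pool.supportxmr.com is the only indicator taken from the post; the other indicator strings, the three-day look-back window and the management address 203.0.113.10 are assumptions. Run it in an elevated PowerShell on the Windows Server.

```powershell
# Added example (not from the original post): RDP exposure triage for a
# Windows Server that was left reachable on 3389 with a weak password.
# Assumptions: the indicator list, the look-back window and $ManagementIp.

$LookBackDays    = 3
$MinerIndicators = @('supportxmr.com', 'xmrig', 'stratum+tcp', 'stratum+ssl')  # assumed; only supportxmr.com is from the post
$ManagementIp    = '203.0.113.10'  # assumed: the single address that should reach RDP

function Get-RdpExposure {
    # Is RDP on, is Network Level Authentication enforced, is 3389 listening,
    # and does the lockout policy give an attacker unlimited guesses?
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($tcp.UserAuthentication -eq 1)
        Listening   = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        Lockout     = "$(net accounts | Select-String 'Lockout threshold')".Trim()
    }
}

function Get-LogonEventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Pull the named EventData fields (IpAddress, TargetUserName, LogonType...) out of a 4624/4625 record.
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields['TimeCreated'] = $Event.TimeCreated
    $fields
}

function Get-RdpBruteForceSummary {
    # Failed logons grouped by source IP: a guessing campaign shows up as
    # thousands of 4625 events from a handful of addresses.
    $since = (Get-Date).AddDays(-$LookBackDays)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-LogonEventFields $_ } |
        Group-Object { $_['IpAddress'] } |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
}

function Get-RdpSuccessfulLogons {
    # Successful logons of type 10 (RemoteInteractive, i.e. RDP). The first
    # one from an address you do not recognise is when the box was taken.
    $since = (Get-Date).AddDays(-$LookBackDays)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-LogonEventFields $_ } |
        Where-Object { $_['LogonType'] -eq '10' } |
        ForEach-Object { [pscustomobject]@{ Time = $_['TimeCreated']; User = $_['TargetUserName']; Ip = $_['IpAddress'] } }
}

function Get-MinerProcesses {
    # Processes whose command line names a pool or miner, with the TCP
    # connections each one owns (the post saw a pool on port 80).
    $pattern = ($MinerIndicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-CimInstance Win32_Process |
        Where-Object { $_.CommandLine -match $pattern } |
        ForEach-Object {
            $p = $_
            $remote = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
                      ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Name        = $p.Name
                Path        = $p.ExecutablePath
                Remote      = ($remote -join ', ')
                CommandLine = $p.CommandLine
            }
        }
}

function Set-RdpHardening {
    # For the rebuilt server (a host that ran an attacker's binary as
    # Administrator should be reinstalled, not cleaned): require NLA, add a
    # lockout so guessing gets expensive, and restrict 3389 to one address.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $ManagementIp
}

Get-RdpExposure          | Format-List
Get-RdpBruteForceSummary | Format-Table -AutoSize
Get-RdpSuccessfulLogons  | Format-Table -AutoSize
Get-MinerProcesses       | Format-List
# Set-RdpHardening       # run only on the reinstalled server, not the compromised one
```

Two caveats when using this on a box in the state the post describes. The Security log is sitting on a host the attacker had Administrator on, so export it (for example with wevtutil epl Security) before reinstalling, and check for event 1102 (audit log cleared), which means the 4625/4624 history may be gone. And the lockout step only slows guessing; the change that actually closes the hole is the firewall rule, which replaces "open to the whole internet" with "open to one management address".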