Going this morning to a customer who had a set of systems compromised. It appears that a windows trojan did some keylogging, and someone logged in, as root, from the compromised machine.
Folks, stay safe. Don’t use passwords for ssh. Use keys.
And, bluntly, seriously reconsider running any windows machine anywhere near a server/HPC resource.
Our efforts to help fix their problem are going to cost this customer thousands of dollars and lots of our time. This isn’t what they want or anyone else needs.
If you must run windows, run it in a VM atop a heavily firewalled Linux/Mac machine. You can isolate the VM so that it can never see the outside world apart from very specific ports.
It looks like this customer let their bot infect other machines, and eventually take control over their server, compute nodes, and backup system.