Well said, Gareth. Yeah, my “regular Jo” list was for regular Jo’s. Sysadmins should be expected to be a lot smarter.
Awaiting a response from the managing company. I suggested that they hardware-firewall off EVERYTHING except the critical ports immediately and get started on moving the data off to a fresh server, move the IP address over to minimise downtime, and then reformat and reinstall the old server.
MS Terminal Server isn’t actually open to SmartData at all! But is to the world, and it a likely attack vector, yes. No website hosting from that machine, and I don’t believe there’s any direct connection to it from their web server; not sure what the HTTPS server is (only just discovered that; it’s some variety of HTTP Authentication protected service, perhaps a control panel of some sort): all we ever knew about the server was how to get in to MS SQL on it; the rest of it’s services we’re unaware of.
What boggles my mind is that we had to get our IP whitelisted on their firewall to get access to MS SQL (you’ll note that MS SQL doesn’t appear on the port scan, which I took from a different machine just to illustrate quite how “wide open” they are), so they’re running some kind of firewall… it’s just not blocking all of the important things!