I find out about hacked servers like this "hey Brett, can you tell me if you've seen dufus.exe running on an IIS server?", or "My log files dissappears and our site was defaced, do you think I was hacked?"
I'm being silly of course, but I did get a message from well respected MVP the other day about an IIS server that was running c:\winnt\system32\config\log\files\server.exe and a service called WinShell servicez. That will get your attention quick.
As it turns out, this computer had a bunch of illegal file names on it that belonged to movies placed on the computer by a hacker. The computer had been in their "lab" where it was not subject to the same security rules as other systems, but had been reprovisioned for other service when the problems were discovered. There was at least one hotfix that had not been applied (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) that was the means by which the server has hijacked.
Of course there a billion questions that arise, but the point of this post is this - there are usually some "zones" in an organization where the security rules are more relaxed than the rest of the organization. Systems, though, are at times more like a fluid that can move around in an organization. When that occurs, do you have special procedures in place to manage moving from an area of "relaxed" computer security to more rigid standards? Does this even happen in your organization?
-brett hill
