While I was working on a server and on the phone with the client, we both noticed commands being issued to the server, and then the server rebooted.
It was a funny situation because I asked the client if he was doing it, and he said “No, I thought it was you!”
After research it was determined that the hacker/bot came in through VNC on port 5900. I was unable to tell if it was a brute-force hack or some other vulnerability, but I did ask the client to either remove VNC or change the default port.
We were able to remove the hacked svchost.exe and replace it with the original, but the client decided he would feel better if we formatted and reloaded the OS and secured it.
It should be noted that this was a new client and Global-TechForce had not done any IT administration on the server prior to this issue.