This person used our service to carry out DDoS. When it happened for the first time, we suspended his server and told him to terminate the 2nd user, that is "Admin$". If this person didn't carry out the attack, then it means his server is compromised and someone else is doing it. If that is the case, we gave him a chance to terminate the user and change the pass of his server to avoid this again. Now in this case, no matter what, we never change the files/folders/settings of the client server, for security reasons. This server was owned by him, and to save it, it is his responsibility to take care of the case. The worst thing happened when he started to claim that our staff made that account and that we are doing DDoS from his server. Is he kidding us? I mean, seriously?
Proofs :
2 Users : http://prnt.sc/di5ds5
Report from OVH : http://prnt.sc/di5e22
His server : http://prnt.sc/di5dvb
IP blocked by OVH : http://prnt.sc/di5ihn
It is clearly written in our TOS that using our services for malicious purposes is prohibited and that we will take action. Despite the fact that we gave him a chance, he misused it. He used the same server for DDoSing again.