Hacker News

I remember reading that article about the open ports and distinctly recall they left out whether or not this was public facing. Not that it justifies anything, but it wouldn't be egregious.


It was found by someone scanning the internet at large and publishing results. Someone else went through that data long, long after the fact and looked to see if they'd ever scanned her servers. Because of that background, the public was able to see the ports--they would not have appeared in the scans if they were non-public.

But that doesn't mean she actually had VNC or RPC software actually listening on those ports, or that the software that was listening (whatever it might be) was actually vulnerable. It might be more likely than not that it was vulnerable--I mean, that's why security people look for things like that to begin with--but false alarms aren't exactly uncommon, either, and my customers have proven to me that there's no shortage of bizarre server configurations in the wild.



