Hey all, anyone have any experience with crypto infected Linux systems? My box that I use has xmrig running, and I've no idea how it got there, where it's hiding, or how to get it off my system. Speculating that it could be some rootkit bologna, and there are vague suggestions on the googles as to how to get it off my system without "nuking it from orbit".
So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek? Drop me a note at andyob [at] gmail.com if you've had some experience. I've got the thing backed up, so I'm ok with letting you pop on and see if you can work some magic.
if you have it backed up, and your backups are clean, just 'nuke it from orbit'.
why do you want to waste time going on a search for it?
if your files are encrypted you aren't getting them back and you might lose more anyways.
I'd personally just restore from the latest known clean backup if any, and do what somebody else has recommended: apply security updates and try to ensure they don't break in the same way again.
Using Unix utilities from within a compromised system is not a great idea. Rootkits may make evil software undetectable. If you must scan an infected system, it is usually better to just image it and scan the image from a known good system instead.
Re: Ubuntu, Crypto Malware
By: Android8675 to All on Tue Nov 15 2022 07:51 am
Hey all, anyone have any experience with crypto infected Linux systems?
So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek?
I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixe
Re: Ubuntu, Crypto Malware
By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am
Is there a simple way to clean out the /tmp folder in Linux, for us phlebs?
(/var/log folder getting kinda robust too)
So I could not for the life of me figure out where the exploit was on my system until I watched the process carefully. I could kill the process easily enough (sudo top), but it would fire up again within 10-15 minutes.
I could only guess that the app was being run from a cloud drive somewhere using RADIUS to execute the code locally. I've no idea how that works, and I stopped just after because I was tired, but the problem hasn't returned so I might be OK without RADIUS, at least for now. I checked my router settings to make sure no erroneous ports were open to the system (originally I had the system on the DMZ, but I figured now would be a good time to lock that down).
At any rate, at least I didn't have to reinstall everything, but at some point I need to update to 22LTS. Something for another day.
Re: Ubuntu, Crypto Malware
By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am
Is there a simple way to clean out the /tmp folder in Linux, for us phlebs?
https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up
(/var/log folder getting kinda robust too)
Most apps that log there should have configurable log rotation policies.
So I could not for the life of me figure out where the exploit was on my system until I watched the process
'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your system, then you start grepping for what restarts that process upon boot (if it is).
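An added example, not from the thread or any poster, of the "find where it lives, then find what restarts it" approach Digital Man describes: it resolves each matching process's real on-disk binary through /proc/PID/exe (which shows the true path even when the process lies about its name, and "(deleted)" when the file was unlinked after launch) and then greps the usual persistence spots plus /etc/ld.so.preload for a given string. The optional root-directory argument lets it run against a mounted disk image from a known-good system, as an earlier reply recommends; the miner name and the constructed paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Run from a trusted shell, or point
# ROOT at a mounted image of the suspect disk and inspect it from a clean box.

# Print "PID real-binary-path" for every process whose command name contains $1.
# Note: /proc/PID/comm holds only the first 15 characters of the name.
find_proc_paths() {
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        case "$comm" in *"$1"*) ;; *) continue ;; esac
        printf '%s %s\n' "${p#/proc/}" "$(readlink "$p/exe" 2>/dev/null || echo '?')"
    done
}

# Grep common persistence locations under root dir $2 (default: live system)
# for the string $1 (a binary path or name). Prints matching files and returns
# 0 if anything matched, 1 otherwise. Respawning every 10-15 minutes usually
# means a cron entry or a systemd timer/unit with Restart= set.
grep_persistence() {
    needle=$1; root=${2:-}; found=1
    for f in \
        "$root"/etc/crontab "$root"/etc/cron.d "$root"/etc/cron.hourly \
        "$root"/var/spool/cron/crontabs "$root"/etc/rc.local \
        "$root"/etc/systemd/system "$root"/etc/init.d \
        "$root"/root/.bashrc "$root"/home/*/.bashrc "$root"/home/*/.profile; do
        [ -e "$f" ] || continue
        if grep -rl -- "$needle" "$f" 2>/dev/null; then found=0; fi
    done
    return $found
}

# A non-empty /etc/ld.so.preload is how userland rootkits hide files and
# processes from ps/ls on the live box; report it. Returns 0 if present.
check_preload() {
    f=${1:-}/etc/ld.so.preload
    if [ -s "$f" ]; then
        echo "ld.so.preload is non-empty, every process loads these:"; cat "$f"; return 0
    fi
    return 1
}

# Usage on a live box (miner name assumed):
#   find_proc_paths xmrig; grep_persistence xmrig; check_preload
# Usage against an image mounted at /mnt/suspect from a clean system:
#   grep_persistence xmrig /mnt/suspect; check_preload /mnt/suspect
```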
you really should reinstall. they didn't exploit RADIUS.
and it's good practice and keeps you on your toes to learn a way to tear it down and put it up again after working out a system.
i wouldn't trust running an exploited system.