• Linux machine hit by ransomware

    From Rick Macdonald@21:1/5 to All on Mon Jul 7 05:00:01 2025
    I apologize for the length of this question.

    After running Debian for nearly 30 years (and other distros prior to
    that), my Linux server has been hit by a ransomware attack about 11 days
    ago. I have backups, so nothing important has been lost at this point.
    However, I can't figure out how it got in, how it works, if there are
    executables on my computer that need to be cleaned, etc. I believe I
    have been able to stop the attack by simply fixing permissions on
    directories and files. However, that obviously doesn't remove or block
    the attack from my machine.

    When I search for this malware on the web, I find Windows-specific
    discussions. If I'm unable to learn what to do from the folks here,
    suggestions about where to go for information and help would be most
    welcome.

    Here's what I have observed and done, which might have some clues:

    - I first noticed it because of the rattling of the hard drive and the
    hard drive activity light on solid.
    - Looking at iotop and top, I expected to see some process pegging the
    CPU and the disk I/O, but nothing seemed to stand out. I may have seen a
    Chromium thread doing a lot of I/O, but not for long.
    - I unplugged the network ethernet cable and it stopped. Later that day,
    I reconnected it and it started up again, but it seemed like it wasn't
    until an hour or three later. Then I unplugged it again.
    - At first I thought it was related to my media servers, Plex and Kodi,
    because the only files that I found to be encrypted were videos, audio
    files, and image files. Then I found 1 encrypted file that was
    different: my procmail rules file. This led me to notice that all of
    the encrypted files had "other" write permissions (666, 777). These were
    pretty much all old files from various sources. For example, photos from
    up to 20 years ago from other people's cameras, etc.
    - Because I suspected Kodi, I powered off the 3 android boxes I have in
    the house that run Kodi to access my server (using MariaDB and smb). I
    haven't yet turned on any of these boxes again.
    - The attack left a text file in every directory where it encrypted
    files, with the name "5a067ee9_3a53aaff_1aedfa64___READ_THIS___5a067ee9_3a53aaff_1aedfa64.txt",
    with owner/group "nobody/nogroup". I've quoted the ransom file text below.
    - No files outside of my home directory have been touched. I believe
    that only files writable by "other" were encrypted. After encryption,
    the files have a timestamp of the time of encryption, and are still
    owned by me. The encrypted files have names like "0H1JsqXEw5.fse_5a067ee9_3a53aaff_1aedfa64", where the characters after
    the dot (the extension, so to speak) are always the same.
    - I have found and changed the permissions of every file and directory
    (except for /tmp) writable by "other". When I connect the ethernet
    network cable now, there seems to be no further encrypting by the
    malware. I check this by the lack of disk activity and by using the find
    command to search for files newer than the time I last connected to the
    network; I also run "updatedb" and "locate" for filenames containing
    "READ_THIS" and "fse_". I disconnect the network overnight though, just
    in case.
    - I eventually realized that some files that appeared to be encrypted
    had not been renamed. I don't know what to think about this, other than
    maybe the malware program doesn't rename files until a directory is
    completed, and I disconnected the network cable while it appeared to be
    active.
    - During all this, there was a power outage. After that, one Windows PC
    that belonged to my mother has not been powered back on. I think I've
    read that such malware can jump from Windows to Linux.

    Some thoughts:

    I read that files created by NFS or smb can be owned by nobody/nogroup.
    The 2 running processes owned by nobody are /usr/bin/memcached and
    /usr/sbin/smbd. The remote kodi boxes access the server files using smb.

    I don't know what it means that only files owned by me have been hit,
    but only files with 777/666 permissions. Given that the new files are
    created by nobody, it seems like they aren't able to actually log into
    my account?

    The ransomware notification file:

    ATTENTION!

    All your files documents, photos, databases and other important files
    are encrypted by FuxSocy encryptor.
    The only method of recovering files is to purchase a private key. It is
    on our server and only we can recover your files.

      1. Visit https://tox.chat/download.html
      2. Download and install qTOX on your PC.
      3. Open it, click "New Profile" and create profile.
      4. Click "Add friends" button and search our contact - AD049F565435C774D2A7D0A96FC2CC2E4AB5D6B860AEB52F2B1F6A01BB2682104F1361981FDE

    The alternative way to contact as is to use Jabber:
      1. Visit https://psi-im.org/download/
      2. Download and install Psi on your PC.
      3. Register new account on https://thesecure.biz:5281/register/new
      4. Add new account in Psi.
      5. Add our contact - king_size_banana@thesecure.biz

    If you have problems to contact us via TOX and JABBER - send message to
    our email address KingSizeBanana@cock.li or king_size_banana@tutanota.com
    This communication method is VERY UNRELIABLE, use it only as a last
    resort. If you have not received an answer within 12 hours - try again
    or write to TOX or JABBER.

    In message please write your ID and wait our answer:
    5a067ee9_3a53aaff_1aedfa64

    Please note, this is time limited offer. You have about 7 days to
    contact us - after Jul 03 your private key will be deleted automatically
    and there will be no ways to get your files back. DO NOT try to recover
    your files by yourself, it may damage your data.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
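    An added example for this thread, not part of Rick's post or any reply: a small POSIX shell triage script that does what he describes checking by hand. It enumerates world-writable files and directories, the ransom-note files and the renamed encrypted files, lists what changed after a reference marker (the "files newer than the time I reconnected" check), and can strip the other-write bit once you have a copy of the disk. The `___READ_THIS___` and `.fse_` markers come from the post; the function names and the assumption that you point it at a mounted clone are this example's own.

```sh
#!/bin/sh
# Added triage helper, not code from the thread. Enumerates the artefacts
# Rick describes: world-writable files and directories, ransom-note files
# (name contains "___READ_THIS___") and renamed encrypted files (".fse_"
# extension). Point it at a read-only clone if you want to preserve
# evidence; strip_other_write changes permissions, so use it only after
# the original disks have been imaged.

NOTE_GLOB='*___READ_THIS___*'     # marker taken from the thread
ENC_GLOB='*.fse_*'                # extension taken from the thread

# Regular files and directories under $1 that anyone may write to
# (other-write bit set), without crossing into other file systems.
# Sticky world-writable directories such as /tmp are reported too.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 -print
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Ransom notes with owner, group and mtime: the owner shows which
# credential wrote them (nobody/nogroup in the thread), the mtime when.
list_notes() {
    find "$1" -xdev -type f -name "$NOTE_GLOB" -exec ls -l {} +
}

# Directories the encryptor finished with: one note per directory.
list_hit_dirs() {
    find "$1" -xdev -type f -name "$NOTE_GLOB" -exec dirname {} \; | sort -u
}

count_encrypted() {
    find "$1" -xdev -type f -name "$ENC_GLOB" | wc -l | tr -d ' '
}

# Files modified since a reference file was touched, e.g. a marker created
# just before reconnecting the network, to confirm activity has stopped.
list_newer_than() {
    find "$1" -xdev -type f -newer "$2" -print
}

# The remediation Rick applied: drop the other-write bit, logging each change.
strip_other_write() {
    list_world_writable "$1" | while IFS= read -r p; do
        chmod o-w "$p" && printf 'fixed %s\n' "$p"
    done
}

report() {
    printf 'world-writable entries: %s\n' "$(count_world_writable "$1")"
    printf 'renamed encrypted files: %s\n' "$(count_encrypted "$1")"
    printf 'directories containing a ransom note:\n'
    list_hit_dirs "$1"
}

# Usage: sh triage.sh /mnt/server/home   (a mounted clone, not the live disk)
if [ "$#" -ge 1 ]; then
    report "$1"
fi
```

Run it before and after reconnecting the network: a stable count of renamed files and an empty `list_newer_than` output against a freshly touched marker are the evidence that encryption has stopped, and `list_notes` gives the owner and timestamps worth keeping for the police report.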
  • From Karl Vogel@21:1/5 to All on Mon Jul 7 05:50:01 2025
    On Sun 06 Jul 2025 at 22:55:22 (-0400), Rick Macdonald wrote:

    > After running Debian for nearly 30 years (and other distros prior to
    > that), my Linux server has been hit by a ransomware attack about 11 days ago.
    > I have backups, so nothing important has been lost at this point.

    That's the most important thing.

    > However, I can't figure out how it got in, how it works, if there are
    > executables on my computer that need to be cleaned, etc.

    You should consider the entire system compromised beyond repair. Nuke and
    pave -- do a complete reinstall from scratch, restore from a known good
    backup, and re-enable services one at a time.

    Do you use a separate server for your logfiles? Unfortunately the ones
    you currently have are no longer trustworthy, so when you restore your box,
    I'd recommend setting up a separate logserver that accepts two things:

    * forwarded logs from your other boxes, and
    * a local-only SSH or console login so you can see the logs.

    I don't know the attack method, but I'd suspect smb first. That's why
    good logs are essential.

    --
    Karl Vogel I don't speak for anyone but myself

    Running on coffee and spite, supplies getting low.
    --Project status seen on Reddit, 2 Jul 2025

  • From Russell L. Harris@21:1/5 to Rick Macdonald on Mon Jul 7 06:10:01 2025
    On Sun, Jul 06, 2025 at 08:47:22PM -0600, Rick Macdonald wrote:
    > After running Debian for nearly 30 years (and other distros prior to
    > that), my Linux server has been hit by a ransomware attack about 11
    > days ago.

    Another machine running firewall software is cheap (in terms of
    electricity, noise, physical space) insurance. I would suggest
    IPFire. RLH

  • From Felix Miata@21:1/5 to All on Mon Jul 7 06:30:01 2025
    Karl Vogel composed on 2025-07-06 23:28 (UTC-0400):

    > I don't know the attack method, but I'd suspect smb first

    I stopped running samba a year or more ago. If I have something to get
    onto Windows, or something to get off of it, I boot Linux. That need is
    rare. It was probably last year when I last had any reason to boot
    Windows. When I do, I usually do it with the ethernet cable disconnected.
    With Win10 expiring, I'll have even less reason to boot Windows. :)
    --
    Evolution as taught in public schools is, like religion,
    based on faith, not based on science.

    Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

    Felix Miata

  • From tomas@tuxteam.de@21:1/5 to Russell L. Harris on Mon Jul 7 06:30:01 2025
    On Mon, Jul 07, 2025 at 04:02:26AM +0000, Russell L. Harris wrote:
    > On Sun, Jul 06, 2025 at 08:47:22PM -0600, Rick Macdonald wrote:
    > > After running Debian for nearly 30 years (and other distros prior to
    > > that), my Linux server has been hit by a ransomware attack about 11 days ago.
    >
    > Another machine running firewall software is cheap [...]

    OK...

    > insurance.

    no.

  • From Kamil Jońca@21:1/5 to Rick Macdonald on Mon Jul 7 09:10:01 2025
    Rick Macdonald <rickmacd@shaw.ca> writes:

    > I apologize for the length of this question.
    >
    > After running Debian for nearly 30 years (and other distros prior to
    > that), my Linux server has been hit by a ransomware attack about 11
    > days ago. I have backups, so nothing important has been lost at this
    > point. However, I can't figure out how it got in, how it works, if

    Maybe I overlooked something, but could it be the case that your home dir
    was exposed by Samba to another Windows machine and the ransomware ran on
    that Windows machine?
    KJ

    --
    http://wolnelektury.pl/wesprzyj/teraz/
    First law of debate:
    Never argue with a fool. People might not know the difference.

  • From Detlef Vollmann@21:1/5 to Karl Vogel on Mon Jul 7 22:20:01 2025
    On 7/7/25 05:28, Karl Vogel wrote:
    > On Sun 06 Jul 2025 at 22:55:22 (-0400), Rick Macdonald wrote:
    >
    > > After running Debian for nearly 30 years (and other distros prior to that),
    > > my Linux server has been hit by a ransomware attack about 11 days ago.
    > > I have backups, so nothing important has been lost at this point.
    >
    > That's the most important thing.
    >
    > > However, I can't figure out how it got in, how it works, if there are
    > > executables on my computer that need to be cleaned, etc.
    >
    > You should consider the entire system compromised beyond repair. Nuke and
    > pave -- do a complete reinstall from scratch, restore from a known good
    > backup, and re-enable services one at a time.

    The main point is to find out which system was hit.
    According to the description it looks like the Linux server itself
    wasn't hit, but a different system that can access files on the server
    via network...

    Detlef

  • From David Christensen@21:1/5 to Rick Macdonald on Tue Jul 8 02:20:01 2025
    On 7/6/25 19:47, Rick Macdonald wrote:
    > I apologize for the length of this question.
    >
    > After running Debian for nearly 30 years (and other distros prior to
    > that), my Linux server has been hit by a ransomware attack about 11 days
    > ago.


    I would power off all computers on your network. Only boot them when
    they are known good (e.g. re-imaged or OS reinstall).


    Change passwords and generate new user SSH keys (with passwords) on all
    local hosts.


    Get or make uninfected bootable media that you can use to boot
    computers, install, and/or reinstall as needed.


    Document your work thoroughly. Use the console and script(1) whenever
    possible. Use a version control system for any and all files you touch.


    > I have backups, so nothing important has been lost at this point.


    Do you have multiple backups? If not, get more disks and do so.


    Consider archiving your last good backup to write-once optical media
    (e.g. CD-R, DVD-R, BD-R, DL, XL, etc.).


    You are going to need backups while you recover.


    > However, I can't figure out how it got in, how it works, if there are
    > executables on my computer that need to be cleaned, etc. I believe I
    > have been able to stop the attack by simply fixing permissions on
    > directories and files. However, that obviously doesn't remove or block
    > the attack from my machine.
    >
    > When I search for this malware on the web, I find Windows-specific
    > discussions. If I'm unable to learn what to do from the folks here,
    > suggestions about where to go for information and help would be most
    > welcome.
    >
    > Here's what I have observed and done, which might have some clues:
    >
    > - I first noticed it because of the rattling of the hard drive and the
    > hard drive activity light on solid.
    > - Looking at iotop and top, I expected to see some process pegging the
    > CPU and the disk I/O, but nothing seemed to stand out. I may have seen a
    > Chromium thread doing a lot of I/O, but not for long.
    > - I unplugged the network ethernet cable and it stopped. Later that day,
    > I reconnected it and it started up again, but it seemed like it wasn't
    > until an hour or three later. Then I unplugged it again.
    > - At first I thought it was related to my media servers, Plex and Kodi,
    > because the only files that I found to be encrypted were videos, audio
    > files, and image files. Then I found 1 encrypted file that was
    > different: my procmail rules file. This led me to notice that all of
    > the encrypted files had "other" write permissions (666, 777). These were
    > pretty much all old files from various sources. For example, photos from
    > up to 20 years ago from other people's cameras, etc.
    > - Because I suspected Kodi, I powered off the 3 android boxes I have in
    > the house that run Kodi to access my server (using MariaDB and smb). I
    > haven't yet turned on any of these boxes again.
    > - The attack left a text file in every directory where it encrypted
    > files, with the name "5a067ee9_3a53aaff_1aedfa64___READ_THIS___5a067ee9_3a53aaff_1aedfa64.txt",
    > with owner/group "nobody/nogroup". I've quoted the ransom file text below.
    > - No files outside of my home directory have been touched. I believe
    > that only files writable by "other" were encrypted. After encryption,
    > the files have a timestamp of the time of encryption, and are still
    > owned by me. The encrypted files have names like
    > "0H1JsqXEw5.fse_5a067ee9_3a53aaff_1aedfa64", where the characters after
    > the dot (the extension, so to speak) are always the same.
    > - I have found and changed the permissions of every file and directory
    > (except for /tmp) writable by "other". When I connect the ethernet
    > network cable now, there seems to be no further encrypting by the
    > malware. I check this by the lack of disk activity and by using the find
    > command to search for files newer than the time I last connected to the
    > network; I also run "updatedb" and "locate" for filenames containing
    > "READ_THIS" and "fse_". I disconnect the network overnight though, just
    > in case.
    > - I eventually realized that some files that appeared to be encrypted
    > had not been renamed. I don't know what to think about this, other than
    > maybe the malware program doesn't rename files until a directory is
    > completed, and I disconnected the network cable while it appeared to be
    > active.
    > - During all this, there was a power outage. After that, one Windows PC
    > that belonged to my mother has not been powered back on. I think I've
    > read that such malware can jump from Windows to Linux.
    >
    > Some thoughts:
    >
    > I read that files created by NFS or smb can be owned by nobody/nogroup.
    > The 2 running processes owned by nobody are /usr/bin/memcached and
    > /usr/sbin/smbd. The remote kodi boxes access the server files using smb.
    >
    > I don't know what it means that only files owned by me have been hit,
    > but only files with 777/666 permissions. Given that the new files are
    > created by nobody, it seems like they aren't able to actually log into
    > my account?
    >
    > The ransomware notification file:
    >
    > ***REDACTED***


    Print the ransomware file, take it to the police, file a complaint, and
    get a police report number.


    Making changes to the infected disks will make it harder to figure out
    what happened. It is best to remove the infected disks, clone them to
    working disks, and investigate the clones. And, you may want a third
    set of disks when it is time to rebuild the server.


    Have you configured your Internet gateway (firewall pinholes, port
    forwarding) to allow WAN incoming packets and to forward the packets to
    the server or some other internal host?


    Please boot live media in the server, open a root terminal, mount the
    server file systems under /mnt/server/, run the following commands (I
    have assumed your username is "rick"; please substitute the correct
    name), and copy/paste the console session into your reply. Document any changes that you have made since the attack:

    # egrep '^/dev' /mnt/server/etc/fstab

    # grep nobody /mnt/server//etc/passwd

    # grep rick /mnt/server//etc/passwd

    # grep nogroup /mnt/server/etc/group

    # grep sudo /mnt/server/etc/group

    # grep rick /mnt/server/etc/group

    # egrep '^#?PasswordAuthentication' /mnt/server/etc/ssh/sshd_config

    # find /mnt/server/ -name '*___READ_THIS___*' -print0 2>/dev/null |
    xargs -r -0 ls -l

    # find /mnt/server/ -name '*___READ_THIS___*' -print0 2>/dev/null |
    xargs -r -0 dirname -z | xargs -r -0 ls -ld


    Please provide `ls -l` listings for some example malware encrypted files
    and for the directories that contain them. Document changes.


    David

  • From tomas@tuxteam.de@21:1/5 to Detlef Vollmann on Tue Jul 8 07:10:02 2025
    On Mon, Jul 07, 2025 at 09:44:11PM +0200, Detlef Vollmann wrote:

    [...]

    > The main point is to find out which system was hit.
    > According to the description it looks like the Linux server itself
    > wasn't hit, but a different system that can access files on the server
    > via network...

    Yes. The guess put forward elsewhere in this thread that it was perhaps
    a Windows client over Samba is pretty compelling. Especially the
    observation that only world-writable files were hit is a finger pointing
    in this direction.

    Cheers
    --
    tomás

  • From David Christensen@21:1/5 to Rick Macdonald on Tue Jul 8 08:00:01 2025
    On 7/6/25 19:47, Rick Macdonald wrote:
    > After running Debian for nearly 30 years (and other distros prior to
    > that), my Linux server has been hit by a ransomware attack about 11
    > days ago.

    On 7/7/25 17:18, David Christensen wrote:
    > Please boot live media in the server, open a root terminal, mount the
    > server file systems under /mnt/server/, run the following commands (I
    > have assumed your username is "rick"; please substitute the correct
    > name), and copy/paste the console session into your reply.  Document any
    > changes that you have made since the attack:


    To investigate the Samba theory:

    # testparm


    David

  • From Joe@21:1/5 to tomas@tuxteam.de on Tue Jul 8 12:00:01 2025
    On Tue, 8 Jul 2025 07:02:09 +0200
    <tomas@tuxteam.de> wrote:

    > On Mon, Jul 07, 2025 at 09:44:11PM +0200, Detlef Vollmann wrote:
    >
    > [...]
    >
    > > The main point is to find out which system was hit.
    > > According to the description it looks like the Linux server itself
    > > wasn't hit, but a different system that can access files on the
    > > server via network...
    >
    > Yes. The guess put forward elsewhere in this thread that it was
    > perhaps a Windows client over Samba is pretty compelling. Especially
    > the observation that only world-writable files were hit is a finger
    > pointing in this direction.

    Presumably if there was 8-year-old Linux ransomware, we would know about
    it already. I think it is fairly certain it was a Windows machine that
    was compromised.

    --
    Joe

  • From Michael Stone@21:1/5 to john doe on Wed Jul 9 13:20:01 2025
    On Mon, Jul 07, 2025 at 07:17:36AM +0200, john doe wrote:
    > In this case, a perimeter firewall will not help.
    >
    > You likely got compromised by downloading something from the internet
    > or via e-mail.

    That is unlikely if the generated files were owned by nobody rather than
    the user.

  • From Andy Smith@21:1/5 to Michael Stone on Wed Jul 9 15:40:01 2025
    Hi,

    On Wed, Jul 09, 2025 at 07:17:25AM -0400, Michael Stone wrote:
    > On Mon, Jul 07, 2025 at 07:17:36AM +0200, john doe wrote:
    > > In this case, a perimeter firewall will not help.
    > >
    > > You likely got compromised by downloading something from the internet
    > > or via e-mail.
    >
    > That is unlikely if the generated files were owned by nobody rather than
    > the user.

    Indeed. Though, I would say that as it's looking very likely that this
    happened on one of the devices that has things mounted by SMB, such as
    one of the Windows computers or the Kodi device, this is probably going
    to be some Windows software or a plugin for Kodi. As such, that's also
    not going to be caught by any kind of firewall.

    Having backups is certainly a lifesaver but I think it would be worth
    OP's time to do an audit of what exactly is shared and if it really needs
    to be writable. This kind of encryption ransomware is really common on
    Windows. It just goes through every mounted drive looking for what it
    can encrypt, so it doesn't care that the drive is local or over SMB (or
    what OS the Samba server is), just that it can write.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From Rick Macdonald@21:1/5 to tomas@tuxteam.de on Wed Jul 9 19:40:02 2025
    On 2025-07-07 23:02, tomas@tuxteam.de wrote:
    > On Mon, Jul 07, 2025 at 09:44:11PM +0200, Detlef Vollmann wrote:
    >
    > [...]
    >
    > > The main point is to find out which system was hit.
    > > According to the description it looks like the Linux server itself
    > > wasn't hit, but a different system that can access files on the server
    > > via network...
    >
    > Yes. The guess put forward elsewhere in this thread that it was perhaps
    > a Windows client over Samba is pretty compelling. Especially the
    > observation that only world-writable files were hit is a finger pointing
    > in this direction.

    I had a question that I forgot to add to my initial long post. This was
    since "top" didn't show any great CPU usage, could the encryption have
    been performed on another machine (Windows or one of my 3 Android Kodi
    boxes)? A number of you suggested exactly this.

    I checked, and sure enough, smb.conf had world-writeable permissions.
    I've seen where some Kodi web pages suggest this. I've had it this way
    for many years, but now I have made it read-only.

    So far, I booted up the Windows machine. I don't see any sign of an
    attack on it. This is my mother's PC. She passed away at age 100 a year
    ago. The PC is on and connected to the network, but I don't do much on it.

    I also booted up 1 of my 3 Android Kodi boxes. No new attacks on my
    Linux server. I'll look at the other 2 next.

    The only Kodi addon I remember updating recently is opentitles, which
    seems to have switched from opentitles.org to opentitles.com.

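    An added example, not Rick's configuration and not Samba's own tooling: a shell/awk audit of an smb.conf that flags shares an unauthenticated client could write to, which is the exposure Rick found (a guest-accessible, writeable media share of the kind the Kodi how-tos suggest) and the thing Andy suggests auditing. The two embedded configs are constructed for this example: the share name MySharedStuff is taken from the thread, the paths and user name are placeholders, and the second config shows the read-only form Rick switched to next to an authenticated share for anything that genuinely has to be written.

```sh
#!/bin/sh
# Added example, not from the thread: audit an smb.conf for shares that a
# guest (unauthenticated) client can write to. Parameter names are matched
# the way Samba matches them, case-insensitive with whitespace ignored, and
# the synonyms writable/writeable/write ok and public/guest ok are handled.
# Output: one line per writable share, either "<share> guest-writable" or
# "<share> writable" (authenticated users only). Shares default to read-only
# and no guest access, as in Samba.

audit_smbconf() {
    awk '
        function flush() {
            if (sec != "" && tolower(sec) != "global") {
                if (writable && guest) print sec, "guest-writable"
                else if (writable)     print sec, "writable"
            }
        }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # [share] header
            flush()
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            writable = 0; guest = 0                  # Samba defaults
            next
        }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", key); key = tolower(key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
            yes = (val == "yes" || val == "true" || val == "1")
            no  = (val == "no"  || val == "false" || val == "0")
            if (key == "writeable" || key == "writable" || key == "writeok") {
                if (yes) writable = 1; if (no) writable = 0
            }
            if (key == "readonly") {                 # inverse of writeable
                if (no) writable = 1; if (yes) writable = 0
            }
            if (key == "guestok" || key == "public") {
                if (yes) guest = 1; if (no) guest = 0
            }
        }
        END { flush() }
    ' "$1"
}

count_guest_writable() {
    audit_smbconf "$1" | grep -c 'guest-writable$' || true
}

# Constructed config in the shape of the Kodi how-tos Rick mentions:
# a guest-accessible, writable media share. Paths and USER are placeholders.
write_weak_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[MySharedStuff]
   path = /home/USER/Media
   guest ok = yes
   writeable = yes
   force user = nobody

[Backups]
   path = /home/USER/Backups
   valid users = USER
   read only = no
EOF
}

# Hardened form: media is served read-only, guests are never mapped, and the
# only writable share requires an authenticated user.
write_hardened_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Never

[MySharedStuff]
   path = /home/USER/Media
   guest ok = yes
   read only = yes

[Backups]
   path = /home/USER/Backups
   valid users = USER
   read only = no
EOF
}

# Usage: sh smbaudit.sh /etc/samba/smb.conf
if [ "$#" -ge 1 ]; then
    audit_smbconf "$1"
fi
```

Feeding it the output of `testparm -s` rather than the raw file resolves includes and shows the effective values, which is also the check David asks for. A share that comes out as `writable` is not wrong in itself, but every client that can authenticate to it can do what the encryptor did, so the list is the set of machines whose compromise would reach the server.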
  • From Šarūnas Burdulis@21:1/5 to All on Wed Jul 9 20:30:01 2025
    On 7/9/25 1:39 PM, Rick Macdonald wrote:
    > ...
    > I checked, and sure enough, smb.conf had world-writeable permissions.
    > I've seen where some Kodi web pages suggest this. I've had it this way
    > for many years, but now I have made it read-only.

    In samba logs you might be able to see which hosts did what and when on
    which shares.

    --
    Šarūnas Burdulis
    Dartmouth Mathematics
    math.dartmouth.edu/~sarunas

    · https://useplaintext.email ·

  • From Rick Macdonald@21:1/5 to All on Wed Jul 9 22:10:01 2025
    On 2025-07-09 12:26, Šarūnas Burdulis wrote:
    > On 7/9/25 1:39 PM, Rick Macdonald wrote:
    > > ...
    > > I checked, and sure enough, smb.conf had world-writeable permissions.
    > > I've seen where some Kodi web pages suggest this. I've had it this
    > > way for many years, but now I have made it read-only.
    >
    > In samba logs you might be able to see which hosts did what and when
    > on which shares.

    I had looked at the logs previously, but nothing much there other than
    START messages. I bumped the debuglevel to 2 just now, and see something
    strange, although I think it's OK.

    It seems something is opening every file in my Media share:

    [2025/07/09 13:16:23.016560,  2] ../../source3/smbd/open.c:1678(open_file)
      nobody opened file Video/XXX.mkv read=No write=No (numopen=2)
    [2025/07/09 13:16:23.016737,  2] ../../source3/smbd/close.c:830(close_normal_file)
      nobody closed file Video/XXX.mkv (numopen=0) NT_STATUS_OK

    $ psall smb
    USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root        1720  0.0  0.1  83616 22712 ?        Ss   10:18   0:00 /usr/sbin/smbd --foreground --no-process-group
    root        1741  0.0  0.0  81540  9012 ?        S    10:18   0:00 /usr/sbin/smbd --foreground --no-process-group
    root        1742  0.0  0.0  81556  5960 ?        S    10:18   0:00 /usr/sbin/smbd --foreground --no-process-group
    nobody     37191  5.6  0.1 114132 21344 ?        S    13:02   1:01 /usr/sbin/smbd --foreground --no-process-group

    I exited the Kodi instance running on my server, and it stopped.

    [2025/07/09 13:23:29.193749,  2] ../../source3/smbd/smb2_service.c:933(close_cnum)
       (ipv4:X.X.X.X:X) closed connection to service MySharedStuff

    I wonder if this was just Kodi going nuts refreshing thumbnails trying
    to scrape metadata? The media files are all defined to kodi as
    smb:/x.x.x.x. The thumbnails are in ~/.kodi, and there are many updated
    today.

    With the debug on, playing a video from kodi does get logged, so I can
    watch it for awhile. Unfortunately, it doesn't log the IP of the machine.

    Rick

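    An added example built around the log format Rick pasted, not code from the thread: a shell/awk filter for a Samba `log level = 2` log that separates opens requesting write access from the read-only opens a Kodi library scan produces, totals them per user, and pulls the client address out of the `close_cnum` messages, which is the one place in these excerpts that an address appears. The sample log is constructed for this example (a documentation-range address, invented file names) so that it contains both a read-only scan and a short burst of writes from the `nobody` account.

```sh
#!/bin/sh
# Added example, not from the thread: extract the security-relevant events
# from a Samba "log level = 2" smbd log. Messages span two lines: a header
#   [YYYY/MM/DD HH:MM:SS.micro,  level] source.c:line(function)
# followed by the message text. open_file messages state whether the client
# asked for write access; close_cnum messages carry the client address.

# _samba_events <writes|conns> <logfile>
_samba_events() {
    awk -v mode="$1" '
        /^\[/ {                                   # header line
            ts = substr($1, 2) " " $2; sub(/,$/, "", ts)
            fn = $0; sub(/\)[ \t]*$/, "", fn)
            n = split(fn, parts, "\\("); fn = parts[n]   # text inside the last (...)
            next
        }
        fn == "open_file" && /opened file/ {      # "<user> opened file <path> read=.. write=.. (numopen=N)"
            if (mode == "writes") {
                path = $0; sub(/^.*opened file /, "", path); sub(/ read=.*$/, "", path)
                w = $0; sub(/^.*write=/, "", w); sub(/ .*$/, "", w)
                if (w == "Yes") print ts, $1, path
            }
            fn = ""; next
        }
        fn == "close_cnum" && /closed connection to service/ {
            # "[machine] (ipv4:addr:port) closed connection to service <share>";
            # the machine name may be absent, so locate the (ipvN:...) token.
            if (mode == "conns" && match($0, /\(ipv[46]:[^)]*\)/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                sub(/^ipv[46]:/, "", ip); sub(/:[0-9]+$/, "", ip)
                print ts, ip, $NF
            }
            fn = ""
        }
    ' "$2"
}

# "<timestamp> <user> <path>" for every open that requested write access.
samba_write_opens() { _samba_events writes "$1"; }

count_write_opens() { samba_write_opens "$1" | wc -l | tr -d ' '; }

# "<user> <count>": a read-only media account with a non-zero count is the signal.
write_opens_by_user() {
    samba_write_opens "$1" | awk '{ c[$3]++ } END { for (u in c) print u, c[u] }'
}

# "<timestamp> <client-address> <share>" for each connection close.
samba_connections() { _samba_events conns "$1"; }

# Constructed log in the shape of the thread's smbd excerpts: one Kodi-style
# read-only open/close, two write opens, then the connection close that
# names the client. 192.0.2.10 is a documentation address.
write_sample_smb_log() {
    cat > "$1" <<'EOF'
[2025/07/09 13:16:23.016560,  2] ../../source3/smbd/open.c:1678(open_file)
  nobody opened file Video/Holiday.mkv read=Yes write=No (numopen=1)
[2025/07/09 13:16:23.016737,  2] ../../source3/smbd/close.c:830(close_normal_file)
  nobody closed file Video/Holiday.mkv (numopen=0) NT_STATUS_OK
[2025/07/09 13:17:01.000100,  2] ../../source3/smbd/open.c:1678(open_file)
  nobody opened file Photos/IMG_0001.jpg read=Yes write=Yes (numopen=1)
[2025/07/09 13:17:01.000900,  2] ../../source3/smbd/open.c:1678(open_file)
  nobody opened file Photos/___READ_THIS___.txt read=No write=Yes (numopen=2)
[2025/07/09 13:23:29.193749,  2] ../../source3/smbd/smb2_service.c:933(close_cnum)
  (ipv4:192.0.2.10:49152) closed connection to service MySharedStuff
EOF
}

# Usage: sh smblog.sh /var/log/samba/log.smbd
if [ "$#" -ge 1 ]; then
    printf 'write opens per user:\n'; write_opens_by_user "$1"
    printf 'connections:\n';          samba_connections "$1"
fi
```

The open/close messages at this level do not name the client, so attributing a write burst to a host means lining its timestamps up with the nearest `close_cnum` for the same share. If that pairing is needed routinely, Samba's `vfs_full_audit` module logs each file operation together with the client address, which removes the guesswork.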
  • From Andy Smith@21:1/5 to Rick Macdonald on Wed Jul 9 22:20:02 2025
    Hi,

    On Wed, Jul 09, 2025 at 02:00:15PM -0600, Rick Macdonald wrote:
    > It seems something is opening every file in my Media share:

    The thing is that something like Kodi will be scanning through all the
    files it has access to in order to update its media library, for
    example, as an intended part of its operation.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From David Christensen@21:1/5 to Rick Macdonald on Thu Jul 10 02:50:01 2025
    On 7/9/25 10:39, Rick Macdonald wrote:
    > I had a question that I forgot to add to my initial long post. This was
    > since "top" didn't show any great CPU usage, could the encryption have
    > been performed on another machine (Windows or one of my 3 Android Kodi
    > boxes)? A number of you suggested exactly this.
    >
    > I checked, and sure enough, smb.conf had world-writeable permissions.
    > I've seen where some Kodi web pages suggest this. I've had it this way
    > for many years, but now I have made it read-only.
    >
    > So far, I booted up the Windows machine. I don't see any sign of an
    > attack on it. This is my mother's PC. She passed away at age 100 a year
    > ago. The PC is on and connected to the network, but I don't do much on it.
    >
    > I also booted up 1 of my 3 Android Kodi boxes. No new attacks on my
    > Linux server. I'll look at the other 2 next.
    >
    > The only Kodi addon I remember updating recently is opentitles, which
    > seems to have switched from opentitles.org to opentitles.com.


    If you want to identify the source of the attack, one idea is to put the
    server on an isolated network segment, restore it to the configuration
    it had when the attacks occurred, and wait to see if the attacks resume.
    If so, find the source. If not, add a suspect computer to the
    isolated network segment and repeat.


    If you want to remove malware from the Windows computer, run Windows
    Update, run a Windows Defender full scan, and run a Windows Defender
    offline scan.


    David

  • From Rick Macdonald@21:1/5 to David Christensen on Thu Jul 10 07:20:01 2025
    On 2025-07-09 18:43, David Christensen wrote:
    > On 7/9/25 10:39, Rick Macdonald wrote:
    > > I had a question that I forgot to add to my initial long post. This
    > > was since "top" didn't show any great CPU usage, could the encryption
    > > have been performed on another machine (Windows or one of my 3
    > > Android Kodi boxes)? A number of you suggested exactly this.
    >
    > If you want to identify the source of the attack, one idea is to put
    > the server on an isolated network segment, restore it to the
    > configuration it had when the attacks occurred, and wait to see if the
    > attacks resume.  If so, find the source.  If not, add a suspect
    > computer to the isolated network segment and repeat.

    In 30 years I've never seen an isolated network. May I ask how this
    might be done?

    > If you want to remove malware from the Windows computer, run Windows
    > Update, run a Windows Defender full scan, and run a Windows Defender
    > offline scan.

    Will do, thanks.

  • From David Christensen@21:1/5 to Rick Macdonald on Thu Jul 10 08:30:01 2025
    On 7/9/25 22:14, Rick Macdonald wrote:

    On 2025-07-09 18:43, David Christensen wrote:
    On 7/9/25 10:39, Rick Macdonald wrote:
    I had a question that I forgot to add to my initial long post. This
    was since "top" didn't show any great CPU usage, could the encryption
    have been performed on another machine (Windows or one of my 3
    Android Kodi boxes)? A number of you suggested exactly this.

    If you want to identify the source of the attack, one idea is to put
    the server on an isolated network segment, restore it to the
    configuration it had when the attacks occurred, and wait to see if the
    attacks resume.  If so, find the source.  If not, add a suspect
    computer to the isolated network segment and repeat.

    In 30 years I've never seen an isolated network. May I ask how this
    might be done?


    Assuming an Internet gateway with 4 LAN ports and Wi-Fi, and a server
    with 1 LAN port, turn off everything except the gateway, connect the
    server LAN port to a gateway LAN port (via switches, if needed), and
    boot the server. Add wired hosts by connecting their LAN port to a
    gateway LAN port (via switches, if needed). Add Wi-Fi hosts by booting
    them.


    If you want to remove malware from the Windows computer, run Windows
    Update, run a Windows Defender full scan, and run a Windows Defender
    offline scan.

    Will do, thanks.


    YW.


    David

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Wooledge@21:1/5 to David Christensen on Thu Jul 10 13:00:02 2025
    On Wed, Jul 09, 2025 at 23:23:29 -0700, David Christensen wrote:
    On 7/9/25 22:14, Rick Macdonald wrote:
    In 30 years I've never seen an isolated network. May I ask how this
    might be done?

    Assuming an Internet gateway with 4 LAN ports and Wi-Fi, and a server
    with 1 LAN port, turn off everything except the gateway, connect the
    server LAN port to a gateway LAN port (via switches, if needed), and
    boot the server. Add wired hosts by connecting their LAN port to a
    gateway LAN port (via switches, if needed). Add Wi-Fi hosts by booting
    them.

    An alternative example (with no Wi-Fi):

    * One switch or hub. Connect to power.
    * Two or more computers. Connect to the switch/hub, and to power.
    * On each computer, set an appropriate address manually, so they can
    talk to each other.

    Use any non-routable IP addressing you like. 192.168.1.* is a common
    choice.

    As an even simpler example, if you only have *two* computers, you can
    connect them directly to each other, without needing a switch/hub.
    Back in the olden days (before gigabit ethernet adapters), you would
    have needed a special crossover ethernet cable for this. Now, on modern
    devices, you should be able to use a regular ethernet cable.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Joe@21:1/5 to Greg Wooledge on Thu Jul 10 15:30:01 2025
    On Thu, 10 Jul 2025 06:57:10 -0400
    Greg Wooledge <greg@wooledge.org> wrote:

    On Wed, Jul 09, 2025 at 23:23:29 -0700, David Christensen wrote:
    On 7/9/25 22:14, Rick Macdonald wrote:
    In 30 years I've never seen an isolated network. May I ask how
    this might be done?

    Assuming an Internet gateway with 4 LAN ports and Wi-Fi, and a
    server with 1 LAN port, turn off everything except the gateway,
    connect the server LAN port to a gateway LAN port (via switches,
    if needed), and boot the server. Add wired hosts by connecting
    their LAN port to a gateway LAN port (via switches, if needed).
    Add Wi-Fi hosts by booting them.

    An alternative example (with no Wi-Fi):

    * One switch or hub. Connect to power.
    * Two or more computers. Connect to the switch/hub, and to power.
    * On each computer, set an appropriate address manually, so they can
    talk to each other.

    Use any non-routable IP addressing you like. 192.168.1.* is a common
    choice.

    As an even simpler example, if you only have *two* computers, you can
    connect them directly to each other, without needing a switch/hub.
    Back in the olden days (before gigabit ethernet adapters), you would
    have needed a special crossover ethernet cable for this. Now, on
    modern devices, you should be able to use a regular ethernet cable.


    That came with 100M Ethernet, so there will be extremely little kit
    around needing a crossover.

    --
    Joe

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From rickmacd@shaw.ca@21:1/5 to Greg Wooledge on Fri Jul 11 01:40:01 2025
    On 2025-07-10 04:57, Greg Wooledge wrote:
    On Wed, Jul 09, 2025 at 23:23:29 -0700, David Christensen wrote:
    On 7/9/25 22:14, Rick Macdonald wrote:
    In 30 years I've never seen an isolated network. May I ask how this
    might be done?
    Assuming an Internet gateway with 4 LAN ports and Wi-Fi, and a server
    with 1 LAN port, turn off everything except the gateway, connect the
    server LAN port to a gateway LAN port (via switches, if needed), and
    boot the server. Add wired hosts by connecting their LAN port to a
    gateway LAN port (via switches, if needed). Add Wi-Fi hosts by booting
    them.
    An alternative example (with no Wi-Fi):

    * One switch or hub. Connect to power.
    * Two or more computers. Connect to the switch/hub, and to power.
    * On each computer, set an appropriate address manually, so they can
    talk to each other.

    Use any non-routable IP addressing you like. 192.168.1.* is a common
    choice.

    OK, this I can understand and do. I had actually typed up this as a
    "guess", but then erased it thinking it might need something more
    complicated.

    As an even simpler example, if you only have *two* computers, you can
    connect them directly to each other, without needing a switch/hub.
    Back in the olden days (before gigabit ethernet adapters), you would
    have needed a special crossover ethernet cable for this. Now, on modern
    devices, you should be able to use a regular ethernet cable.

    I have an extra switch sitting on the shelf, so I'm good.

    Thanks to all for the continuing help.

    Rick

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From David Christensen@21:1/5 to rickmacd@shaw.ca on Fri Jul 11 05:20:01 2025
    On 7/10/25 16:37, rickmacd@shaw.ca wrote:

    On 2025-07-10 04:57, Greg Wooledge wrote:
    On 7/9/25 22:14, Rick Macdonald wrote:
    In 30 years I've never seen an isolated network. May I ask how this
    might be done?
    An alternative example (with no Wi-Fi):

    * One switch or hub. Connect to power.
    * Two or more computers. Connect to the switch/hub, and to power.
    * On each computer, set an appropriate address manually, so they can
    talk to each other.

    Use any non-routable IP addressing you like. 192.168.1.* is a common
    choice.

    OK, this I can understand and do. I had actually typed up this as a
    "guess", but then erased it thinking it might need something more
    complicated.

    As an even simpler example, if you only have *two* computers, you can
    connect them directly to each other, without needing a switch/hub.
    Back in the olden days (before gigabit ethernet adapters), you would
    have needed a special crossover ethernet cable for this. Now, on modern
    devices, you should be able to use a regular ethernet cable.

    I have an extra switch sitting on the shelf, so I'm good.

    Thanks to all for the continuing help.

    Rick


    If you implement the static-IP network idea, you may want to add entries
    to hosts(5) -- so that you can use names, rather than IP addresses, to
    identify hosts.


    David

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
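    The static-address segment Greg describes and the hosts(5) entries David
    suggests, written out as an added POSIX shell example that is not part of
    the thread: it renders a gateway-less ifupdown stanza and hosts(5) lines
    for the isolated segment, checks that every address is non-routable, and
    checks an `ip route` listing for a default route, which an isolated
    segment must not have. The interface name `lab0` and the host names and
    addresses are made-up sample values.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for an isolated lab
# segment: a suspect host on it must have no path off the segment, so the
# stanza carries no 'gateway' and no 'dns-nameservers' line.

# Print an /etc/network/interfaces stanza for a static address with no
# gateway. Usage: iface_stanza IFACE ADDRESS/PREFIX
iface_stanza() {
    printf 'auto %s\niface %s inet static\n    address %s\n' "$1" "$1" "$2"
}

# Read "name address" pairs from stdin and print hosts(5) lines
# ("address<TAB>name"), skipping blank input lines.
hosts_entries() {
    while read -r name addr; do
        [ -n "$name" ] && printf '%s\t%s\n' "$addr" "$name"
    done
}

# Return 0 if the IPv4 address lies in an RFC 1918 private range
# (10/8, 172.16/12, 192.168/16), 1 otherwise.
is_private_ipv4() {
    case "$1" in
        10.*)                                  return 0 ;;
        192.168.*)                             return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Return 0 if the routing-table text (as printed by 'ip route') contains
# no default route, i.e. the host cannot reach anything off the segment.
no_default_route() {
    ! printf '%s\n' "$1" | grep -q '^default '
}

# Constructed sample: the suspect server and one Kodi box on the segment
# (interface name 'lab0' and these addresses are hypothetical).
SAMPLE_HOSTS='server 192.168.1.10
kodi1 192.168.1.11'

main() {
    iface_stanza lab0 192.168.1.10/24
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_entries
    printf '%s\n' "$SAMPLE_HOSTS" | while read -r name addr; do
        is_private_ipv4 "$addr" || printf 'WARNING: %s is routable\n' "$addr"
    done
    no_default_route "$(ip route 2>/dev/null)" || echo 'WARNING: default route'
}
[ "${0##*/}" = "isolated-lab.sh" ] && main
```

    Run it with the file named `isolated-lab.sh` to print the stanza and
    hosts(5) lines and to warn if the running host still has a default route.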