Subj : Ubuntu, Crypto Malware
To   : Android8675
From : Digital Man
Date : Tue Nov 15 2022 11:51 am

 Re: Ubuntu, Crypto Malware
 By: Android8675 to All on Tue Nov 15 2022 07:51 am

> Hey all, anyone have any experience with crypto infected Linux systems? My
> box that I use has mxrig running, and I've no idea how it got there, where
> it's hiding, or how to get it off my system. Speculating that it could be
> some rootkit bologna, and there's vague suggestions on the googles as to how
> to get it off my system without "nuking it from orbit".
>
> So, before I do that I thought I might see if there's anyone who's had
> experience with this sort of thing who might be willing to take a peek? Drop
> me a note at andyob [at] gmail.com if you've had some experience. I got the
> thing backed up, so I'm ok with letting you pop-on and see if you can work
> some magic.

I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixed GitLab version. During those 24 hours, a crypto miner (I forget the name) was installed and it was pretty obvious from the impact on CPU utilization. I found and killed the process manually and deleted the maliciously-installed files (in the /tmp dir, iirc). Tools like ps, top, netstat should help you find the culprit process(es) and get rid of them, but it is important that you find and remove (or update/patch) the software with the original vulnerability that was used to install the crypto miner in the first place.
--
                                           digital man (rob)

Rush quote #57:
He picks up scraps of information, he's adept at adaptation .. Digital Man
Norco, CA WX: 68.5°F, 21.0% humidity, 0 mph NE wind, 0.00 inches rain/24hrs

---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
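
One way to script the process hunt suggested in the reply above, as an added example that is not part of the original message: it walks /proc and lists processes whose binary sits in a temp directory (where the reply's miner files were found) or has been deleted from disk while still running. The function names, the extra /var/tmp and /dev/shm locations, the deleted-binary check and the three sample processes are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: list processes whose executable lives in a temp directory
# or was deleted from disk after start.
# Output per hit: PID <tab> reason <tab> exe path <tab> command line
scan_proc() {
  local root=${1:-/proc} d exe reason cmd
  for d in "$root"/[0-9]*; do
    # /proc/PID/exe is the kernel's link to the running binary, independent
    # of the argv[0] name a process chooses to display in ps/top.
    exe=$(readlink "$d/exe" 2>/dev/null) || continue  # kernel thread or no permission
    case "$exe" in
      *' (deleted)')                reason=deleted-binary ;;
      /tmp/*|/var/tmp/*|/dev/shm/*) reason=temp-dir-binary ;;
      *) continue ;;
    esac
    cmd=$(tr '\0' ' ' 2>/dev/null < "$d/cmdline") || cmd='?'
    printf '%s\t%s\t%s\t%s\n' "${d##*/}" "$reason" "$exe" "$cmd"
  done
}

# Constructed sample: a fake /proc tree with three made-up processes.
make_sample() {
  local root=$1
  mkdir -p "$root/101" "$root/202" "$root/303"
  ln -s /usr/sbin/sshd "$root/101/exe"
  printf 'sshd\0-D\0' > "$root/101/cmdline"
  ln -s /tmp/.cache/miner "$root/202/exe"          # binary dropped in /tmp
  printf '[kworker/0:1]\0' > "$root/202/cmdline"   # displayed name is misleading
  ln -s '/usr/bin/updater (deleted)' "$root/303/exe"
  printf 'updater\0' > "$root/303/cmdline"
}

# Demo on the constructed tree. On a real host, run "scan_proc /proc" as root
# so that other users' exe links are readable.
sample=$(mktemp -d)
make_sample "$sample"
scan_proc "$sample"
rm -rf "$sample"
```

A hit is a lead to check with ps, top and netstat, not proof of compromise: a legitimate program also shows as deleted after its package has been upgraded underneath it.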