Subj : Ubuntu, Crypto Malware
To   : Digital Man
From : Android8675
Date : Wed Nov 30 2022 08:27 am

 Re: Ubuntu, Crypto Malware
 By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am

> Re: Ubuntu, Crypto Malware
> By: Android8675 to All on Tue Nov 15 2022 07:51 am

> > Hey all, anyone have any experience with crypto infected Linux systems?

> > So, before I do that I thought I might see if there's anyone who's had
> > experience with this sort of thing who might be willing to take a peek?

> I was running a version of GitLab (a year ago?) that had an exploit
> published and I was vulnerable for about 24 hours before upgrading to a fixe

Is there a simple way to clean out the /tmp folder in Linux, for us phlebs? /var/log folder getting kindda rhobust too)

So I could not for the life of me figure out where the exploit was on my system
until I watched the process carefully. I could kill the process easily enough (sudo top), but it would fire up again within 10-15 minutes. So I watched it fire up and the process information mentioned port 1812 somewhere, and I looked up port 1812 which has something to do with RADIUS authentication?

So I blocked the port on the system and the malware hasn't started up since. I could only guess that the app was being run from a cloud drive somewhere using RADIUS to execute the code locally. I've no idea how that works, and I stopped just after because I was tired, but the problem hasn't returned so I'm OK just keeping that port blocked until I can figure out how/why it's happening.

I might be OK without RADIUS, at least for now. I checked my router settings to make sure no erronious ports were open to the system (originally I had the system on the DMZ, but I figured now would be a good time to lock that down).

At any rate, at least I didn't have to reinstall everything, but at some point I need to update to 22LTS. Something for another day.
--
[email protected] r g

... Do you know what kind of game this is?

---
� Synchronet � .:  realitycheckbbs.org  ::  scientia potentia est  :.

You are viewing proxied material from bbs.kd3.us. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.