#JeRecrute Hiring for a permanent position (CDI): system administrator/SRE, PCI-DSS environment, python/mysql, linux/bsd
Ok figured out everything.
I know the name of the botnet, the info, how it works, and have a backup of everything (syslogs and the home directory of the miner).
I might go to the police with all of that info, even though I don't think they can do much.
IRC server looks down, smh
Found the issue, a miner got launched on the server, currently looking at reversing all the stack.
And rn there is an IRC server used to get hooks.
So right now all of my services are down, all my webservers, Minecraft proxy and server.
Nothing is running right now until I find the cause.
I was thinking of catching every outgoing packet to port 22 and logging the process responsible for it, but I don't know how to do it, don't know if it is possible, and don't know if this is a good idea.
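One way to answer the question in the post above without touching packets at all: ask the kernel which process owns each outbound socket. The script below is an added example, not code from the original thread. It parses the output of `ss -tnp` (iproute2), keeps connections whose peer port is 22, counts them per process, and flags any process that is reaching several distinct hosts on that port, which is what an outbound scan looks like from inside the box. The `ss` rows, process names and addresses in `SAMPLE_SS` are constructed for illustration; `live_hits()` runs the real command and needs root, because `-p` only shows sockets owned by the calling user otherwise.

```python
"""Attribute outbound TCP connections to port 22 to the owning process.

Added example for the question above, not code from the original thread.
Parses `ss -tnp` output (iproute2); the sample rows below are constructed.
"""
import re
import subprocess
from collections import Counter, defaultdict

# One `ss -tnp` row: State Recv-Q Send-Q Local:Port Peer:Port [users:(...)]
SS_ROW = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r"(?:\s+users:\((?P<users>.*)\))?\s*$"
)
# One ("name",pid=N,fd=M) entry inside the users:(...) field
PROC_ENTRY = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def split_host_port(addr):
    """Split '1.2.3.4:22' or '[2001:db8::9]:22' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(lines, dst_port=22):
    """Return one dict per connection whose peer port is dst_port."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("State"):
            continue  # blank line or header row
        m = SS_ROW.match(line)
        if not m:
            continue
        peer_host, peer_port = split_host_port(m.group("peer"))
        if peer_port != dst_port:
            continue
        procs = [(name, int(pid))
                 for name, pid in PROC_ENTRY.findall(m.group("users") or "")]
        hits.append({"state": m.group("state"), "peer": peer_host, "procs": procs})
    return hits


def by_process(hits):
    """Count port-22 connections per (process name, pid)."""
    return Counter(p for h in hits for p in h["procs"])


def scan_suspects(hits, min_peers=2):
    """Processes talking to at least min_peers distinct hosts on the port.
    An interactive ssh client talks to one host; a scanner talks to many."""
    peers = defaultdict(set)
    for h in hits:
        for proc in h["procs"]:
            peers[proc].add(h["peer"])
    return {proc: sorted(hosts) for proc, hosts in peers.items()
            if len(hosts) >= min_peers}


def live_hits(dst_port=22):
    """Run ss on this host (Linux with iproute2); -H drops the header row."""
    out = subprocess.run(["ss", "-H", "-tnp"], capture_output=True,
                         text=True, check=True).stdout
    return parse_ss(out.splitlines(), dst_port)


# Constructed sample of `ss -tnp` output; processes and addresses are invented.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB    0      0      10.0.0.5:51112       203.0.113.7:443     users:(("firefox",pid=2001,fd=77))
ESTAB    0      0      10.0.0.5:51200       192.168.4.17:22     users:(("ssh",pid=2100,fd=3))
SYN-SENT 0      1      10.0.0.5:51201       192.168.4.18:22     users:(("odd-helper",pid=3117,fd=5))
SYN-SENT 0      1      10.0.0.5:51202       192.168.4.19:22     users:(("odd-helper",pid=3117,fd=6))
SYN-SENT 0      1      10.0.0.5:51203       192.168.4.20:22     users:(("odd-helper",pid=3117,fd=7))
ESTAB    0      0      [2001:db8::5]:51300  [2001:db8::9]:22    users:(("rsync",pid=2200,fd=4))
"""

if __name__ == "__main__":
    hits = parse_ss(SAMPLE_SS.splitlines())
    for (name, pid), n in by_process(hits).most_common():
        print(f"{name} (pid {pid}): {n} connection(s) to port 22")
    for (name, pid), hosts in scan_suspects(hits).items():
        print(f"SUSPECT {name} pid {pid} -> {len(hosts)} hosts: {', '.join(hosts)}")
```

Run it in a loop (or from cron) and append the output to a file on a separate volume; a scanner opens and drops sockets quickly, so a single snapshot can miss it, but a pid that keeps showing up in SYN-SENT towards new hosts on port 22 is the process to look at with `ls -l /proc/<pid>/exe` and `cat /proc/<pid>/cmdline`.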
So today I received an abuse email from Hetzner with logs of my server's IP scanning for port 22 on the 192.168.x.x IP range.
Problem: the only thing we changed was adding a Minecraft plugin, and after decompiling it nothing looks out of place.
The suspicious activity also looks like it stopped during the night, but I now have no idea where it could come from.
I tried to look at packets with Wireshark but didn't find anything of use.
Does anyone have an idea how to fix this?
Everything that @rudolf said is true, but there are a bunch of caveats that I think need to be mentioned.
First, dd itself. Feel free to search for this, but dd is basically unnecessary for this operation: you can do cat > /dev/sdX and that will work just as well, and usually much faster. The only reason for dd is essentially historical.
But that's not really important, what's important is that disks aren't really disks anymore...
SourceHut and Drew Devault are doing a great job for free and open source software and this post is only a small example of their work:
Dear Linux desktop apps, you have full authorization to create a folder in my ~/.config directory, you are even invited to stuff your data in my ~/.local/share directory, and let's not forget about that ~/.cache y'all! Wunderbar! Much freedom!
So, now, please repeat after me:
👏 I 👏 SHALL 👏 NOT 👏 MAKE 👏 A 👏 FOLDER 👏 IN 👏 YOUR 👏 HOME 👏 DIRECTORY 👏
Thank you kindly
Every day I wake up, there is a #nodejs supply chain attack. 🤦♂️
[ #webdev ]
19 | Python/C/Haskell
Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.