So today I received an abuse email from hetzner with logs of my server's IP scanning for port 22 on the 192.168.x.x IP range.
Problem, the only stuff that we changed is adding a Minecraft plugin and after decompiling it nothing looks out of place.
The suspicious activity also looks like it stopped during the night, but I now have no idea where it could come from.
I tried to look up packets with wireshark but didn't find anything of use.
Does anyone have an idea to fix this ?
So right now all of my services are down, all my webservers, Minecraft proxy and server.
Nothing is running right now until I find the cause.
Found the issue, a miner got launched on the server, currently looking at reversing all the stack.
And rn there is an irc server used to get hooks.
IRC server looks down, smh
Ok figured out everything.
I know the name of the botnet, the infos, how it works, have a backup of everything (syslogs and home directory of the miner).
I might go to the police with all of those infos, even though i don't think they can do much.
@huntears wut howd they get in
@lamp I will post about it later today, it's not that great and mostly my fault
I was thinking of catching every outgoing packets to port 22 and log the process responsible for it, but I don't know how to do it, don't know if it is possible, and don't know if this is a good idea.