So today I received an abuse email from hetzner with logs of my server's IP scanning for port 22 on the 192.168.x.x IP range.
Problem, the only stuff that we changed is adding a Minecraft plugin and after decompiling it nothing looks out of place.
The suspicious activity also looks like it stopped during the night, but I now have no idea where it could come from.
I tried to look up packets with wireshark but didn't find anything of use.
Does anyone have an idea to fix this ?

I was thinking of catching every outgoing packets to port 22 and log the process responsible for it, but I don't know how to do it, don't know if it is possible, and don't know if this is a good idea.

So right now all of my services are down, all my webservers, Minecraft proxy and server.
Nothing is running right now until I find the cause.

Found the issue, a miner got launched on the server, currently looking at reversing all the stack.
And rn there is an irc server used to get hooks.

Follow

Ok figured out everything.
I know the name of the botnet, the infos, how it works, have a backup of everything (syslogs and home directory of the miner).
I might go to the police with all of those infos, even though i don't think they can do much.

@lamp I will post about it later today, it's not that great and mostly my fault

Sign in to participate in the conversation
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.