well fun morning, server from friends got epic haxored so i did forensics from my phone, in bed
and slightly more in-depth writeup, https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/
the 'c' component is actually what alerted us, with abuse email sent from another provider 'hey pls stop bruteforcing our hosts'
the kswapd0 thing is pretty smart, as all the results for 'kswapd0 high cpu' (which you would be seeing) are non-malicious explanations like
https://askubuntu.com/questions/259739/kswapd0-is-taking-a-lot-of-cpu
- ssh with password auth enabled
- ssh'd into minecraft user with apparently weak password
- deployed payload, consisting of an irc c&c, and a monero miner disguised as 'kswapd0'
by far not the only ones, for example http://blog.alvarezp.org/2020/06/18/my-laptop-was-broken-into/
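
Added example, not part of the original thread: a check for the 'kswapd0' disguise described above. It assumes Linux's `/proc/<pid>/stat` layout and the kernel's `PF_KTHREAD` task flag, which a userland process cannot set on itself; the function names and the sample stat lines are constructed for illustration.

```python
import os

PF_KTHREAD = 0x00200000  # task flag the kernel sets only on its own threads

def parse_stat(text):
    """Parse /proc/<pid>/stat; comm is parenthesised and may contain spaces."""
    lp, rp = text.index("("), text.rindex(")")
    rest = text[rp + 2:].split()  # rest[0]=state, rest[1]=ppid, rest[6]=flags
    return {"pid": int(text[:lp]), "comm": text[lp + 1:rp],
            "ppid": int(rest[1]), "flags": int(rest[6])}

def is_masquerade(proc, cmdline=b"", names=("kswapd0",)):
    """True if a process uses a kernel-thread name but is a userland task."""
    argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
    claimed = {proc["comm"], os.path.basename(argv0).strip("[]")}
    return bool(claimed & set(names)) and not proc["flags"] & PF_KTHREAD

def scan(root="/proc"):
    """Walk a live /proc and return details of masquerading processes."""
    hits = []
    for entry in filter(str.isdigit, os.listdir(root)):
        base = os.path.join(root, entry)
        try:
            with open(os.path.join(base, "stat"), errors="replace") as f:
                proc = parse_stat(f.read())
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            proc["uid"] = os.stat(base).st_uid  # owning account
        except OSError:
            continue  # process exited while we were reading
        if is_masquerade(proc, cmdline):
            try:
                proc["exe"] = os.readlink(os.path.join(base, "exe"))
            except OSError:
                proc["exe"] = None  # needs root for other users' processes
            hits.append(proc)
    return hits

# Constructed sample stat lines (truncated to the fields parsed above).
REAL = "45 (kswapd0) S 2 0 0 0 -1 2129984 0 0"           # kernel thread
FAKE = "3121 (kswapd0) S 1 3121 3121 0 -1 4194304 812 0"  # userland binary

if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

A hit's `uid` and `exe` point at the account and the on-disk file to examine; the real kswapd0 has parent PID 2 (kthreadd) and no executable path.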