- ssh with password auth enabled
- ssh'd into minecraft user with apparently weak password
- deployed payload, consisting of an irc c&c, and a monero miner disguised as 'kswapd0'
by far not the only ones, for example http://blog.alvarezp.org/2020/06/18/my-laptop-was-broken-into/
the kswapd0 thing is pretty smart, as all the results for 'kswapd0 high cpu' (which you would be seeing) are non-malicious explanations like
https://askubuntu.com/questions/259739/kswapd0-is-taking-a-lot-of-cpu
and a slightly more in-depth writeup: https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/
the 'c' component is actually what alerted us, with an abuse email sent from another provider: 'hey pls stop bruteforcing our hosts'
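The kswapd0 disguise relies on the name alone, and the name is checkable: the kernel's real kswapd0 is a kernel thread, so it has kthreadd (PID 2) as its parent, an empty /proc/PID/cmdline and no /proc/PID/exe to resolve, while a miner is an ordinary user-space process backed by a file on disk. The script below is an added example, not code from the post or from the linked writeups; it classifies processes by those properties and runs over a constructed sample (the PIDs and the miner path in it are made up) as well as the live /proc tree when one is available. Read /proc as root, otherwise the exe link of other users' processes is unreadable and shows up as None.

```python
"""Detect user-space processes impersonating the kernel's kswapd* threads."""
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcInfo:
    pid: int
    comm: str            # Name: field of /proc/<pid>/status (truncated to 15 chars)
    ppid: int
    exe: Optional[str]   # target of /proc/<pid>/exe, None when it does not resolve
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces


def is_suspicious(p: ProcInfo) -> bool:
    """True when a process carries a kswapd* name but is not a kernel thread.

    A genuine kernel thread has kthreadd (PID 2) as parent, an empty cmdline
    and no executable on disk. Anything else using the name is impersonating it.
    """
    if not p.comm.startswith("kswapd"):
        return False
    looks_like_kernel_thread = p.ppid == 2 and p.exe is None and p.cmdline == ""
    return not looks_like_kernel_thread


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from the live /proc entry, or None if it vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        comm = fields["Name"].strip()
        ppid = int(fields["PPid"].strip())
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        try:
            exe = os.readlink(f"{base}/exe")   # ENOENT for kernel threads, EACCES without privilege
        except OSError:
            exe = None
    except (OSError, KeyError, ValueError):
        return None
    return ProcInfo(pid, comm, ppid, exe, cmdline)


def scan(procs: List[ProcInfo]) -> List[ProcInfo]:
    """Return the impostors among an already-collected list of processes."""
    return [p for p in procs if is_suspicious(p)]


def scan_live() -> List[ProcInfo]:
    """Walk /proc on this host and return impostors (empty on non-Linux systems)."""
    if not os.path.isdir("/proc"):
        return []
    procs = [info for name in os.listdir("/proc") if name.isdigit()
             for info in [read_proc(int(name))] if info is not None]
    return scan(procs)


# Constructed sample (not captured from the incident): the real kthreadd and
# kswapd0, init, and a miner that named itself kswapd0 but runs from a home dir.
SAMPLE = [
    ProcInfo(2, "kthreadd", 0, None, ""),
    ProcInfo(45, "kswapd0", 2, None, ""),
    ProcInfo(1, "systemd", 0, "/usr/lib/systemd/systemd", "/sbin/init"),
    ProcInfo(3122, "kswapd0", 1, "/home/minecraft/.hidden/kswapd0", "./kswapd0 -c config.json"),
]

if __name__ == "__main__":
    for p in scan(SAMPLE) + scan_live():
        print(f"SUSPICIOUS pid={p.pid} comm={p.comm} ppid={p.ppid} exe={p.exe} cmdline={p.cmdline!r}")
```

The same idea works for other kernel-thread names the askubuntu answers teach people to ignore; only the `startswith` test needs widening. Pair it with `PasswordAuthentication no` in sshd_config, since the entry point here was the password, not the disguise.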