[PLUG] malware cont'd

jeff on 17 Jan 2019 21:10:44 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] malware cont'd

From: jeff <jeffv@op.net>
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Subject: [PLUG] malware cont'd
Date: Fri, 18 Jan 2019 00:10:39 -0500
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1

took me a while to make sure I was firewalled correctly (logs show itkeeps trying different ranges). They were all stopped at SYN. Back tofinding the source, I checked PROC/pid and found a bizarre assortment ofzero byte files, symlinks, and recursive dirs, not to mention a 29gmirror of my HOME dir. Could not find anything that called it intoexistence in these dirs. (Thanks, Michael)

pstree(?) showed the fake processes came directly from systemd - toplevel. Is there a way to tshoot from there? Can't find it in logs.

Tomorrow it's a new install and lighting a candle to the FlyingSpaghetti Monster to make sure my data is clean.


Tks.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Prev by Date: Re: [PLUG] Oracle... from the Reg
Next by Date: [PLUG] Random drops and throttling
Previous by thread: Re: [PLUG] Oracle... from the Reg
Next by thread: [PLUG] Random drops and throttling
Index(es):
- Date
- Thread