Post ALtWL1drOd6CGfgFQu by huntears@fosstodon.org
 (DIR) Post #ALtWKzX3EySpiyTmXg by huntears@fosstodon.org
       2022-07-25T06:26:22Z
       
       0 likes, 0 repeats
       
       So today I received an abuse email from hetzner with logs of my server's IP scanning for port 22 on the 192.168.x.x IP range. Problem, the only stuff that we changed is adding a Minecraft plugin and after decompiling it nothing looks out of place. The suspicious activity also looks like it stopped during the night, but I now have no idea where it could come from. I tried to look up packets with wireshark but didn't find anything of use. Does anyone have an idea to fix this?
       
 (DIR) Post #ALtWL0GQWGlBzhi1Gi by huntears@fosstodon.org
       2022-07-25T06:27:19Z
       
       0 likes, 0 repeats
       
       I was thinking of catching every outgoing packet to port 22 and logging the process responsible for it, but I don't know how to do it, don't know if it is possible, and don't know if this is a good idea.
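The attribution the post is asking about is possible on Linux without any packet capture: the kernel's `/proc/net/tcp` table lists every TCP socket with its remote address, state and socket inode, and `/proc/<pid>/fd` links each inode back to the process that owns it. The script below is an added example (not code from the thread or its author) that does exactly that for connections to port 22. It runs against a constructed `/proc/net/tcp` excerpt and a constructed inode-to-PID map so it works offline; the `__main__` block reads the live kernel tables instead and needs root to see other processes' file descriptors.

```python
"""Attribute outbound TCP connections to port 22 to the owning process.

Added example, not part of the original thread. Parses the /proc/net/tcp
format Linux exposes and maps the socket inode to a PID via /proc/<pid>/fd.
"""
import os
import re
import socket
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in /proc/net/tcp format (host-order hex IPv4 + hex port).
# Socket 0: ESTABLISHED to 192.168.1.10:22, socket 1: SYN_SENT to
# 192.168.2.5:22 (the scanning pattern), socket 2: unrelated HTTPS connection.
SAMPLE_TCP_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 0A01A8C0:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:0278 0502A8C0:0016 02 00000001:00000000 01:00000041 00000000  1000        0 12346 2 0000000000000000 20 4 0 10 -1
   2: 0100007F:0279 0101A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode -> PID map standing in for a live /proc/<pid>/fd scan.
SAMPLE_INODE_PID = {12345: 4242, 12346: 4242, 12347: 777}

TCP_STATES = {
    1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
    5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
    9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING",
}


class Sock(NamedTuple):
    local: str
    lport: int
    remote: str
    rport: int
    state: str
    inode: int


def _decode_addr(field: str) -> Tuple[str, int]:
    """'0A01A8C0:0016' -> ('192.168.1.10', 22).

    /proc/net/tcp prints the IPv4 address as a host-order u32; on the
    little-endian hosts this example targets, packing it back with '<I'
    recovers the network-order bytes that inet_ntoa expects.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_tcp_table(text: str) -> List[Sock]:
    """Parse the /proc/net/tcp text into Sock records, skipping the header."""
    socks = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 10 or cols[0] == "sl":
            continue
        local, lport = _decode_addr(cols[1])
        remote, rport = _decode_addr(cols[2])
        state = TCP_STATES.get(int(cols[3], 16), cols[3])
        socks.append(Sock(local, lport, remote, rport, state, int(cols[9])))
    return socks


def inode_to_pid_map() -> Dict[int, int]:
    """Scan /proc/<pid>/fd for 'socket:[inode]' links (root sees all processes)."""
    mapping: Dict[int, int] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process exited or fd table not readable
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                mapping[int(m.group(1))] = int(pid)
    return mapping


def attribute_connections(socks: List[Sock], inode_pid: Dict[int, int],
                          port: int = 22) -> List[Tuple[Optional[int], str, int, str]]:
    """Return (pid, remote_ip, remote_port, state) for sockets talking to `port`."""
    return [(inode_pid.get(s.inode), s.remote, s.rport, s.state)
            for s in socks if s.rport == port]


def process_name(pid: Optional[int]) -> str:
    """Best-effort process name from /proc/<pid>/comm."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except (OSError, TypeError):
        return "?"


def demo() -> List[Tuple[Optional[int], str, int, str]]:
    """Run the attribution over the constructed sample data."""
    return attribute_connections(parse_tcp_table(SAMPLE_TCP_TABLE), SAMPLE_INODE_PID)


if __name__ == "__main__":
    # Live mode: read the real kernel table and fd links (run as root).
    with open("/proc/net/tcp") as f:
        live = parse_tcp_table(f.read())
    for pid, rip, rport, state in attribute_connections(live, inode_to_pid_map()):
        print(f"pid={pid} ({process_name(pid)}) -> {rip}:{rport} {state}")
```

A port scan opens and drops sockets quickly, so a single snapshot can miss them; run the live mode in a tight loop, or use the kernel to do the recording for you: `ss -tnp 'dport = :22'` gives the same view with process names, and an auditd rule on the `connect` syscall (`auditctl -a always,exit -F arch=b64 -S connect -k outbound`) logs every attempt with its PID and executable even after the socket is gone. This example only reads `/proc/net/tcp`; IPv6 connections live in `/proc/net/tcp6` with a wider address field.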
       
 (DIR) Post #ALtWL0lceHiJYSIvtQ by huntears@fosstodon.org
       2022-07-25T06:29:17Z
       
       0 likes, 0 repeats
       
       So right now all of my services are down, all my webservers, Minecraft proxy and server. Nothing is running right now until I find the cause.
       
 (DIR) Post #ALtWL1BV64PiqiPbEG by huntears@fosstodon.org
       2022-07-25T08:14:59Z
       
       0 likes, 0 repeats
       
       Found the issue, a miner got launched on the server, currently looking at reversing all the stack. And rn there is an irc server used to get hooks.
       
 (DIR) Post #ALtWL1drOd6CGfgFQu by huntears@fosstodon.org
       2022-07-25T08:20:53Z
       
       0 likes, 0 repeats
       
       IRC server looks down, smh
       
 (DIR) Post #ALtWL28hXxljoK6sVM by huntears@fosstodon.org
       2022-07-25T08:54:37Z
       
       0 likes, 0 repeats
       
       Ok figured out everything. I know the name of the botnet, the infos, how it works, have a backup of everything (syslogs and home directory of the miner). I might go to the police with all of those infos, even though I don't think they can do much.
       
 (DIR) Post #ALtWL2cTlFaXIg2ev2 by lamp@mastodong.lol
       2022-07-26T20:28:18Z
       
       0 likes, 0 repeats
       
       @huntears wut howd they get in
       
 (DIR) Post #ALww2bUOIc9fsY2lsW by huntears@fosstodon.org
       2022-07-28T12:00:25Z
       
       0 likes, 0 repeats
       
       @lamp I will post about it later today, it's not that great and mostly my fault