=> Midnight Pub
=> ~tetris
I normally don't post this often, but I found that my main work machine has been hacked for two weeks now.
I had a remote login user that I'd give out to others. It was a restricted shell "bash -r", so it couldn't traverse directories, but it definitely could upload/download resources to the internet and scan some directories.
I'm not too sure. I saw high usage of "kswapd" with all cores at 100% usage, and the user had copied over a ".configrc4" directory which contained a local rsync and tor binary. Tor was running quite hot, and rsync was transmitting a lot too.
No idea what exactly. I pulled the ethernet, purged the account and killed anything I didn't recognize. I wish I had acted a bit smarter and actually checked what was happening. I think they were crypto mining? Not sure what would require 400% CPU and large rsync activity.
So once I'd calmed down, I took a look through the logs.
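Added example, not part of ~tetris's post: a small POSIX sh triage script for the situation described above, meant to be run before the cable is pulled and before anything is killed, because the socket table and the running binaries are the evidence that disappears first. It assumes only the indicators the post mentions (a hidden `.configrc*`-style directory holding tor/rsync binaries in a home directory, and a hot process calling itself "kswapd"); the function names, output format and evidence directory layout are my own. One caveat worth stating plainly: `bash -r` only restricts the shell's own builtins (cd, PATH changes, redirections), and any program the user can run that spawns a subprocess hands them an unrestricted shell, so an rbash account should be triaged as a full shell account.

```shell
#!/bin/sh
# Added triage example, not code from the original post. It assumes the
# indicators described there: a hidden ".configrc*"-style directory holding
# tor/rsync binaries in a user's home, and a hot process calling itself
# "kswapd". Nothing here kills or deletes anything; run it before pulling
# the cable so the network state is still there to record.

# 1. Hidden directories holding executables. Walks the given roots, finds
#    every dot-directory, and reports those with an executable regular file
#    up to two levels down. Output: "<dir>: <file> <file> ..." per hit.
find_hidden_exec_dirs() {
    find "$@" -type d -name '.*' 2>/dev/null | while read -r d; do
        execs=$(find "$d" -maxdepth 2 -type f -perm -100 2>/dev/null | tr '\n' ' ')
        if [ -n "$execs" ]; then
            printf '%s: %s\n' "$d" "$execs"
        fi
    done
    return 0
}

# 2. User-space processes named like kernel threads. A real kernel thread
#    (kswapd0, kthreadd, kworker/*, ...) has no executable image, so
#    readlink on /proc/PID/exe fails; a miner that named itself "kswapd"
#    resolves to a file on disk. The proc root is a parameter so the check
#    can be pointed at a constructed tree. Output: "<pid> <comm> <exe>".
find_fake_kernel_threads() {
    proc=${1:-/proc}
    for p in "$proc"/[0-9]*; do
        [ -r "$p/comm" ] || continue
        name=$(cat "$p/comm")
        case "$name" in
            kswapd*|kthreadd|kworker*|ksoftirqd*|migration*|rcu_*) ;;
            *) continue ;;
        esac
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if [ -n "$exe" ]; then
            printf '%s %s %s\n' "${p##*/}" "$name" "$exe"
        fi
    done
    return 0
}

# 3. Volatile-evidence snapshot into OUTDIR: process list, sockets with
#    peer addresses and owning PIDs, per-user crontabs, login history, the
#    two scans above, and a copy of each suspect binary taken through
#    /proc/PID/exe (works even if the file on disk was already unlinked).
#    Tools that are missing or need root just leave a note in the file.
snapshot_volatile() {
    out=$1
    proc=${2:-/proc}
    mkdir -p "$out"
    date -u > "$out/taken_at"
    ps -eo pid,ppid,user,pcpu,etime,comm,args > "$out/ps.txt" 2>&1 || true
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$out/sockets.txt" 2>&1 || true
    else
        echo "ss not available" > "$out/sockets.txt"
    fi
    for u in $(cut -d: -f1 /etc/passwd 2>/dev/null); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"   # other users need root
    done > "$out/crontabs.txt"
    if command -v last >/dev/null 2>&1; then
        last -F > "$out/logins.txt" 2>&1 || true
    fi
    find_hidden_exec_dirs /home /root /tmp /var/tmp > "$out/hidden_exec_dirs.txt"
    find_fake_kernel_threads "$proc" > "$out/fake_kernel_threads.txt"
    while read -r pid name exe; do
        cp "$proc/$pid/exe" "$out/bin_${pid}_$name" 2>/dev/null || true
    done < "$out/fake_kernel_threads.txt"
    return 0
}

# Usage on the live box, as root, before any cleanup:
#   sh triage.sh /root/ir-evidence
if [ $# -gt 0 ]; then
    snapshot_volatile "$1"
fi
```

The order matters: `ss -tunap` records the tor and rsync peers (and which PID owns each socket) only while the cable is still in, and copying the binaries via `/proc/PID/exe` still works after the dropper directory has been removed, but not after the process is dead. The kernel-thread check is deliberately read-only; a user-owned process that calls itself `kswapd0` and has a resolvable exe is a strong sign of a miner, while the real `kswapd0` has PPID 2 and no image.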