
Re: Linux machine hit by ransomware



> On Sun 06 Jul 2025 at 22:55:22 (-0400), Rick Macdonald wrote:

> After running Debian for nearly 30 years (and other distros prior to that),
> my Linux server was hit by a ransomware attack about 11 days ago.
> I have backups, so nothing important has been lost at this point.

  That's the most important thing.

> However, I can't figure out how it got in, how it works, if there are
> executables on my computer that need to be cleaned, etc.

  You should consider the entire system compromised beyond repair.  Nuke and
  pave -- do a complete reinstall from scratch, restore from a known good
  backup, and re-enable services one at a time.

  Do you use a separate server for your logfiles?  Unfortunately the ones
  you currently have are no longer trustworthy, so when you restore your box,
  I'd recommend setting up a separate logserver that accepts two things:

  * forwarded logs from your other boxes, and
  * a local-only SSH or console login so you can see the logs.

  I don't know the attack method, but I'd suspect smb first.  That's why
  good logs are essential.

-- 
Karl Vogel                      I don't speak for anyone but myself

Running on coffee and spite, supplies getting low.
                            --Project status seen on Reddit, 2 Jul 2025
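An added example of the log-server layout Karl recommends (forwarded logs in, SSH reachable only from one management address): it is not part of the thread and not Karl's configuration. It assumes rsyslog 8 (RainerScript syntax) on both ends and an OpenSSH that reads /etc/ssh/sshd_config.d/; the addresses 192.0.2.10 (log server), 192.0.2.2 (management host) and the 514/tcp port are assumed values for illustration. Run without arguments it prints the three config fragments; `write_configs DIR` stages them under DIR for copying into place.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the config for a
# dedicated log server: the other boxes forward everything to it, it writes
# one file per sending host and program, and its sshd only answers one
# management address. Addresses, port and user name are assumed values.
set -eu

LOGSERVER_ADDR="192.0.2.10"   # assumed: address of the log server
MGMT_ADDR="192.0.2.2"         # assumed: the one host allowed to SSH in
LOG_ADMIN="logadmin"          # assumed: unprivileged account that reads logs

# Client side (every monitored box): forward all facilities over TCP and
# spool to disk while the log server is unreachable, so a reboot or a
# network blip does not silently drop lines. Plain TCP is fine on a
# private LAN; across anything else wrap it in TLS (omfwd StreamDriver).
client_forward_conf() {
  cat <<EOF
# /etc/rsyslog.d/10-forward.conf (on each monitored box)
*.* action(type="omfwd" target="${LOGSERVER_ADDR}" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwdq"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Server side: accept TCP syslog and write /var/log/remote/<host>/<program>.log.
# A compromised sender can only append to its own files here; it cannot
# rewrite or delete what the log server has already stored.
server_receive_conf() {
  cat <<EOF
# /etc/rsyslog.d/10-receive.conf (on the log server)
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="remote") {
  action(type="omfile" dynaFile="PerHost"
         dirCreateMode="0750" fileCreateMode="0640")
}
EOF
}

# Server side: sshd listens only on the log server's own address and admits
# one key-authenticated user from the management host; console login
# remains the fallback if that host is ever unavailable.
sshd_local_only_conf() {
  cat <<EOF
# /etc/ssh/sshd_config.d/10-local-only.conf (on the log server)
ListenAddress ${LOGSERVER_ADDR}
AllowUsers ${LOG_ADMIN}@${MGMT_ADDR}
PasswordAuthentication no
PermitRootLogin no
EOF
}

# Stage all three fragments under DIR, mirroring their /etc layout.
write_configs() {
  dir="$1"
  mkdir -p "$dir/rsyslog.d" "$dir/sshd_config.d"
  client_forward_conf  > "$dir/rsyslog.d/10-forward.conf"
  server_receive_conf  > "$dir/rsyslog.d/10-receive.conf"
  sshd_local_only_conf > "$dir/sshd_config.d/10-local-only.conf"
  # If rsyslogd is installed, let it syntax-check what we generated.
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 -f "$dir/rsyslog.d/10-receive.conf" >/dev/null 2>&1 || return 1
  fi
}

# With no argument, just show the fragments; with one, stage them there.
if [ "$#" -gt 0 ]; then
  write_configs "$1"
else
  client_forward_conf; echo; server_receive_conf; echo; sshd_local_only_conf
fi
```

After copying the fragments into place, restart rsyslog on both sides and confirm with `logger -t probe test` on a client that `/var/log/remote/<client>/probe.log` appears on the server; only then reload sshd, from the console, so a typo in the AllowUsers line cannot lock you out of the log server.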

