On 2025-07-07 23:02, tomas@tuxteam.de wrote:
> On Mon, Jul 07, 2025 at 09:44:11PM +0200, Detlef Vollmann wrote:
>
> [...]
>
> > The main point is to find out which system was hit. According to the
> > description it looks like the Linux server itself wasn't hit, but a
> > different system that can access files on the server via network...
>
> Yes. The guess put forward elsewhere in this thread that it was perhaps a
> Windows client over Samba is pretty compelling. Especially the observation
> that only world-writable files were hit is a finger pointing in this
> direction.
I had a question that I forgot to add to my initial long post. This was: since "top" didn't show any great CPU usage, could the encryption have been performed on another machine (Windows or one of my 3 Android Kodi boxes)? A number of you suggested exactly this.
I checked, and sure enough, smb.conf had world-writeable permissions. I've seen where some Kodi web pages suggest this. I've had it this way for many years, but now I have made it read-only.
So far, I booted up the Windows machine. I don't see any sign of an attack on it. This is my mother's PC. She passed away at age 100 a year ago. The PC is on and connected to the network, but I don't do much on it.
I also booted up 1 of my 3 Android Kodi boxes. No new attacks on my Linux server. I'll look at the other 2 next.
The only Kodi addon I remember updating recently is opentitles, which seems to have switched from opentitles.org to opentitles.com.
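An added example, not part of this thread: a small Python check that flags Samba shares an unauthenticated client can write to, the condition that lets a compromised Windows client or Kodi box modify files on the server. The sample smb.conf, its share names and paths are constructed; it shows the weak share beside its read-only fix.

```python
import configparser

# Constructed sample smb.conf (not the poster's file): [media] is the weak
# setting, writable without credentials; [media-ro] is the read-only fix.
SAMPLE_SMB_CONF = """
[global]
   map to guest = Bad User
[media]
   path = /srv/media
   guest ok = yes
   writeable = yes
[media-ro]
   path = /srv/media
   guest ok = yes
   read only = yes
"""

def _bool(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def share_is_writable(global_opts: dict, share_opts: dict) -> bool:
    # Samba default is 'read only = yes'; 'writeable', 'writable' and
    # 'write ok' invert it; the last setting wins, share overrides [global].
    writable = False
    for opts in (global_opts, share_opts):
        for key, val in opts.items():
            if key in ("writeable", "writable", "write ok"):
                writable = _bool(val)
            elif key == "read only":
                writable = not _bool(val)
    return writable

def share_is_guest(global_opts: dict, share_opts: dict) -> bool:
    # 'guest ok' (synonym 'public') defaults to no.
    guest = False
    for opts in (global_opts, share_opts):
        for key, val in opts.items():
            if key in ("guest ok", "public"):
                guest = _bool(val)
    return guest

def world_writable_shares(conf_text: str) -> list:
    # Flatten indentation so configparser does not treat indented options as
    # continuation lines; interpolation is off because Samba uses %U, %S etc.
    flat = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    global_opts = dict(cp["global"]) if cp.has_section("global") else {}
    return [name for name in cp.sections() if name != "global"
            and share_is_guest(global_opts, dict(cp[name]))
            and share_is_writable(global_opts, dict(cp[name]))]
```

Run it against the output of `testparm -s` to see settings with Samba's defaults already applied; on the sample it reports only `media`.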