Re: Linux machine hit by ransomware
On 7/9/25 10:39, Rick Macdonald wrote:
> I had a question that I forgot to add to my initial long post. This was:
> since "top" didn't show any great CPU usage, could the encryption have
> been performed on another machine (Windows or one of my 3 Android Kodi
> boxes)? A number of you suggested exactly this.
> I checked, and sure enough, smb.conf had world-writable permissions.
> I've seen where some Kodi web pages suggest this. I've had it this way
> for many years, but now I have made it read-only.
> So far, I booted up the Windows machine. I don't see any sign of an
> attack on it. This is my mother's PC. She passed away at age 100 a year
> ago. The PC is on and connected to the network, but I don't do much on it.
> I also booted up 1 of my 3 Android Kodi boxes. No new attacks on my
> Linux server. I'll look at the other 2 next.
> The only Kodi addon I remember updating recently is opentitles, which
> seems to have switched from opentitles.org to opentitles.com.
If you want to identify the source of the attack, one idea is to put the
server on an isolated network segment, restore it to the configuration
it had when the attacks occurred, and wait to see if the attacks resume.
If so, find the source. If not, add a suspect computer to the
isolated network segment and repeat.
If you want to remove malware from the Windows computer, run Windows
Update, run a Windows Defender full scan, and run a Windows Defender
offline scan.
David
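The world-writable Samba share Rick describes is exactly the kind of setting a quick audit should catch before a client on the LAN can overwrite everything behind it. The script below is an added example, not from this thread or from Samba itself: it parses an smb.conf (the sample config embedded in it is constructed, with one guest-writable share beside a hardened one) and lists shares that are both guest-accessible and writable, handling Samba's synonyms (writable/writeable/write ok, the inverse read only, and guest ok/public).

```python
"""Audit an smb.conf for shares that unauthenticated (guest) clients can write to."""
import configparser

# Constructed sample config: [media] mirrors the risky setup described in the
# thread (public + writeable), [backup] shows the read-only, authenticated form.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[media]
   path = /srv/media
   public = yes
   writeable = yes

[backup]
   path = /srv/backup
   guest ok = no
   read only = yes
   valid users = rick
"""

TRUE_VALUES = {"yes", "true", "1"}
WRITABLE_KEYS = ("writable", "writeable", "write ok")

def _flag(section, names, default=False):
    """Boolean value of the first option in `names` present in the section."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE_VALUES
    return default

def is_writable(section):
    """Samba's default is read-only; 'read only' is the inverse of 'writable'."""
    if any(k in section for k in WRITABLE_KEYS):
        return _flag(section, WRITABLE_KEYS)
    if "read only" in section:
        return not _flag(section, ("read only",))
    return False

def guest_writable_shares(text):
    """Return the names of shares that allow guest access and are writable."""
    # interpolation=None keeps smb.conf macros such as %U from breaking parsing;
    # '=' only, so a ':' inside a value is never taken as a key delimiter.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    risky = []
    for name in cp.sections():
        if name.lower() in ("global", "printers", "print$"):
            continue
        if _flag(cp[name], ("guest ok", "public")) and is_writable(cp[name]):
            risky.append(name)
    return risky
```

Run it against a copy of /etc/samba/smb.conf (or the output of `testparm -s`, which expands includes) to see which shares any device on the LAN, including a compromised Kodi box or Windows PC, could encrypt in place.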