On 2021-03-02 12:50 p.m., Lew Wolfgang wrote:
On 3/2/21 9:33 AM, Marcus Meissner wrote:
On Tue, Mar 02, 2021 at 12:11:56PM -0500, James Knott wrote:
On 2021-03-02 11:53 a.m., Lew Wolfgang wrote:
I didn't see anything relevant. I even tried ".dhcpd virus". Did you try to upload the file to virustotal.com? Marcus Meissner did. https://www.virustotal.com/gui/file/364c6b2dcd55840f9c121c4131024965ef44dd18...
It reports as some generic Bitcoin Miner malware.
Of course everyone knows that the infected host can never be fully trusted again, right?
Yep.
James: have you tried running rkhunter on the infected host? It can be loaded via YaST if necessary.
Done that.
Hopefully you have off-line backups. If I were you, after trying to determine how this happened, I'd slick the disk and reinstall everything from scratch.
I was already thinking about that. Any chance 15.3 will be available soon? BTW, the shadow password file was changed at the same time as that .dhcpd file was created. Since there were only 3 login passwords in it and I know 2 of them still work, I assume the test account password was changed. I changed the password and set the account to not allow login. My next step is to remove the test user entirely.
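The timestamp correlation James describes (the shadow file changing when the .dhcpd file appeared) is the usual pivot from one suspicious file to everything else touched in the same window. The following is an added example, not from the thread: a GNU find/date based helper that lists files whose modification time lies within N minutes of a reference file's mtime, so a single known artifact can be widened into a timeline. The function name and arguments are my own; it assumes GNU coreutils and findutils (stat -c, date -d, find -newermt).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pivot from one suspicious
# file to other files modified around the same time, e.g. from a dropped
# ".dhcpd" binary to /etc/shadow. Requires GNU stat, date and find.
#
# Usage: near_mtime REFERENCE_FILE WINDOW_MINUTES SEARCH_ROOT
near_mtime() {
  ref="$1"; win="$2"; root="$3"
  [ -e "$ref" ] || { echo "reference file not found: $ref" >&2; return 1; }
  # mtime of the reference file as a Unix epoch (GNU stat)
  ref_epoch=$(stat -c %Y "$ref")
  # window boundaries in a form GNU find's -newermt accepts
  start=$(date -d "@$((ref_epoch - win * 60))" '+%Y-%m-%d %H:%M:%S')
  end=$(date -d "@$((ref_epoch + win * 60))" '+%Y-%m-%d %H:%M:%S')
  # -newermt START  : modified strictly after the window start
  # ! -newermt END  : not modified after the window end
  # ! -samefile REF : do not list the reference file itself
  # -xdev           : stay on one filesystem (skip /proc, /sys, mounts)
  find "$root" -xdev -type f -newermt "$start" ! -newermt "$end" \
       ! -samefile "$ref" -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' 2>/dev/null \
    | sort
}
```

On a live host the mtime of /etc/shadow, /etc/passwd and the user's crontab are the first things worth comparing against the dropper; remember that an attacker with root can reset timestamps, so absence of hits is not proof of absence.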