On 2021-03-02 2:02 p.m., Carlos E. R. wrote:
> Correlate that point in time with all logs. What were you doing at the time?
Having dinner.
> To create /home/test the first time they need root access of some kind, so anything you do to disable that account is pointless.
It was already there, as I created it years ago.
> Then you say that the thing would restart itself. I have read on Google that it restarts every half hour, so there will be some cronjob entry.
It remained through a reboot. I haven't seen it since I killed it and cleared the execute bits. I still have to see how it started. I have also identified someone connecting with ssh at about the time it appeared on my system. I have created a firewall rule to block the entire 61.0.0.0/8 network, as the attack came from 61.177.173.3, which is in China.
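
An added example, not part of the original message: one way to do the log correlation discussed above, listing sshd logins accepted within a window around the time an unknown file appeared, with the count of earlier failed attempts from the same address. The log lines, addresses, the `admin` account and the event time are constructed, and the traditional syslog line format is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd lines in traditional syslog format; not taken from the thread.
SAMPLE_LOG = """\
Mar  1 19:12:03 host sshd[2210]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  1 19:58:41 host sshd[2290]: Failed password for test from 198.51.100.9 port 51822 ssh2
Mar  1 19:58:47 host sshd[2290]: Accepted password for test from 198.51.100.9 port 51822 ssh2
Mar  1 23:40:10 host sshd[3001]: Accepted publickey for admin from 192.0.2.15 port 60100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd(text, year):
    """Yield (time, result, user, ip) per sshd auth line; syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]

def logins_near(text, event_time, window_minutes=30, year=2021):
    """Return accepted logins within +/- window_minutes of event_time."""
    window = timedelta(minutes=window_minutes)
    events = list(parse_sshd(text, year))
    hits = []
    for ts, result, user, ip in events:
        if result == "Accepted" and abs(ts - event_time) <= window:
            # Failed attempts from the same address before the success
            # point to password guessing rather than a normal login.
            failures = sum(1 for t, r, _, i in events
                           if r == "Failed" and i == ip and t <= ts)
            hits.append({"time": ts, "user": user, "ip": ip,
                         "prior_failures": failures})
    return hits

if __name__ == "__main__":
    appeared = datetime(2021, 3, 1, 20, 5)  # assumed time the unknown file appeared
    for hit in logins_near(SAMPLE_LOG, appeared):
        print(hit)
```
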