[GRLUG] htop issue
Grand Rapids Linux Users Group
grlug at grlug.org
Wed Jan 11 17:37:30 EST 2023
Figure out what user the script is running under.
Look at the home directory and see if there is an executable named `htop`
in there, because I wouldn't normally expect to see it there.
I'm quite confident someone uploaded a crypto miner and renamed it `htop`
so as to disguise it.
Regarding the IP address 126.96.36.199, that IP resolves to the domain
name mine.zpool.ca which IS a crypto mining service.
More on that IP available here:
On Wed, Jan 11, 2023 at 5:27 PM Grand Rapids Linux Users Group <
grlug at grlug.org> wrote:
> On Wed, 11 Jan 2023, Grand Rapids Linux Users Group wrote:
> > Looks like crypto mining scripts running on your machine.
> Plausible... how would one locate them? Don't see anything weird in ps.
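The check suggested in the reply above, as an added example that is not part of the original message: list every process named `htop` whose executable is not in a system binary directory, with the UID it runs under. The list of trusted directories is an assumption, and reading the `exe` link of another user's process requires root.

```shell
#!/bin/sh
# find_masquerading NAME [PROC_ROOT]
# Prints "pid uid exe" for each process whose command name is NAME but whose
# binary is outside the usual system directories (assumed list below).
# PROC_ROOT defaults to /proc; the parameter exists so the logic can be
# exercised against a constructed directory tree.
find_masquerading() {
    name=$1
    proc_root=${2:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        [ "$(cat "$dir/comm" 2>/dev/null)" = "$name" ] || continue
        # exe is a symlink to the file that is actually executing.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe="(unreadable)"
        case $exe in
            # Binary unlinked after launch: report it wherever it lived.
            *' (deleted)') ;;
            /usr/bin/*|/bin/*|/usr/sbin/*|/sbin/*|/usr/local/bin/*) continue ;;
        esac
        # Second field of the Uid: line is the real UID of the process.
        uid=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null) || uid=
        printf '%s %s %s\n' "${dir##*/}" "${uid:-?}" "$exe"
    done
}

# Stand-alone use: check the live system for the name given (default: htop).
find_masquerading "${1:-htop}"
```

Any line it prints gives the PID to inspect, the account to review, and the path of the file to preserve before it is removed.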