[GRLUG] htop issue

Grand Rapids Linux Users Group grlug at grlug.org
Wed Jan 11 17:37:30 EST 2023


Figure out what user the script is running under.
Look at the home directory and see if there is an executable named `htop`
in there, because I wouldn't normally expect to see it there.
I'm quite confident someone uploaded a crypto miner and renamed it `htop`
so as to disguise it.

Regarding the IP address 198.50.168.213, that IP resolves to the domain
name mine.zpool.ca which IS a crypto mining service.
More on that IP available here:
https://www.abuseipdb.com/check/198.50.168.213



On Wed, Jan 11, 2023 at 5:27 PM Grand Rapids Linux Users Group <
grlug at grlug.org> wrote:

> On Wed, 11 Jan 2023, Grand Rapids Linux Users Group wrote:
>
> > Looks like crypto mining scripts running on your machine.
> >
> Plausible, .. how would one locate them? Don't see anything weird in ps.
>
>         TFTR!
> --
> grlug mailing list
> grlug at grlug.org
> https://shinobu.grlug.org/mailman/listinfo/grlug
>
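A small triage script that does what the reply above suggests, added here as an example and not something posted to the list: it looks for an executable named `htop` sitting outside the directories a package manager would install it to (a copy in a home directory is the tell), lists any running `htop` with the user it runs as and the real on-disk binary behind it, and checks for connections to the pool address quoted in the thread. It assumes a Linux host with `/proc`, `pgrep`, `ps` and `ss` available; the trusted directory list is a Debian/RHEL-style assumption and can be overridden by setting `TRUSTED_DIRS`.

```shell
#!/bin/sh
# Triage helper (added example). Looks for a tool-named executable outside the
# package-managed paths and for running copies whose binary is not the distro's.

# Where a legitimately installed htop would live. Assumption: Debian/RHEL-style
# layout; override with TRUSTED_DIRS="..." before calling the functions.
TRUSTED_DIRS="${TRUSTED_DIRS:-/usr/bin /bin /usr/local/bin}"

# find_suspect_binaries NAME DIR...
# Prints executable files named NAME under DIR... whose directory is not in
# TRUSTED_DIRS (e.g. /home/bob/htop or /tmp/.x/htop).
find_suspect_binaries() {
    name="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -100: owner-executable; -xdev: do not cross into other filesystems
        find "$dir" -xdev -type f -name "$name" -perm -100 2>/dev/null
    done | while IFS= read -r path; do
        parent=$(dirname "$path")
        case " $TRUSTED_DIRS " in
            *" $parent "*) ;;                 # package-managed location, skip
            *) printf '%s\n' "$path" ;;       # unexpected location, report
        esac
    done
}

# running_copies NAME
# For every process whose command name is NAME, print "user pid exe-path".
# /proc/PID/exe resolves to the real binary even if it was renamed or deleted.
running_copies() {
    name="$1"
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        user=$(ps -o user= -p "$pid" 2>/dev/null)
        printf '%s %s %s\n' "$user" "$pid" "$exe"
    done
}

# connections_to ADDRESS
# Established TCP connections to ADDRESS, with the owning process (needs root
# for the process column). Returns non-zero when there are none.
connections_to() {
    ss -tnp 2>/dev/null | grep -F -- "$1"
}

# Run the three checks when invoked as: sh htop-triage.sh run
if [ "${1:-}" = "run" ]; then
    echo "== htop binaries outside $TRUSTED_DIRS =="
    find_suspect_binaries htop /home /root /tmp /var/tmp /dev/shm /opt
    echo "== running htop processes (user pid exe) =="
    running_copies htop
    echo "== connections to the pool address from the thread =="
    connections_to 198.50.168.213 || echo "none"
fi
```

A hit in the first section combined with a `/proc/PID/exe` path under a home directory or `/tmp` in the second is the pattern the reply describes; the user column tells you which account the miner was planted under, which is usually the account whose credentials or web application were compromised.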