[GRLUG] htop issue

Grand Rapids Linux Users Group grlug at grlug.org
Wed Jan 11 17:51:53 EST 2023


For a quick fix, you can update your firewall to block all traffic to/from 198.50.168.213.
—Michael

> On Jan 11, 2023, at 5:37 PM, Grand Rapids Linux Users Group <grlug at grlug.org> wrote:
> 
> Figure out what user the script is running under.
> Look at the home directory and see if there is an executable named `htop` in there, because I wouldn't normally expect to see it there.
> I'm quite confident someone uploaded a crypto miner and renamed it `htop` so as to disguise it.
> 
> Regarding the IP address 198.50.168.213, that IP resolves to the domain name mine.zpool.ca which IS a crypto mining service.
> More on that IP available here:
> https://www.abuseipdb.com/check/198.50.168.213
> 
> 
> 
> On Wed, Jan 11, 2023 at 5:27 PM Grand Rapids Linux Users Group <grlug at grlug.org> wrote:
> On Wed, 11 Jan 2023, Grand Rapids Linux Users Group wrote:
> 
> > Looks like crypto mining scripts running on your machine.
> >
> Plausible... how would one locate them? Don't see anything weird in ps.
> 
>         TFTR!
> -- 
> grlug mailing list
> grlug at grlug.org
> https://shinobu.grlug.org/mailman/listinfo/grlug
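Pulling the thread's triage steps together (find which user the process runs as, spot an `htop` that lives somewhere other than the system bin directories, tie the connection to 198.50.168.213 back to a PID, and block the address), here is an added Python example that is not code from any of the list posts. It assumes a Linux /proc layout and that a packaged htop lives in /usr/bin, /bin or /usr/local/bin (the EXPECTED_DIRS tuple is an assumption); the /proc/net/tcp excerpt embedded in it is constructed for illustration.

```python
#!/usr/bin/env python3
"""Triage helpers for the situation in the thread: a process named htop that
is really a miner, plus traffic to the pool address 198.50.168.213.
Added example, not code from any list post. Assumptions: Linux /proc layout
and that a packaged htop lives in one of EXPECTED_DIRS."""
import os
import socket
import struct

MINER_IP = "198.50.168.213"                               # from the thread
EXPECTED_DIRS = ("/usr/bin", "/bin", "/usr/local/bin")    # assumption
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed /proc/net/tcp excerpt: a local CUPS listener on 127.0.0.1:631
# and an established connection from uid 1000 to the pool on port 3500.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B1E6 D5A832C6:0DAC 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def hex_addr_to_ip_port(field):
    """Decode a /proc/net/tcp address field such as 'D5A832C6:0DAC'.
    The kernel prints the IPv4 address as a host-order 32-bit hex word, so on
    little-endian hardware the bytes read reversed; unpack with '<I'."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the contents of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:            # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        local = hex_addr_to_ip_port(f[1])
        remote = hex_addr_to_ip_port(f[2])
        conns.append({"local": local, "remote": remote,
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def connections_to(text, ip=MINER_IP):
    """Return the parsed connections whose peer is the given address."""
    return [c for c in parse_proc_net_tcp(text) if c["remote"][0] == ip]


def classify_process(comm, exe, cwd):
    """Reason string if a process called htop looks out of place, else None.
    exe and cwd are what /proc/<pid>/exe and /proc/<pid>/cwd resolve to."""
    if comm != "htop":
        return None
    if exe.endswith(" (deleted)"):
        return "htop binary was deleted after launch"
    if os.path.dirname(exe) not in EXPECTED_DIRS:
        return f"htop running from unexpected path {exe} (cwd {cwd})"
    return None


def socket_inode_to_pids(proc_root="/proc"):
    """Map socket inode numbers to the PIDs holding them via /proc/<pid>/fd."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    owners.setdefault(int(target[8:-1]), []).append(int(pid))
        except OSError:            # process went away, or not ours to read
            continue
    return owners


def scan_proc(proc_root="/proc"):
    """Walk /proc and return (pid, uid, reason) for every out-of-place htop."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
            uid = os.stat(base).st_uid       # owner of /proc/<pid> = process uid
        except OSError:
            continue
        reason = classify_process(comm, exe, cwd)
        if reason:
            findings.append((int(pid), uid, reason))
    return findings


def firewall_block_commands(ip=MINER_IP):
    """The quick fix from the thread, as iptables rules (returned, not run)."""
    return [f"iptables -I OUTPUT -d {ip} -j DROP",
            f"iptables -I INPUT -s {ip} -j DROP"]


if __name__ == "__main__":
    for pid, uid, reason in scan_proc():
        print(f"pid {pid} uid {uid}: {reason}")
    with open("/proc/net/tcp") as fh:
        live = fh.read()
    owners = socket_inode_to_pids()
    for c in connections_to(live):
        print(f"{c['state']} to {c['remote']} from pid(s) {owners.get(c['inode'], '?')}")
    print("\n".join(firewall_block_commands()))
```

Run it as root so /proc/<pid>/exe and /proc/<pid>/fd are readable for every user's processes; the uid in each finding answers the "what user is the script running under" question, and the inode-to-PID map is what lets the pool connection be attributed to a process even when `ps` shows nothing odd by name.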
