On Sun 06 Jul 2025 at 22:55:22 (-0400), Rick Macdonald wrote:
> After running Debian for nearly 30 years (and other distros prior to that),
> my Linux server was hit by a ransomware attack about 11 days ago.
> I have backups, so nothing important has been lost at this point.

That's the most important thing.

> However, I can't figure out how it got in, how it works, if there are
> executables on my computer that need to be cleaned, etc.

You should consider the entire system compromised beyond repair. Nuke and
pave -- do a complete reinstall from scratch, restore from a known good
backup, and re-enable services one at a time.

Do you use a separate server for your logfiles? Unfortunately the ones you
currently have are no longer trustworthy, so when you restore your box, I'd
recommend setting up a separate logserver that accepts two things:

  * forwarded logs from your other boxes, and
  * a local-only SSH or console login so you can see the logs.

I don't know the attack method, but I'd suspect smb first. That's why good
logs are essential.

-- 
Karl Vogel
I don't speak for anyone but myself

Running on coffee and spite, supplies getting low.
    --Project status seen on Reddit, 2 Jul 2025
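One concrete way to build the separate logserver Karl describes: rsyslog on the log host accepting forwarded messages over TCP and filing each sender's logs under its own directory, rsyslog on every other box forwarding with a disk-backed queue so nothing is lost during a network blip, and sshd on the log host restricted to one admin account from the management subnet. This is an added example, not something from the thread or from Debian's own packaging; the hostname `logserver.example.internal`, the subnet `192.0.2.0/24`, the user `admin` and the file names are constructed placeholders, and `write_configs` takes an output directory so the fragments can be reviewed before being installed under /etc.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate rsyslog and sshd
# fragments for a dedicated log server plus the client-side forwarding rule.
# Hostnames, addresses, user names and paths are constructed placeholders.

# Log-server side: accept TCP syslog on 514 and write each sender's messages
# to /var/log/remote/<hostname>/<program>.log with restrictive permissions.
logserver_rsyslog_conf() {
cat <<'EOF'
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
template(name="RemoteFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteFile" fileCreateMode="0640")
}
EOF
}

# Client side: forward everything to the log server ($1) over TCP. The
# disk-assisted queue keeps messages if the server is briefly unreachable,
# and resumeRetryCount=-1 retries forever instead of dropping them.
client_rsyslog_conf() {
cat <<EOF
*.* action(type="omfwd" target="$1" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_logserver"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# sshd on the log server: one admin account, only from the management
# subnet ($1), keys only. Anyone else gets to use the console.
logserver_sshd_conf() {
cat <<EOF
AllowUsers admin@$1
PasswordAuthentication no
EOF
}

# Write all three fragments under a root directory (default /etc) so they can
# be inspected first; on the real hosts only the relevant file is installed.
write_configs() {
  root="${1:-/etc}"
  mkdir -p "$root/rsyslog.d" "$root/ssh/sshd_config.d"
  logserver_rsyslog_conf > "$root/rsyslog.d/10-logserver.conf"
  client_rsyslog_conf "logserver.example.internal" > "$root/rsyslog.d/90-forward.conf"
  logserver_sshd_conf "192.0.2.0/24" > "$root/ssh/sshd_config.d/10-local-only.conf"
}
```

Run `write_configs /tmp/review` and inspect the three files before copying `10-logserver.conf` and `10-local-only.conf` to the log host and `90-forward.conf` to each client; the log host itself should not forward to itself. Plain TCP keeps the example short; rsyslog's TLS driver (`StreamDriver` options on imtcp/omfwd) is the next step once the hosts have certificates.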