I noticed that my crontab job wasn't running, so I went looking and saw that my crontab had been overwritten by:
* * */2 * * /home/media/.ttp/a/upd>/dev/null 2>&1
@reboot /home/media/.ttp/a/upd>/dev/null 2>&1
5 8 * * 0 /home/media/.ttp/b/sync>/dev/null 2>&1
@reboot /home/media/.ttp/b/sync>/dev/null 2>&1
5 1 * * * /tmp/.ssh/.rsync/c/aptitude>/dev/null 2>&1
These seem to be pointing to some crypto mining daemon stuff installed under my home directory. I removed the files, updated my crontab and rebooted. I don't see much evidence of them now (however, they are likely to hide if present).
This server is on Ubuntu 16.04, fully patched up.
Anyone seen this sort of thing before? Perhaps it came from a package like Sonarr or Radarr where someone managed to check in something malicious?
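An added example, not part of the original post: a small audit that flags user-crontab entries running from hidden directories or world-writable temp locations, run here over the entries quoted above plus one constructed benign entry. The indicator names and the list of temp directories are assumptions of this sketch.

```python
import re

# Crontab entries quoted in the post, plus one constructed benign entry.
SAMPLE = """\
* * */2 * * /home/media/.ttp/a/upd>/dev/null 2>&1
@reboot /home/media/.ttp/a/upd>/dev/null 2>&1
5 8 * * 0 /home/media/.ttp/b/sync>/dev/null 2>&1
@reboot /home/media/.ttp/b/sync>/dev/null 2>&1
5 1 * * * /tmp/.ssh/.rsync/c/aptitude>/dev/null 2>&1
# constructed benign entry, not from the post
0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable locations

def parse(line):
    """Split a user-crontab line into (schedule, command); None if not a job."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
        return None  # blank, comment, or environment assignment
    nsched = 1 if line.startswith("@") else 5
    fields = line.split(None, nsched)
    if len(fields) <= nsched:
        return None  # malformed: no command field
    return " ".join(fields[:nsched]), fields[nsched]

def indicators(schedule, command):
    """Return the heuristic indicators (assumed names) that an entry matches."""
    exe = re.split(r"[\s<>|;&]", command, maxsplit=1)[0]  # path before redirection
    hits = []
    if any(p.startswith(".") and p not in (".", "..") for p in exe.split("/")):
        hits.append("hidden-path")
    if exe.startswith(TEMP_DIRS):
        hits.append("temp-dir")
    if hits and re.search(r">\s*/dev/null", command):
        hits.append("output-discarded")  # only meaningful alongside a path hit
    if hits and schedule == "@reboot":
        hits.append("boot-persistence")
    return hits

def audit(text):
    """Return [(line_number, command, indicators)] for entries worth review."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        job = parse(line)
        if job and (hits := indicators(*job)):
            findings.append((n, job[1], hits))
    return findings

if __name__ == "__main__":
    for n, cmd, hits in audit(SAMPLE):
        print(f"line {n}: {cmd}  [{', '.join(hits)}]")
```

To check a live account, pass the output of `crontab -l` for each user to `audit()` instead of `SAMPLE`.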