I just logged into my VPS and found that XMRIG is running. I also noticed that the moneroocean_miner.service has started up. I've done some basic security hardening, like setting up fail2ban, but it looks like my server may have been compromised, possibly through Jellyfin or Caddy? I'm seeking help analyzing how the hacker might have gained access. The login IP appears to be from Google LLC, which raises questions about whether it was a scripted attack. I've also seen some concerning PAM error messages related to pam_lastlog. Any insights on how to investigate this further?
2 Answers
It seems like someone gained access using the username 'intel', which suggests you might have an account with that name and a weak password. That’s a big red flag! You should change your passwords immediately and consider locking down your user accounts further.

Could there be an accidental exposure through Docker? I've seen many cases where VPS servers were hacked due to misconfigured containers, leading to miners being installed. If you have services running without updated security measures, that could have allowed the breach. Watch out for default credentials or exposed endpoints!

You're spot on! I had Jellyfin running in a Docker container and a Caddy file browser too, so it could be related to that. I thought it was secure, but I guess I need to re-evaluate my setup.
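A small triage script, added here as an example and not posted by anyone in the thread: it summarises SSH authentication attempts per user and source address (a run of failures followed by an accepted password for the 'intel' account is what the first answer suspects) and scans unit directories for files that reference xmrig or moneroocean, so the moneroocean_miner.service persistence and any sibling units show up together. The log lines, addresses, PIDs and unit contents are constructed samples; on a live host you would feed it `/var/log/auth.log` (or `journalctl -u ssh`) and point `miner_units` at `/etc/systemd/system` and the user unit directories.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). Constructed sample log lines in the
# style of OpenSSH/PAM syslog output; the addresses and PIDs are made up.
SAMPLE_AUTH_LOG='Mar 10 02:14:01 vps sshd[2311]: Failed password for intel from 203.0.113.7 port 51234 ssh2
Mar 10 02:14:03 vps sshd[2311]: Failed password for intel from 203.0.113.7 port 51234 ssh2
Mar 10 02:14:05 vps sshd[2311]: Accepted password for intel from 203.0.113.7 port 51234 ssh2
Mar 10 02:14:05 vps sshd[2311]: pam_unix(sshd:session): session opened for user intel by (uid=0)
Mar 10 02:14:05 vps sshd[2311]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: Permission denied
Mar 10 09:00:12 vps sshd[4100]: Accepted publickey for admin from 198.51.100.4 port 40000 ssh2'

# login_summary: read sshd log lines on stdin and print, per "user source-ip",
# how many password/publickey attempts failed and how many were accepted.
# Several failures followed by "Accepted password" for the same pair is the
# signature of a guessed weak password, which is the first answer's theory.
login_summary() {
  awk '/sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
         status = ($0 ~ / Accepted /) ? "accepted" : "failed"
         sub(/.*(password|publickey) for (invalid user )?/, "")   # -> "user from ip port ..."
         key = $1 " " $3
         seen[key] = 1; count[key, status]++
       }
       END {
         for (k in seen)
           print k, "failed=" count[k, "failed"] + 0, "accepted=" count[k, "accepted"] + 0
       }' | sort
}

# miner_units: list unit files under the given directories whose contents
# mention xmrig or moneroocean, so the persistence the poster found
# (moneroocean_miner.service) and any sibling units appear in one listing.
miner_units() {
  grep -rlEi 'xmrig|moneroocean' "$@" 2>/dev/null | sort
}

# Stand-alone demo on the constructed sample; on a live host use, for example:
#   login_summary < /var/log/auth.log
#   miner_units /etc/systemd/system /run/systemd/system ~/.config/systemd/user
printf '%s\n' "$SAMPLE_AUTH_LOG" | login_summary
```

Cross-check the accepted-login timestamps against the unit file's modification time and the container's published ports (`docker ps`) to tie the login to the miner install and to the exposure the second answer asks about.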