blog_data/data/blog/posts/2023-03-14_i-have-been-hit-by-malware.rst

2023-10-15 03:45:03 +00:00
I have been hit by Malware.
###########################
:author: tyrel
:category: Website
:tags: malware
:status: published

This morning I woke up to an email from DigitalOcean saying they had scanned my host and found a botnet on port 8080.

"We are writing to let you know that your Droplet tyrelsouza.com at 138.197.14.67 is a Command & Control server part of a botnet."

UGH. This is not what I wanted to have to deal with today.

My first steps were to shut down all PHP things (the issue is with heysrv.php in EVERY directory). Then I ran ``find / -name heysrv.php -delete`` to delete all the files. After this, I decommissioned my Pixelfed instance (RIP pix.tyrel.dev) and disabled the startup scripts for that.
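
A worked example added to this post (not the author's own cleanup, and not code from the original page) of a cleanup that keeps evidence instead of wiping it: the file name ``heysrv.php`` is taken from the post, while the throwaway directory tree, the stand-in file contents, the function names (``build_demo_tree``, ``find_dropper``, ``count_dropper``, ``quarantine_dropper``, ``show_listener``) and the manifest format are all constructed for illustration. A bare ``find / -name heysrv.php -delete`` removes the only record of where the dropper landed and when; copying each hit into a quarantine directory and logging its hash and mtime first costs nothing and gives you something to match against an IOC feed later.

```shell
#!/bin/sh
# Added example, not from the original post. The dropper name heysrv.php
# comes from the post; the directory tree, the stand-in file contents and
# the function names are constructed for illustration.
set -eu

# Build a throwaway web root with heysrv.php planted in three places plus
# one legitimate index.php that must survive the cleanup. Prints the path.
build_demo_tree() {
    demo_root=$(mktemp -d)
    for d in wp/wp-content/uploads wiki/images pixelfed/public; do
        mkdir -p "$demo_root/$d"
        printf '<?php /* constructed stand-in, not the real dropper */ ?>\n' \
            > "$demo_root/$d/heysrv.php"
    done
    printf '<?php /* legitimate redirect stub, keep */ ?>\n' > "$demo_root/wp/index.php"
    printf '%s\n' "$demo_root"
}

# Every regular file named $2 under $1, one path per line.
find_dropper() {
    find "$1" -type f -name "$2"
}

# Number of copies still present (0 once cleanup is done).
count_dropper() {
    find_dropper "$1" "$2" | wc -l | tr -d ' '
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# GNU stat first, BSD stat as fallback.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Copy each hit into $3 (path preserved), append "sha256 mtime path" to a
# manifest, and only then delete the original. Prints how many were handled.
# $3 must live outside $1, otherwise the quarantined copies get found again.
quarantine_dropper() {
    q_root=$1; q_name=$2; q_dir=$3
    mkdir -p "$q_dir/files"
    find_dropper "$q_root" "$q_name" > "$q_dir/found.txt"
    : > "$q_dir/manifest.txt"
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        rel=${f#"$q_root"/}
        mkdir -p "$q_dir/files/$(dirname "$rel")"
        cp -p "$f" "$q_dir/files/$rel"
        printf '%s %s %s\n' "$(hash_file "$f")" "$(mtime_epoch "$f")" "$f" \
            >> "$q_dir/manifest.txt"
        rm -f "$f"
    done < "$q_dir/found.txt"
    wc -l < "$q_dir/manifest.txt" | tr -d ' '
}

# Deleting files does not stop the process DigitalOcean saw listening.
# Assumed helper: show what is bound to the port so it can be killed too.
show_listener() {
    if command -v ss >/dev/null 2>&1; then
        ss -tlnp "sport = :$1"
    else
        netstat -tlnp 2>/dev/null | grep ":$1 " || true
    fi
}

demo=$(build_demo_tree)
quarantine=$(mktemp -d)
echo "before: $(count_dropper "$demo" heysrv.php) copies of heysrv.php"
quarantine_dropper "$demo" heysrv.php "$quarantine" >/dev/null
echo "after:  $(count_dropper "$demo" heysrv.php) copies; evidence in $quarantine/manifest.txt"
cat "$quarantine/manifest.txt"
```

On the real box you would call ``quarantine_dropper / heysrv.php /root/quarantine`` and then ``show_listener 8080`` to find the process behind the C2 port; the files are only the persistence mechanism, and whatever PHP worker or cron job spawned the listener needs to go as well before the host is clean.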
I then installed Simply Static on my one `remaining WordPress <https://k3tas.radio/airband/>`_ and turned that into a static collection of HTML and related files. This eliminated two PHP instances, with one more remaining: my MediaWiki server.

I found an Export Pages link and now have an XML file of all my pages (only 78 or so) and can start working on putting these back as HTML notes in my Joplin tool, instead of my wiki. Before I shut it down for good, I need to extract all the images; that's the only thing that's left to keep this knowledge secure.

Now the only thing left on this server is this static blog, pushed up from Pelican. Everything else on this machine is just ``index.php`` files that redirect around (for example `https://tyrel.bike/ <https://tyrel.bike>`_ to my Strava).

It's a bit sad I had to do this today, when I have other things I want to deal with, but DigitalOcean gave me a 24-hour ultimatum. I'll rebuild this server later, but for now, blog on!