I was breached

Today I logged onto my humble little server to check a potential CVE, I wanted to make sure I was safe from CVE-2026-24061.

Upon logging in, I am given my fastfetch that gives me all the nice details about RAM, CPU and storage, alongside a cool ASCII art of Squirtle.

But then I noticed the CPU usage. 100%.

What’s going on?

I ran bashtop to see what was going on, and sure enough all cores pegged at 100% from bash -bash, by the user amp.

I thought, well, I'll kill that and see what's going on once it's dead. How naive of me to assume malware would be that easy to get rid of.

I killed the process, and sure enough it came back within seconds. Now I was worried.

I ran userdel amp to remove the user very shortly after killing the process, but I got an error saying the user still had running processes. What was it? bash -bash again.

I then had to look up how to force delete a user. Luckily it’s just as simple as userdel -f user. So I ran it, and sure enough the user was gone and the process was not spawning again.

So what was it? Who was it? How did they get in?

The Investigation

At this point, the server was running fine, no high CPU usage, granted the temps were high, but nothing alarming. So I started looking through logs.

First place I looked was /var/log/auth.log to see if there were any suspicious logins. Immediately I saw a successful login to the user amp via SSH from an IP address in Spain.
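As an added example (not code from the original post), here is a small script that does this auth.log review programmatically: it parses sshd "Accepted"/"Failed" lines, summarises per user how they authenticated and from which source IPs, and flags users that got in with a password after failed attempts. The log lines, hostname, usernames and IP addresses below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Ubuntu /var/log/auth.log sshd format
# (not from the original post). IPs are RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 srv sshd[2210]: Accepted publickey for kingfisher from 198.51.100.7 port 50222 ssh2: ED25519 SHA256:abc
Jan 14 03:40:17 srv sshd[2388]: Failed password for amp from 203.0.113.45 port 41022 ssh2
Jan 14 03:40:21 srv sshd[2388]: Failed password for amp from 203.0.113.45 port 41022 ssh2
Jan 14 03:40:26 srv sshd[2388]: Accepted password for amp from 203.0.113.45 port 41022 ssh2
Jan 14 03:40:26 srv sshd[2388]: pam_unix(sshd:session): session opened for user amp(uid=1002) by (uid=0)
Jan 14 09:02:44 srv sshd[3109]: Accepted password for amp from 203.0.113.45 port 41900 ssh2
"""

# Matches the sshd authentication result lines; "invalid user" is optional.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd_events(text):
    """Yield (result, method, user, ip) for every sshd auth line in text."""
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def summarize_logins(text):
    """Per user: accepted logins by method, failed attempts, and source IPs."""
    summary = defaultdict(lambda: {"password_logins": 0, "publickey_logins": 0,
                                   "failed": 0, "source_ips": set()})
    for result, method, user, ip in parse_sshd_events(text):
        entry = summary[user]
        if result == "Failed":
            entry["failed"] += 1
            continue
        entry[f"{method}_logins"] += 1
        entry["source_ips"].add(ip)
    return dict(summary)

def suspicious_users(summary):
    """Users that logged in with a password after at least one failed attempt."""
    return sorted(u for u, e in summary.items()
                  if e["password_logins"] > 0 and e["failed"] > 0)

if __name__ == "__main__":
    s = summarize_logins(SAMPLE_AUTH_LOG)
    for user, e in sorted(s.items()):
        print(user, e["password_logins"], e["publickey_logins"], e["failed"],
              sorted(e["source_ips"]))
    print("review these accounts:", suspicious_users(s))
```

On a live box, feed it the real file (for example `open("/var/log/auth.log").read()`) and look at every user with non-zero password logins; once password authentication is disabled in sshd, that column should stay at zero.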

Now I know that the user amp did exist before; it was created by the AMP software I used to manage game servers. Unfortunately for me, I must have used an old, previously breached password for that user when setting it up many moons ago.

But my confusion was still there, what was it doing?

To my luck again, they left 2 binary files and a config lying around in /tmp. The config file looked to be a config to phone home to a C2 server along with some IRC bullshit and a nickname; at least you fuckers knew my name was Kingfisher I guess.

Downloading one of the binaries triggered Defender immediately as a PUP. Ignoring the warning triggered another alert, this time for a Trojan:Linux/CoinMiner. Here is the VirusTotal link for those curious.

So it was a crypto miner, no wonder my CPU was pegged. Thanks guys.

The Aftermath

I eventually decided that clearing the known malware wasn’t enough. I needed to be sure. So I backed up the main data on the server to my local machine and told Hetzner to reinstall Ubuntu.

A fresh start was needed. This time with no old passwords, no old users, not even allowing passwords anymore.

Here’s hoping this is the last time I have to deal with bullshit, dog piss drinking, ass hat, cunt bag, crypto assholes again.