On 2025-07-07, Karl Vogel <[email protected]> wrote:
>>> On Sun 06 Jul 2025 at 22:55:22 (-0400), Rick Macdonald wrote:
>
>> After running Debian for nearly 30 years (and other distros prior to that),
>> my Linux server has been hit by a ransomware attack about 11 days ago.
>> I have backups, so nothing important has been lost at this point.
>
> That's the most important thing.
>
>> However, I can't figure out how it got in, how it works, if there are
>> executables on my computer that need to be cleaned, etc.
>
> You should consider the entire system compromised beyond repair. Nuke and
> pave -- do a complete reinstall from scratch, restore from a known good
> backup, and re-enable services one at a time.

That's what I'd do, nuke and pave. Yet there remains the key, forensic question of how the server became contaminated in the first place.

