On 07.07.2025 07:47, Rick Macdonald wrote:
I apologize for the length of this question.
...
Some thoughts:
I read that files created by NFS or smb can be owned by
nobody/nogroup. The 2 running processes owned by nobody are
/usr/bin/memcached and /usr/sbin/smbd. The remote kodi boxes access
the server files using smb.
I don't know what it means that only files owned by me have been hit,
but only files with 777/666 permissions. Given that the new files are
created by nobody, it seems like they aren't able to actually log into
my account?
To answer that question, you need to provide more technical information
about your compromised PC and network setup.
Assuming this was an external attack, what ports/services on the
compromised PC were exposed to the Internet, for example via port
forwarding or directly via IPv6?
SSH server? HTTP/HTTPS server? Was SMB exposed to the Internet? VNC
server? XRDP server? Anything else?
If the compromised PC was running locally without remote access from the
Internet, there is a possibility of a supply chain attack, for example a
plug-in or component laced with malicious code that was installed
recently. Such malware could install a backdoor with a remote shell and
report itself to the bad guys.
It is also possible the PC wasn't compromised at all, because this
specimen of ransomware seems to be built to work on Windows OS only, so
the encryption of files on the compromised PC was done over the network
share, as mailing list user Kamil Jońca had guessed.
A Samba (mis-)configuration is probably to blame for user "nobody"
(meaning shares were accessible anonymously, without a password) and
"777/666 permissions" (too liberal a user mask was set and/or Windows
doesn't know how to set Linux permissions).
So is there a Windows PC, possibly also compromised, connected to the
local network?
You should check the compromised Linux PC at least in the obvious places
which malware uses to establish persistence: crontab, sysinit, systemd
units, *.rc scripts, etc.
Many of them require root-level access, so it could be very difficult,
if not impossible, for spread-hit malware to accomplish, especially if
it didn't get shell access to the compromised Linux PC.
It is not obvious at this point how the malware got in, but usually the
payload includes info-stealer type malware, so I would assume your web
and email accounts and their passwords, browser cookies, etc., were
stolen from a PC which ran the malware executable.
--
With kindest regards, Alexander.
Debian - The universal operating system
https://www.debian.org
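The two checks Alexander recommends above, the Samba settings that produce "nobody"-owned 777/666 files and the persistence locations to inspect, as an added example that is not part of the thread or of Samba's own tooling. It is a POSIX shell script with a small smb.conf auditor (flags `guest ok`/`public`, `map to guest` other than `Never`, and 666/777 `create mask`/`directory mask` values, including their `force ... mode` variants) and a persistence enumerator covering cron, systemd units, init/rc scripts and per-user startup files, marking entries changed within the last N days. The function names, the sample weak and hardened smb.conf, and the fake directory tree the demo builds (paths such as `/srv/media`, `/var/tmp/.cache` and the user `rick`) are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. audit_smb_conf FILE flags smb.conf
# directives that let SMB clients write anonymously (as the guest account,
# typically "nobody") or create 777/666 files; persistence_audit ROOT [DAYS]
# lists files under the persistence locations named in the reply (cron,
# systemd units, init/rc scripts, per-user startup files) below ROOT and
# marks those changed within DAYS days (default 7). Sample data is constructed.

# Normalise smb.conf text: drop comments, squeeze whitespace, lower-case,
# and reduce "key = value" to "key=value" so the parser can split on '='.
smb_norm() {
    sed -e 's/[;#].*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
        -e 's/ *= */=/' "$1" | tr '[:upper:]' '[:lower:]'
}

# Print one finding per weak directive, prefixed with the section it sits in.
audit_smb_conf() {
    section='[global]'
    smb_norm "$1" | while IFS= read -r line; do
        case "$line" in
            '')    continue ;;
            \[*\]) section=$line; continue ;;
        esac
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            'guest ok'|public)
                if [ "$val" = yes ]; then
                    echo "$section: '$key = $val' allows anonymous access; new files belong to the guest account"
                fi ;;
            'map to guest')
                if [ "$val" != never ]; then
                    echo "$section: 'map to guest = $val' turns failed logins into guest sessions"
                fi ;;
            'create mask'|'force create mode')
                case "$val" in 666|0666|777|0777) echo "$section: '$key = $val' makes new files world-writable" ;; esac ;;
            'directory mask'|'force directory mode')
                case "$val" in 777|0777) echo "$section: '$key = $val' makes new directories world-writable" ;; esac ;;
        esac
    done
}

# Print every regular file under PATH, prefixing those modified within DAYS
# days with RECENT; older entries are listed too, since a hook may predate the damage.
scan_path() {
    [ -e "$1" ] || return 0
    find "$1" -type f -mtime -"$2" -exec printf 'RECENT %s\n' {} \;
    find "$1" -type f ! -mtime -"$2" -exec printf '       %s\n' {} \;
}

persistence_audit() {
    root=${1%/}; days=${2:-7}
    for loc in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
               var/spool/cron/crontabs etc/systemd/system etc/init.d etc/rc.local etc/profile.d; do
        scan_path "$root/$loc" "$days"
    done
    for home in "$root"/home/* "$root"/root; do
        for f in .bashrc .profile .bash_profile .config/systemd/user \
                 .config/autostart .ssh/authorized_keys; do
            scan_path "$home/$f" "$days"
        done
    done
}

# Build a constructed sample tree under DIR: a weak and a hardened smb.conf,
# two fresh persistence entries and one old, legitimate-looking unit file.
build_sample_tree() {
    cat > "$1/smb.conf.weak" <<'EOF'
[global]
   map to guest = Bad User
[media]
   path = /srv/media
   guest ok = Yes
   create mask = 0666
   directory mask = 0777
EOF
    cat > "$1/smb.conf.hardened" <<'EOF'
[global]
   map to guest = Never
[media]
   path = /srv/media
   guest ok = no
   valid users = rick
   create mask = 0644
   directory mask = 0755
EOF
    mkdir -p "$1/etc/cron.d" "$1/etc/systemd/system" "$1/home/rick/.config/systemd/user"
    echo '@reboot nobody /var/tmp/.cache/update.sh' > "$1/etc/cron.d/update"
    printf '[Service]\nExecStart=/var/tmp/.cache/agent\n' > "$1/home/rick/.config/systemd/user/agent.service"
    printf '[Unit]\nDescription=OpenBSD Secure Shell server\n' > "$1/etc/systemd/system/ssh.service"
    touch -t 202401010000 "$1/etc/systemd/system/ssh.service"   # old mtime, not RECENT
}

if [ "${1:-}" = --demo ]; then                       # sh smb_audit.sh --demo
    T=$(mktemp -d); build_sample_tree "$T"
    echo "== weak smb.conf";     audit_smb_conf "$T/smb.conf.weak"
    echo "== hardened smb.conf"; audit_smb_conf "$T/smb.conf.hardened"
    echo "== persistence entries"; persistence_audit "$T" 7; rm -rf "$T"
fi
```

Run it with `--demo` to see the weak config produce four findings, the hardened one none, and the two freshly written entries flagged RECENT while the old unit file is merely listed. Against a live box, `persistence_audit / 14` walks the real locations (read-only, so it is safe to run before imaging); `audit_smb_conf /etc/samba/smb.conf` only reads the text, so confirm the effective values with Samba's own `testparm`, which also resolves synonyms and `include` lines this parser ignores.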