On 2025-07-07 23:02, [email protected] wrote:

On Mon, Jul 07, 2025 at 09:44:11PM +0200, Detlef Vollmann wrote:

[...]

The main point is to find out which system was hit.
According to the description it looks like the Linux server itself
wasn't hit, but a different system that can access files on the server
via network...

Yes. The guess put forward elsewhere in this thread that it was perhaps
a Windows client over Samba is pretty compelling. Especially the observation
that only world-writable files were hit is a finger pointing in this
direction.

I had a question that I forgot to add to my initial long post. It was:
since "top" didn't show any great CPU usage, could the encryption have
been performed on another machine (Windows or one of my 3 Android Kodi
boxes)? A number of you suggested exactly this.

I checked, and sure enough, smb.conf had world-writable permissions.
I've seen where some Kodi web pages suggest this. I've had it this way
for many years, but now I have made it read-only.

So far, I booted up the Windows machine. I don't see any sign of an
attack on it. This is my mother's PC. She passed away at age 100 a year
ago. The PC is on and connected to the network, but I don't do much on it.

I also booted up 1 of my 3 Android Kodi boxes. No new attacks on my
Linux server. I'll look at the other 2 next.

The only Kodi addon I remember updating recently is opentitles, which
seems to have switched from opentitles.org to opentitles.com.
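
The check discussed in this thread, as an added example that is not part of the original messages: it reads an smb.conf, finds shares that allow guest access and are not read-only, and lists the world-writable files under each share path, which are the files a network client could have rewritten. The function names and the sample share are assumptions; the parser looks at share sections only and ignores `[global]` defaults and `include` lines.

```python
import configparser
import os
import stat
import tempfile

TRUE = {"yes", "true", "1", "on"}

def load_shares(smb_conf_text):
    """Return {share: {param: value}} from smb.conf text, skipping [global]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip indentation so configparser does not treat it as a continuation.
    cp.read_string("\n".join(l.strip() for l in smb_conf_text.splitlines()))
    return {s: dict(cp[s]) for s in cp.sections() if s.lower() != "global"}

def is_guest_writable(params):
    """True if the share allows guest access and is not read-only."""
    # Samba ignores case and whitespace in parameter names; handle synonyms.
    p = {k.replace(" ", "").lower(): v.strip().lower() for k, v in params.items()}
    guest = any(p.get(k) in TRUE for k in ("guestok", "public"))
    writable = any(p.get(k) in TRUE for k in ("writeable", "writable", "writeok"))
    if "readonly" in p:  # Samba's default is "read only = yes"
        writable = writable or p["readonly"] not in TRUE
    return guest and writable

def world_writable_files(root):
    """Regular files under root with the o+w bit set (writable by any account)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                hits.append(full)
    return sorted(hits)

def audit(smb_conf_text):
    """Map each guest-writable share to the world-writable files it exposes."""
    return {name: world_writable_files(params["path"])
            for name, params in load_shares(smb_conf_text).items()
            if is_guest_writable(params) and "path" in params}

if __name__ == "__main__":
    root = tempfile.mkdtemp()  # constructed sample share, not from the thread
    for fname, mode in (("movie.nfo", 0o666), ("notes.txt", 0o644)):
        with open(os.path.join(root, fname), "w") as fh:
            fh.write("sample")
        os.chmod(os.path.join(root, fname), mode)
    sample = f"[global]\nworkgroup = HOME\n[media]\n\tpath = {root}\n\tguest ok = yes\n\tread only = no\n"
    print(audit(sample))
```

To run it against a real server, pass the contents of its smb.conf to `audit()`; an empty list for a share means guest write access is enabled but no file under the path currently has the o+w bit.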