Hello and welcome to the Friday, January 16th,

2006 edition of the Sands and then at Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu undergraduate certificate program in

applied cyber security. Today's diary comes from Matthew Presnell, one of our undergraduate

interns, and Matthew is writing about, well, the most common, actually, observation from his

honeypot. And that's, well, crypto coin miners.

Now, crypto-jacking, of course, is very, very common. But there's one part to it. That's

something here that Matthew is mentioning that's sadly often overlooked, even though it is very,

very common. And that the crypto-coin miner is hardly the only thing that's happening when your system gets infected.

So the crypto coin miner is probably the easiest to detect problem.

And that's, you know, what usually people are paying attention to.

That all of a sudden their system is slow.

They see there's this process running.

So what do they do?

They kill the process and move on.

But that's not really sufficient here because, as Matthew points out, pretty much every time

there's a crypto coin miner, there's also a backdoor being installed.

In this case, that's probably the most common combination with the crypto coin miner,

an S-H keys being added to the authorized keys file, and with that, the hacker now has access to your system.

Even after you change the weak password that was

originally used to break into the system. So always pay attention. If you find a crypto coin

...