Godmode skill abuse led to a VPS miner and SSH backdoor
A VPS running was compromised through the godmode skill. The attacker added a malicious that ran every minute, loaded godmode, and fetched a shell script from a . Unauthorized SSH keys were added to both the normal user account and the root account, creating a way to return later.
A firewall rule was also added to allow SSH access on port 22. The attacker installed xmrig, which connected to 192.3.188.151:8443 and used heavy CPU power for crypto mining. warnings around 02:30 and 07:30 were caused by the miner’s CPU use, not gateway restarts.
Cleanup removed the malicious , killed and deleted xmrig, removed the rogue SSH keys, deleted suspicious scripts, locked root’s authorized_keys with chattr +i, and deleted the godmode skill.
Key points
- The godmode skill was abused to run a malicious on a VPS.
- The attacker added SSH keys to both the user and root accounts for later access.
- xmrig was installed and used the server’s CPU for crypto mining.
- Key places to inspect are s, authorized_keys, iptables rules, suspicious /tmp scripts, and running xmrig .
- High-risk skills like godmode should be removed or enabled only in tightly controlled situations.