observantTrapezium

  • 0 Posts
  • 1 Comment
Joined 3 years ago
cake
Cake day: June 30th, 2023

help-circle
  • Hey, hope you are recovering from this ordeal. I attribute some of the oddities in your post to panicked writing, but it would be great if you can clarify these points:

    listed as .BRM for windows 6

    What does that mean?

    As soon as they saw me, they wiped everything from my home folder, everything that wasn’t a base part of kde was gone

    What do you mean base part of KDE? Did they delete more than just the home directory?

    because since they schroot, none of those processes were available to me to view

    Why wouldn’t you be able to view processes running in schroot? Doesn’t it use the same pid namespace and uses the same /proc as the init process?

    I went digging and found the schroot under /run/ I took a look at the properties and the env showed 128.7TB of storage

    You wrote in a comment “that was the server farm rooted into me”. Why do you think that is the case?

    Also, it’s not quite clear what the screenshots are meant to show. The first two are a list of files in your home directory, showing it’s not empty. So did they wipe everything or not? How are we supposed to know what those files are and what you expect should be there… And then the other screenshots are of you trying to recover files from the disk image.

    I understand if you don’t, but do you actually have any evidence of an attack? Like cellphone video of the screen while you are seeing suspicious activity on Wireshark? I can definitely understand being more concerned with minimizing the damage once you realize files are being deleted than gathering evidence. But can you for example fish out that .dll file from the disk image?