A dev laptop running Ubuntu 24.04 got hit by a classic PostgreSQL cryptojacking attack while on public Wi-Fi (port 5432 exposed, UFW temporarily off).
Detection started with fan noise → btop tree view revealed 70-99% CPU under the postgres user.
The recovery was fully scripted, transparent, and driven by a local coding agent (Codex-Max-5.2) turned into a paranoid remediation specialist via a custom AGENTS.md directive.
Highlights:
Generated dozens of timestamped audit/cleanup scripts
Captured rogue sshd binary → 24/64 detections on VT as Linux trojan/rootkit hider
Ended with UFW timed rules, auditd watches, LAN-only services
Full play-by-play, verbatim scripts, and takeaways — no hype, just level zero truth.
levelZero•2h ago
Generated dozens of timestamped audit/cleanup scripts Captured rogue sshd binary → 24/64 detections on VT as Linux trojan/rootkit hider Ended with UFW timed rules, auditd watches, LAN-only services
Full play-by-play, verbatim scripts, and takeaways — no hype, just level zero truth.
https://open.substack.com/pub/layerzero0/p/surviving-a-2025-...
Would love feedback from anyone who's dealt with Postgres miners or AI-assisted IR.