A Windows server of ours got infected with some kind of mining tool.
As luck (?) would have it, the tool left plenty of logs. The logs suggest it's a Claymore CryptoNote CPU Miner v3.5 Beta. Outside of the logs, there are also mysterious files called history.txt and id.txt, but both contain hexadecimal gibberish akin to IDs of some kind.
Outside of the obvious next step of nuking the server and setting it up anew, I was wondering if there's anything I can do to mess with whatever mechanisms attacked the server in the first place. Steal their work, or at least make it harder to continue?
Is there anything I can do? Or is this entire line of thought a lost cause and best to just focus on getting a new server set up?