My brother got a desktop from eBay. It arrived yesterday and had Windows preinstalled. He installed Manjaro, found out the wifi driver required fiddling and removed it again and installed Deepin Linux instead. And he kept Windows installed also.

A day later I discover that he has an ssh server running on his desktop and connected to Russian, Chinese and Thai IPs.

Other things he had running were Chromium and Zoom as he was attending a lecture.

The way I found out is because I tried SSHing into a media server that I have at his home, and I mistakenly ended up sshing into his desktop. The media server and his desktop shared the same not very secure password since he had set it up for me and he is careless like that. Because I didn't care enough about the media server I was using password login (not public key auth). Once I logged into my media server it was untouched.

BTW we aren't VIP or anything. It was probably some kind of botnet.

What is puzzling me is how his desktop got infiltrated. Because how could he have an openssh server running on an almost new installation with practically no use? He is certain he didn't do it himself. The other question is, how did they get the password?

Edit:
Through http://www.blocklist.de, I found out that the botnet, once connected, was doing brute-force logins on other targets. So that is likely how they got in. Still not sure how the openssh server was running.
I thought most distros come with SSH standard? When I spin up Debian and CentOS VMs I don't have to do anything special before I can SSH into them.
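Two checks that answer the questions raised in this thread (is sshd accepting passwords, and did a brute force get in), as an added example that is not from any poster: it parses an sshd_config fragment and OpenSSH log lines in the standard "Failed password ... from IP" / "Accepted password ... from IP" format. The config, hostname, users, dates and IPs below are constructed samples, not real data.

```shell
#!/bin/sh
# Constructed sshd_config fragment. OpenSSH's default for PasswordAuthentication
# is "yes", so a commented-out or missing line still means passwords are accepted.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
#PasswordAuthentication no
PermitRootLogin prohibit-password
'

# Prints "yes" if the config on stdin effectively allows password logins, else "no".
# Like sshd(8), the first uncommented directive wins; none found means the default "yes".
password_auth_effective() {
  awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
       END { if (!found) print "yes" }'
}

# Constructed OpenSSH auth log lines (journald/syslog format); IPs are documentation ranges.
SAMPLE_AUTH_LOG='Mar 01 10:00:01 desk sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 44122 ssh2
Mar 01 10:00:03 desk sshd[1204]: Failed password for root from 203.0.113.7 port 44130 ssh2
Mar 01 10:00:04 desk sshd[1205]: Failed password for invalid user test from 198.51.100.9 port 50001 ssh2
Mar 01 10:00:09 desk sshd[1210]: Accepted password for bob from 203.0.113.7 port 44140 ssh2
Mar 01 10:01:00 desk sshd[1212]: Accepted publickey for alice from 192.0.2.5 port 60000 ssh2'

# Prints "<failures> <source ip>" per source on stdin, most failures first.
failed_login_sources() {
  awk '/sshd\[[0-9]+\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
       END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Prints source IPs that failed and later succeeded with a password: the signature
# of a brute force that found the password, which is what the thread suspects.
successful_after_failures() {
  awk '/Failed password/   { for (i = 1; i <= NF; i++) if ($i == "from") f[$(i+1)] = 1 }
       /Accepted password/ { for (i = 1; i <= NF; i++) if ($i == "from" && f[$(i+1)]) print $(i+1) }' | sort -u
}

# Run against the constructed samples. On a live box, feed real data instead:
#   sudo sshd -T | password_auth_effective        (effective config, not the file)
#   journalctl -u ssh | failed_login_sources       (unit is "sshd" on some distros; or /var/log/auth.log)
#   systemctl is-enabled ssh ; ss -tlnp            (is sshd enabled and actually listening?)
printf '%s' "$SAMPLE_SSHD_CONFIG" | password_auth_effective
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_sources
printf '%s\n' "$SAMPLE_AUTH_LOG" | successful_after_failures
```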