@kdfrawg And it spread to mine through the tunnel. (SSH was replaced also Which is not unusual.). I talked the guy through using netstat to isolate the IPs is was communicating with and how to block them with iptables. That enabled them to dump their data at least. They were then informed that they are responsible for finding someone else to re-do their server.