
Case 3. Yet Another Linux Investigation

Created: 20.09.2020
  1. Running netstat, we see a suspicious Python process with an established connection to a remote host:

[screenshot img10]

  2. Identify the executable: lsof -p 2082 and ps aux | grep 2082.

[screenshot img11]

  3. Check the /tmp/ folder for the backdoor executable.
  4. Check /proc/2082 with ls.

[screenshot img12]

  5. Since the executable is the legitimate Python interpreter, we need to explore further. In /proc/2082, sudo cat cmdline shows the command used to launch the process, cat task/2082/children shows the child PIDs, sudo cat status shows general information, cat environ shows … , and cat net/arp (the process's view of /proc/net/arp) shows the MAC addresses of the machines it has talked to:

[screenshot img1]

  6. Get the backdoor file: file recovery or memory forensics. Sometimes procfs alone is enough.
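The procfs checks from steps 4 to 6 can be scripted so they are repeatable across hosts. The helper below is an added example written for these notes, not from the original walkthrough or the referenced webinar; the function names, the PROC_ROOT parameter (which defaults to /proc and lets a test point at a constructed tree) and the "deleted executable" check are assumptions of this example. PID 2082 is the one from the case.

```shell
#!/bin/sh
# Hypothetical triage helper (added example, not from the original notes).
# It reads the same procfs entries the walkthrough inspects by hand
# (cmdline, status, exe, children) for a given PID. The optional second
# argument is the procfs root; it defaults to /proc.

# Print the command line of PID with NUL separators turned into spaces.
proc_cmdline() {
    pid="$1"; root="${2:-/proc}"
    tr '\0' ' ' < "$root/$pid/cmdline" | sed 's/ $//'
}

# Resolve the executable behind PID. A " (deleted)" suffix means the binary
# was removed from disk after launch; /proc/PID/exe still lets you copy it.
proc_exe() {
    pid="$1"; root="${2:-/proc}"
    readlink "$root/$pid/exe"
}

# Read one field (e.g. Name, State, PPid, Uid) from /proc/PID/status.
proc_status_field() {
    pid="$1"; field="$2"; root="${3:-/proc}"
    awk -F'\t' -v f="$field:" '$1 == f { print $2; exit }' "$root/$pid/status"
}

# List child PIDs from /proc/PID/task/PID/children (space separated, one line).
proc_children() {
    pid="$1"; root="${2:-/proc}"
    cat "$root/$pid/task/$pid/children" 2>/dev/null | tr -s ' ' '\n' | sed '/^$/d'
}

# Return 0 when the exe link is marked deleted or dangles, which is a strong
# hint that the binary should be preserved from procfs before it is lost.
proc_exe_is_deleted() {
    pid="$1"; root="${2:-/proc}"
    target=$(readlink "$root/$pid/exe") || return 1
    case "$target" in
        *" (deleted)") return 0 ;;
    esac
    [ -e "$root/$pid/exe" ] || return 0
    return 1
}

# Human-readable summary for one PID, mirroring the manual steps above.
proc_triage() {
    pid="$1"; root="${2:-/proc}"
    printf 'PID %s\n' "$pid"
    printf '  name:     %s\n' "$(proc_status_field "$pid" Name "$root")"
    printf '  state:    %s\n' "$(proc_status_field "$pid" State "$root")"
    printf '  ppid:     %s\n' "$(proc_status_field "$pid" PPid "$root")"
    printf '  exe:      %s\n' "$(proc_exe "$pid" "$root")"
    printf '  cmdline:  %s\n' "$(proc_cmdline "$pid" "$root")"
    printf '  children: %s\n' "$(proc_children "$pid" "$root" | tr '\n' ' ')"
    if proc_exe_is_deleted "$pid" "$root"; then
        printf '  WARNING: executable no longer on disk; copy %s/%s/exe now\n' "$root" "$pid"
    fi
}

# Usage on a live host (needs the same privileges as the manual cat commands):
#   proc_triage 2082
```

Run it with sudo when the target process belongs to another user, exactly as the manual cat commands in step 5 need it. Reading cmdline rather than trusting the ps name matters here because the executable (the Python interpreter) is legitimate while the script argument is what identifies the backdoor.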

References

[1] Magnet webinar on Linux Forensics