Case 3. Yet Another Linux Investigation

Created: 20.09.2020
  1. Running netstat shows a suspicious python script with an established connection to a remote host:

  2. Grab the executable: lsof -p 2082 and ps aux | grep 2082.

  3. Check the /tmp/ folder for the backdoor executable.
  4. Check /proc/2082 with ls.

  5. Since the executable is a legitimate python interpreter, the script it runs needs further exploring. In /proc/2082: sudo cat cmdline shows the command used to launch the process, cat task/2082/children shows the PIDs of its children, sudo cat status shows general information, cat environ shows … , and cat net/arp shows the ARP cache, i.e. the MAC addresses of the hosts on the local network this machine has talked to:

  6. Get the backdoor file: file recovery or memory forensics. Sometimes /proc is enough: while the process is still running, the script it executes stays reachable through /proc/2082/fd/ (and the interpreter through /proc/2082/exe) even if it has already been deleted from disk.
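
The /proc checks from the steps above, as an added example that is not from the note or the webinar: POSIX shell functions that take the suspicious PID (2082 in this case) as an argument, list open descriptors whose file was deleted, and copy such a file out through the fd link. The evidence path and fd number in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the webinar or the original note): the /proc checks
# from the steps above, wrapped as functions that take the suspicious PID
# (2082 in this case) as an argument. Assumes Linux with procfs mounted.

# Launch command line, binary and working directory, owner/parent from
# status, child PIDs of every thread, and the ARP cache seen by the process.
proc_summary() {
  pid="$1"
  [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
  printf 'cmdline : '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
  printf 'exe     : '; readlink "/proc/$pid/exe" || echo '(unreadable)'
  printf 'cwd     : '; readlink "/proc/$pid/cwd" || echo '(unreadable)'
  grep -E '^(Name|State|PPid|Uid):' "/proc/$pid/status"
  for t in /proc/"$pid"/task/*; do
    # children exists only when the kernel was built with CONFIG_PROC_CHILDREN
    if [ -r "$t/children" ]; then
      printf 'children (%s): ' "${t##*/}"; cat "$t/children"; echo
    fi
  done
  echo 'arp cache:'; cat "/proc/$pid/net/arp"
}

# Open descriptors whose target was unlinked: the content stays readable
# through the fd symlink until the process closes it or exits.
deleted_fds() {
  for fd in /proc/"$1"/fd/*; do
    target=$(readlink "$fd") || continue
    case "$target" in
      *' (deleted)') echo "${fd##*/} $target" ;;
    esac
  done
}

# Copy what is behind fd $2 of process $1 into file $3 (non-zero on failure:
# process gone, or owned by another user and not running as root).
recover_fd() {
  cat "/proc/$1/fd/$2" > "$3"
}

# Typical use on the case in the text (evidence path and fd are assumptions):
#   proc_summary 2082; deleted_fds 2082; recover_fd 2082 3 /evidence/backdoor.py
```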


[1] Magnet webinar on Linux Forensics