Run netstat; note the weird python script with an established connection to some remote host:
- Grab the executable: lsof -p 2082 and ps aux | grep 2082.
- Let’s see the
- Since the executable is a legitimate python, need to explore further. In
  sudo cat cmdline shows the command used to launch,
  cat task/2082/children shows the child PIDs,
  sudo cat status shows general information,
  cat environ shows … ,
  cat arp shows the MAC addresses of the machines connected:
- Get the backdoor file: file recovery or memory forensics. Sometimes
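The /proc walk described in these notes, written out as an added example that is not part of the original notes or the Magnet webinar. The function names and the PROC_ROOT override are my own; PROC_ROOT defaults to /proc on a live system and can be pointed at a copied or constructed tree (for a disk image, or for testing). The PID 2082 in the usage comment is the one from the notes; the files cmdline, status, environ, task/<pid>/children and net/arp are the standard /proc entries the notes refer to.

```shell
#!/bin/sh
# Added example: collect the /proc artifacts named in the notes for one PID.
# PROC_ROOT lets the functions run against a copied or constructed /proc tree;
# on a live system it defaults to /proc (run under sudo for other users' processes).
PROC_ROOT="${PROC_ROOT:-/proc}"

# cmdline is NUL-separated; turn it into a readable command line.
proc_cmdline() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ *$//'
}

# environ is NUL-separated as well; print one VAR=value per line.
proc_environ() {
    tr '\0' '\n' < "$PROC_ROOT/$1/environ"
}

# task/<pid>/children lists the direct child PIDs, space-separated.
proc_children() {
    cat "$PROC_ROOT/$1/task/$1/children"
}

# Pull a single field (e.g. Name, PPid, Uid) out of the status file.
proc_status_field() {
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' \
        "$PROC_ROOT/$1/status"
}

# net/arp: print "ip mac" for every neighbour, skipping the header line
# and incomplete entries (all-zero MAC).
proc_arp_table() {
    awk 'NR > 1 && $4 != "00:00:00:00:00:00" { print $1, $4 }' "$PROC_ROOT/net/arp"
}

# One-shot triage report for a PID, in the order the notes walk through it.
triage_pid() {
    pid="$1"
    echo "== PID $pid"
    echo "exe:      $(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null || echo '(unreadable)')"
    echo "name:     $(proc_status_field "$pid" Name)"
    echo "ppid:     $(proc_status_field "$pid" PPid)"
    echo "cmdline:  $(proc_cmdline "$pid")"
    echo "children: $(proc_children "$pid" 2>/dev/null)"
    echo "environ:"
    proc_environ "$pid" 2>/dev/null | sed 's/^/  /'
    echo "arp neighbours:"
    proc_arp_table 2>/dev/null | sed 's/^/  /'
}

# Usage on a live system, with the PID found via netstat/lsof in the notes:
#   sudo sh -c '. ./triage.sh; triage_pid 2082'
```

The report mirrors the notes: exe and cmdline tell you what was actually launched (a legitimate interpreter running an unexpected script shows up here), children and PPid place the process in the tree, environ often carries the working directory or variables the launcher set, and the ARP table shows which neighbours the host has talked to.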
Magnet webinar on Linux Forensics