
Debugfs

Case 4. Compromised Apache Server

A compromised Apache web server running a Drupal application used by a local team. Unusual activity was noticed between 05/10 and 08/10/19.

You need to preserve evidence, and some commands alter artifacts as a side effect: walking the tree with find, for example, updates directory access times. Disable access-time updates before looking around (mount the evidence read-only and with noatime, e.g. mount -o ro,noatime,noexec).

User activity: check /etc/passwd for added or modified accounts, then pull the inode's full timestamp set (including crtime, which stat(1) does not show) straight from the ext4 metadata with debugfs: sudo debugfs -R 'stat <1835260>' /dev/....


Checking groups: tail -n 4 /etc/group shows the most recently appended groups, and grep -E 'mail|php' /etc/group shows which accounts were put into the mail and php groups.
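The account and group checks above, scripted so they can be run against a read-only mounted image instead of typed one grep at a time. This is an added example, not part of the original case notes: the /etc/passwd and /etc/group contents below are constructed sample data, the account names (sysadm, drupal) are hypothetical, and the heuristics (a second UID 0 account, a system account with an interactive shell) are common triage checks, not findings from this case.

```sh
#!/bin/sh
# Triage of /etc/passwd and /etc/group from a compromised host.
# Against real evidence, mount the image read-only with access times
# disabled first, e.g.:
#   mount -o ro,noatime,noexec,loop evidence.img /mnt/evidence
# and then feed /mnt/evidence/etc/passwd and /mnt/evidence/etc/group
# into the functions below.

# Constructed sample /etc/passwd (not from the case). Two planted oddities:
# www-data has an interactive shell, and "sysadm" is a second UID 0 account.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
mysql:x:110:118:MySQL Server,,,:/nonexistent:/bin/false
drupal:x:1000:1000:drupal:/home/drupal:/bin/bash
sysadm:x:0:0::/root:/bin/bash'

# Constructed sample /etc/group (not from the case).
GROUP_SAMPLE='root:x:0:
mail:x:8:
sudo:x:27:drupal
php:x:1001:www-data,drupal
docker:x:999:'

# flag_suspicious_accounts: reads passwd lines on stdin and prints one
# line per hit: "<reason> <user> <uid> <shell>".
#   uid0     - a UID 0 account that is not root (a planted superuser)
#   sysshell - a system account (0 < UID < 1000) whose shell is not a
#              nologin/false placeholder, e.g. www-data given /bin/bash
flag_suspicious_accounts() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid0 " $1 " " $3 " " $7 }
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ {
            print "sysshell " $1 " " $3 " " $7
        }
    '
}

# group_members PATTERN: reads group lines on stdin and prints
# "<group>:<members>" for every group whose name matches the ERE PATTERN,
# the scripted form of: grep -E "mail|php" /etc/group
group_members() {
    awk -F: -v pat="$1" '$1 ~ pat { print $1 ":" $4 }'
}

# last_entries N: the scripted form of "tail -n N /etc/group", i.e. the
# most recently appended entries, where planted accounts/groups usually end up.
last_entries() {
    tail -n "$1"
}

# Stand-alone run on the constructed samples.
echo "== suspicious accounts =="
printf '%s\n' "$PASSWD_SAMPLE" | flag_suspicious_accounts
echo "== members of mail/php groups =="
printf '%s\n' "$GROUP_SAMPLE" | group_members 'mail|php'
echo "== last 4 group entries =="
printf '%s\n' "$GROUP_SAMPLE" | last_entries 4
```

The functions read stdin so they work equally on a live system (`flag_suspicious_accounts < /etc/passwd`), on a mounted evidence image, or on files copied out with debugfs (`debugfs -R 'cat /etc/passwd' /dev/...`), which avoids touching the filesystem's timestamps at all.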