
Lsof

Case 1. IP Theft Linux Investigation

Nearly all of the company's IP (intellectual property) has been recreated by a competitor. Investigate the development machine.

Potential data exfiltration.

  1. netstat -lpeanut shows that two DHCP clients are running, one of them on an unusual port and under an unusual user:


  2. ps aux | grep 40500 or ps aux | grep dhclient shows the running processes and, often, the command lines used to start them. The suspicious client was launched from the /tmp folder:


  3. ls -la /tmp/ to look for the file that was launched, but there is nothing there. It seems the file was deleted after it was started:


Case 3. Yet Another Linux Investigation

  1. Running netstat shows a suspicious python script with an established connection to a remote host:


  2. Identify the executable: lsof -p 2082 and ps aux | grep 2082.


  3. Check the /tmp/ folder for a backdoor executable.
  4. Check /proc/2082 and list its contents with ls:


  5. Since the executable is a legitimate python interpreter, we need to dig further. Inside /proc/2082, sudo cat cmdline shows the command used to launch the process, cat task/2082/children shows the child PIDs, sudo cat status shows general process information, cat environ shows … , and cat net/arp shows the MAC addresses of the machines it has been in contact with:

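The /proc walk from both cases, collected into one POSIX shell triage function. This is an added example, not part of the original notes; the indicator names, the list of staging directories and the classification logic are my own assumptions, and the PID is supplied by the caller.

```shell
#!/bin/sh
# classify_exe_path PATH: print one indicator per line for a /proc/PID/exe link target.
# "(deleted)" means the binary was unlinked after launch (Case 1); a path under a
# world-writable directory is a common staging location; an interpreter binary is
# legitimate on its own, so the interesting part is cmdline (Case 3).
classify_exe_path() {
    case "$1" in *' (deleted)') echo "EXE_DELETED" ;; esac
    case "$1" in /tmp/*|/dev/shm/*|/var/tmp/*) echo "EXE_IN_TMP" ;; esac
    case "$1" in */python*|*/perl*|*/bash|*/sh) echo "INTERPRETER" ;; esac
}

# proc_triage PID: print a report; return 0 if any indicator fired, 1 if none, 2 if no such PID.
proc_triage() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 2; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    # cmdline and environ are NUL-separated; plain cat runs the fields together
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    env_keys=$(tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null | cut -d= -f1 | tr '\n' ' ')
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    children=$(cat "/proc/$pid/task/$pid/children" 2>/dev/null)
    # ARP table as seen from this process's network namespace (header line skipped)
    arp_entries=$(tail -n +2 "/proc/$pid/net/arp" 2>/dev/null | wc -l)
    echo "pid=$pid uid=$uid ppid=$ppid"
    echo "exe=$exe"
    echo "cwd=$cwd"
    echo "cmd=$cmd"
    echo "children=${children:-none}"
    echo "env_keys=$env_keys"      # names only; values may hold credentials
    echo "arp_entries=$arp_entries"
    indicators=$(classify_exe_path "$exe" | tr '\n' ' ')
    case "$cwd" in /tmp|/tmp/*|/dev/shm|/dev/shm/*|/var/tmp|/var/tmp/*)
        indicators="${indicators}CWD_IN_TMP " ;;
    esac
    if [ -n "$indicators" ]; then
        echo "indicators: $indicators"
        return 0
    fi
    echo "indicators: none"
    return 1
}
```

Run it as proc_triage 2082 on the live box; a deleted exe link still lets you copy the original binary out of /proc/PID/exe before the process exits.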