Tags: forensics
Rating:
It looks like the attacker has somehow found a way to set up persistence. We need to find out how.
Perhaps the most common tactic that attackers use to set up persistence on a *NIX machine is cron, the time-based job scheduler. All we need to do is check which crontabs are present on the image and what they run.
First, let's mount the filesystem.
$ sudo mkdir /mnt/5_persistence
$ sudo mount -o loop filesystem.image /mnt/5_persistence
$ cd /mnt/5_persistence
Now, let's go ahead and check for crontabs. The spool directory is only readable by root, so we need a root shell to navigate inside it. No worries: we can run sudo with the -i switch.
$ sudo -i
# cd /mnt/5_persistence/var/spool/cron/crontabs
# ls
# cat root
The first two columns (minute, then hour) tell us the time that this job runs: 0230. The last field of the row tells us what's being run. It looks like a script in /root. Let's go ahead and navigate to that.
# cd /mnt/5_persistence/root/
# ls
# cat backup.sh
It adds a new user called devtest2 and adds that user to the group sudoers. The md5sum of this script is 29ff58b6607c824451349183a570cc6c.
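The same triage (list the jobs in each crontab, read the schedule and the command, resolve the script on the mounted image, hash it, and flag anything that touches user accounts) can be scripted so it runs over every crontab on an image rather than one at a time. The following is an added example written for this writeup, not a tool from the challenge; it assumes the image is mounted at a path you pass on the command line (such as /mnt/5_persistence) and that user crontabs live under var/spool/cron/crontabs as on Debian-style systems. The crontab text and the backup.sh used by demo() are constructed stand-ins, and the md5 it prints is of that stand-in, not of the challenge file.

```python
#!/usr/bin/env python3
"""Triage user crontabs on a mounted disk image (added example, not part of the writeup)."""
import hashlib
import os
import re
import sys
import tempfile

# Constructed sample crontab, in the usual format: minute hour dom mon dow command.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
30 2 * * * /root/backup.sh
*/15 * * * * /usr/bin/some-legit-job --quiet
@reboot /tmp/.x/run
"""

CRON_FIELDS = 5
# Tokens worth a second look in a scheduled script: account changes, SSH keys, world-writable dirs.
SUSPICIOUS = re.compile(r"\b(useradd|adduser|usermod|sudoers|authorized_keys|/tmp/|/dev/shm/)")


def parse_crontab(text):
    """Return (schedule, command) tuples, skipping blank lines, comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):  # environment assignment, not a job
            continue
        if line.startswith("@"):  # @reboot, @daily and friends have a single schedule token
            sched, _, cmd = line.partition(" ")
            entries.append((sched, cmd.strip()))
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) < CRON_FIELDS + 1:
            continue  # malformed line; cron would reject it too
        entries.append((" ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]))
    return entries


def describe_time(schedule):
    """Render the first two fields (minute, hour) as HHMM when both are fixed numbers."""
    fields = schedule.split()
    if len(fields) >= 2 and fields[0].isdigit() and fields[1].isdigit():
        return f"{int(fields[1]):02d}{int(fields[0]):02d}"
    return schedule  # wildcards or @-schedules are returned as written


def script_path(command):
    """The first token of the command is what cron hands to the shell to execute."""
    tokens = command.split()
    return tokens[0] if tokens else ""


def triage(crontab_text, mount_root):
    """Resolve each job's script inside the mounted image, md5 it, and flag account changes."""
    findings = []
    for sched, cmd in parse_crontab(crontab_text):
        on_image = os.path.join(mount_root, script_path(cmd).lstrip("/"))
        digest, flagged = None, False
        if os.path.isfile(on_image):
            with open(on_image, "rb") as fh:
                data = fh.read()
            digest = hashlib.md5(data).hexdigest()  # matches the md5sum command's output
            flagged = bool(SUSPICIOUS.search(data.decode("utf-8", "replace")))
        findings.append({"time": describe_time(sched), "command": cmd,
                         "script": on_image, "md5": digest, "suspicious": flagged})
    return findings


def demo():
    """Build a tiny constructed image tree in a temp dir and triage SAMPLE_CRONTAB against it."""
    root = tempfile.mkdtemp(prefix="5_persistence_")
    os.makedirs(os.path.join(root, "root"))
    with open(os.path.join(root, "root", "backup.sh"), "w") as fh:
        # Constructed stand-in for the script the writeup describes; not the challenge file.
        fh.write("#!/bin/sh\nuseradd -m devtest2\nusermod -aG sudo devtest2\n")
    return triage(SAMPLE_CRONTAB, root)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 cron_triage.py /mnt/5_persistence
        mount_root = sys.argv[1]
        spool = os.path.join(mount_root, "var/spool/cron/crontabs")
        for name in sorted(os.listdir(spool)):
            with open(os.path.join(spool, name)) as fh:
                for finding in triage(fh.read(), mount_root):
                    print(name, finding)
    else:
        for finding in demo():
            print(finding)
```

Run it with the mount point as its only argument to walk every user's crontab on the image; run it without arguments to see the constructed demo, where the /root/backup.sh entry comes back with time 0230 and the suspicious flag set because the script calls useradd and usermod. Only the first token of each command is hashed, so a job that runs an interpreter on a script (sh /root/x.sh) will hash the interpreter rather than the script and needs a manual look.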