Tags: forensics
Rating:
# 5_persistence
It looks like the attacker has somehow found a way to set up persistence. We need to find out how.
One of the most common ways attackers set up persistence on a *NIX machine is through cron, the time-based job scheduler. All we need to do is look at which crontabs are installed on the image. The per-user crontabs live in `/var/spool/cron/crontabs`; the system-wide ones in `/etc/crontab` and `/etc/cron.d` are worth a look too.
First, let's mount the filesystem.
```
$ sudo mkdir /mnt/5_persistence
$ sudo mount -o loop filesystem.image /mnt/5_persistence
$ cd /mnt/5_persistence
```
Now let's check for crontabs. The spool directory is readable only by root, so we need a root shell to navigate into it. No worries: `sudo -i` gives us one.
```
$ sudo -i
# cd /mnt/5_persistence/var/spool/cron/crontabs
# ls
# cat root
```
The first five fields of a crontab entry are the schedule (minute, hour, day of month, month, day of week); the first two tell us this job fires at `0230`. The rest of the line is the command being run, which here is a script in `/root`. Let's go and look at it.
```
# cd /mnt/5_persistence/root/
# ls
# cat backup.sh
```
The script adds a new user called `devtest2` and puts it in the `sudoers` group. Running `md5sum backup.sh` gives `29ff58b6607c824451349183a570cc6c`.
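To take the cron check a step further, here is an added example script that is not part of the original write-up or the challenge's own files. Pointed at the mount root, it walks the per-user spool as well as `/etc/crontab` and `/etc/cron.d`, prints each job's minute, hour, user and command (including `@reboot`-style entries, a favourite of persistence scripts, which the manual `cat root` above would show but which have no minute/hour fields), and hashes every absolute-path script a job references, so a finding like `/root/backup.sh` falls out automatically. The cron layout it assumes is the Debian/Ubuntu one; the sample tree it builds when run without an argument is constructed data, with a stand-in `backup.sh` whose contents are made up.

```shell
#!/usr/bin/env bash
# cron_triage.sh: enumerate cron jobs on an offline, mounted filesystem image
# and hash every script they point at. Added example, not from the write-up.
# Assumes the Debian/Ubuntu cron layout: per-user crontabs in
# /var/spool/cron/crontabs, system-wide ones in /etc/crontab and /etc/cron.d.
set -u

# awk program shared by both crontab flavours. sys=1 means the file carries a
# user field after the schedule (system crontabs); sys=0 means the owning user
# is the file name (per-user spool). Prints: source|minute|hour|user|command
cron_awk='
  NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
  $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }      # SHELL=, PATH=, MAILTO=, ...
  {
    if ($1 ~ /^@/) { min = $1; hour = "-"; n = 1 }   # @reboot, @daily: one field
    else           { min = $1; hour = $2; n = 5 }    # minute hour dom mon dow
    if (sys) { user = $(n + 1); n++ }                # system files: user column
    cmd = $(n + 1)
    for (i = n + 2; i <= NF; i++) cmd = cmd " " $i
    printf "%s|%s|%s|%s|%s\n", src, min, hour, user, cmd
  }'

# Print one record per job found under the mount root given as $1.
list_cron_jobs() {
    local root=$1 f
    for f in "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        awk -v sys=0 -v src="${f#$root}" -v user="$(basename "$f")" "$cron_awk" "$f"
    done
    for f in "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        awk -v sys=1 -v src="${f#$root}" -v user= "$cron_awk" "$f"
    done
}

# For every job whose command starts with an absolute path that exists inside
# the image, print path|md5 so the file can be compared against known hashes.
hash_job_targets() {
    local root=$1 src min hour user cmd prog
    list_cron_jobs "$root" | while IFS='|' read -r src min hour user cmd; do
        prog=${cmd%% *}                       # first word of the command
        if [ "${prog#/}" != "$prog" ] && [ -f "$root$prog" ]; then
            printf '%s|%s\n' "$prog" "$(md5sum "$root$prog" | cut -d' ' -f1)"
        fi
    done
}

# Constructed sample tree (hypothetical data) so the example runs offline.
make_sample_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/var/spool/cron/crontabs" "$root/etc/cron.d" "$root/root"
    printf '# m h dom mon dow command\n30 2 * * * /root/backup.sh\n@reboot /tmp/.x/run.sh\n' \
        > "$root/var/spool/cron/crontabs/root"
    printf 'SHELL=/bin/sh\n0 */6 * * * root /usr/local/bin/cleanup.sh\n' \
        > "$root/etc/cron.d/cleanup"
    printf '#!/bin/sh\nuseradd -m devtest2\n' > "$root/root/backup.sh"   # stand-in script
    printf '%s\n' "$root"
}

# Usage: cron_triage.sh /mnt/5_persistence ; with no argument, use the sample tree.
target=${1:-$(make_sample_root)}
list_cron_jobs "$target"
hash_job_targets "$target"
```

Run it as root after mounting (`sudo sh cron_triage.sh /mnt/5_persistence`), since the spool directory is not readable otherwise. Commands that are not a bare absolute path (`sh -c ...`, relative names resolved through `PATH`) still show up in the job listing but are not hashed, so read that listing rather than relying on the hash output alone.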