dEEpEst Posted September 21, 2023

When investigating a suspicious process on Linux, try this:

[hidden content]

For example, a socat command was used to spawn a reverse bindshell backdoor. Environ entry shows SSH connection data and traces to the socat command. Some versions of netcat do similar. Many attackers do not wipe their process environment and this can leave behind high fidelity forensics to help investigate. Many programs leave really obvious data in the process environment. It's there for the asking on Linux.

[hidden content: two attachments]
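The post's own command is hidden, so here is an added example (not the author's, and not what the hidden content contains) of the triage it describes: read /proc/<pid>/environ, which procfs exposes as NUL-separated KEY=VALUE pairs captured at exec time, split it into a dictionary, and pull out the variables that reveal how the process was launched. The list of "interesting" variable names and the sample environ blob are constructed for illustration; SSH_CONNECTION and SSH_CLIENT are the variables OpenSSH sets, and `_` is the launching shell's record of the last executed command. Run it with a PID as the argument to read a live process (requires the same uid or root), or with no argument to parse the embedded sample offline.

```python
"""Dump and triage a Linux process environment from /proc/<pid>/environ.

Added example for the forum post above; it is not the poster's hidden command.
/proc/<pid>/environ holds NUL-separated KEY=VALUE pairs as they were at exec.
The INTERESTING list and SAMPLE_ENVIRON below are constructed for this demo.
"""
import sys

# Variables that commonly reveal how a process was started (assumed list).
INTERESTING = (
    "SSH_CONNECTION",  # client_ip client_port server_ip server_port
    "SSH_CLIENT",
    "SSH_TTY",
    "SUDO_USER",
    "SUDO_COMMAND",
    "PWD",
    "OLDPWD",
    "_",               # last command run by the shell that launched the process
    "SHELL",
    "LOGNAME",
    "USER",
)

# Constructed sample: what environ might look like for a tool spawned over SSH.
SAMPLE_ENVIRON = (
    b"SHELL=/bin/bash\0"
    b"SSH_CLIENT=192.0.2.10 51522 22\0"
    b"SSH_CONNECTION=192.0.2.10 51522 198.51.100.5 22\0"
    b"USER=www-data\0"
    b"PWD=/tmp\0"
    b"SSH_TTY=/dev/pts/3\0"
    b"_=/usr/bin/socat\0"
    b"HOME=/var/www\0"
    b"LANG=C.UTF-8\0"
)


def parse_environ(raw: bytes) -> dict:
    """Split a raw environ blob into a dict.

    Entries are NUL-terminated; a value may itself contain '=', so split on
    the first one only. Undecodable bytes are preserved via surrogateescape
    rather than dropped, and an entry without '=' is kept with an empty value
    so that nothing in the evidence is silently lost."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        k = key.decode("utf-8", "surrogateescape")
        env[k] = value.decode("utf-8", "surrogateescape") if sep else ""
    return env


def triage(env: dict) -> dict:
    """Return only the variables worth a first look, in INTERESTING order."""
    return {k: env[k] for k in INTERESTING if k in env}


def ssh_origin(env: dict):
    """Return (client_ip, client_port, server_ip, server_port) parsed from
    SSH_CONNECTION, or None if the process was not started over SSH."""
    parts = env.get("SSH_CONNECTION", "").split()
    if len(parts) != 4:
        return None
    return parts[0], int(parts[1]), parts[2], int(parts[3])


def read_proc_environ(pid: int) -> bytes:
    """Read the live environ of a process. Needs the same uid or root; the
    file reads as empty for a zombie or if the process overwrote the region."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return f.read()


if __name__ == "__main__":
    raw = read_proc_environ(int(sys.argv[1])) if len(sys.argv) == 2 else SAMPLE_ENVIRON
    env = parse_environ(raw)
    for key, val in triage(env).items():
        print(f"{key}={val}")
    origin = ssh_origin(env)
    if origin:
        print(f"launched over SSH from {origin[0]}:{origin[1]} to {origin[2]}:{origin[3]}")
```

The same parsing applies to a memory image or a copied `environ` file from a triage bundle, since the function takes raw bytes; an empty result is itself a finding, because a live, non-zombie process whose environ reads back as empty has had it wiped.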