0

What is the best course of action when you discover that a non-administrator Linux account has gotten owned, and a single foreign process is running, making all sorts of networking connections?

For example, how would one take a complete snapshot of the process for future analysis?

Take into consideration that the executable itself might have been deleted, so, even the binary itself you'd have to find through an inode with something like debugfs, but there's also the question of preserving other evidence.

cnst
  • 1,884
  • 2
  • 19
  • 30

1 Answer

2

Assuming the root account has not been compromised (and this is not a good assumption -- the attacker may have used a privilege escalation attack without leaving traces), you can trust the log files and the system utilities. In this case, I'd dump the program memory for analysis (e.g. by triggering a core dump), archive the user's files and the temporary directories, and then wipe the user's account and files and restore from backup.

The technical details are better suited for a site such as Unix SE.

Mark
  • 34,390
  • 9
  • 85
  • 134
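The snapshot the question asks for and the memory dump the answer recommends, as an added example that is not part of the original question or answer. The script below is a hypothetical `collect_process_evidence` helper, assumed to run on a Linux host with `/proc` mounted, as the owning user or root; `ss`, `gcore` (from gdb) and `sha256sum` are used only when present, and the `EVIDENCE_SKIP_CORE` variable is an assumed opt-out for the core dump. It copies the binary through `/proc/<pid>/exe` (which stays readable after the file on disk was unlinked, avoiding the debugfs hunt the question mentions), records command line, environment, memory map, open descriptors and sockets, then hashes the collection. Everything it reads comes from the kernel, so it carries the answer's caveat: if root is compromised, `/proc` itself may lie.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Assumes Linux with /proc mounted.
# Usage: collect_process_evidence <pid> <output-dir>
# Set EVIDENCE_SKIP_CORE=1 to skip the gcore memory dump (assumed variable name).

collect_process_evidence() {
    pid="$1"
    out="$2"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out"

    # Who collected what, when, on which host (basic chain of custody).
    { date -u; id; uname -a; } > "$out/collection_info.txt" 2>/dev/null || true

    # The executable: the /proc link still resolves after the file was deleted,
    # so copy through it rather than trusting the path it points at.
    readlink "/proc/$pid/exe" > "$out/exe_path.txt" 2>/dev/null || true
    cat "/proc/$pid/exe" > "$out/exe.bin" 2>/dev/null \
        || echo "exe not readable" >> "$out/errors.txt"

    # Command line and environment are NUL-separated; turn them into lines.
    tr '\0' '\n' < "/proc/$pid/cmdline" > "$out/cmdline.txt" 2>/dev/null || true
    tr '\0' '\n' < "/proc/$pid/environ" > "$out/environ.txt" 2>/dev/null || true

    # Memory layout, kernel-side status, working directory, open descriptors.
    cat "/proc/$pid/maps" > "$out/maps.txt" 2>/dev/null || true
    cat "/proc/$pid/status" > "$out/status.txt" 2>/dev/null || true
    readlink "/proc/$pid/cwd" > "$out/cwd.txt" 2>/dev/null || true
    ls -l "/proc/$pid/fd" > "$out/fd.txt" 2>/dev/null || true

    # Sockets owned by this pid (the "all sorts of connections" in the question).
    if command -v ss >/dev/null 2>&1; then
        ss -tunap 2>/dev/null | grep "pid=$pid," > "$out/sockets.txt" || true
    fi

    # Full memory image via gdb's gcore; needs ptrace rights over the target.
    if [ -z "$EVIDENCE_SKIP_CORE" ] && command -v gcore >/dev/null 2>&1; then
        gcore -o "$out/core" "$pid" >/dev/null 2>&1 \
            || echo "gcore failed" >> "$out/errors.txt"
    fi

    # Hash the collection so later tampering with the evidence is detectable.
    if command -v sha256sum >/dev/null 2>&1; then
        ( cd "$out" && sha256sum * ) > "$out.sha256" 2>/dev/null || true
    fi
    echo "$out"
}

# Stand-alone use: collect_process_evidence "$(pgrep -f suspicious)" /root/evidence/case1
```

Run it before killing the process or wiping the account, since `/proc/<pid>` disappears with the process; the user's home and temporary directories are then archived separately, as the answer describes.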