#kolide

blink

06/06/2018, 6:19 PM
I think ss and netstat just look at procfs, gonna see how osquery does it
6:24 PM
So osquery does the same (parses procfs). So it seems like the rootkit only patches the utilities and not the kernel.
6:25 PM
{
  "family": 2,
  "fd": 3,
  "local_address": "45.55.41.97",
  "local_port": 22,
  "net_namespace": 4026531957,
  "path": "",
  "pid": 29831,
  "protocol": 6,
  "remote_address": "128.199.169.146",
  "remote_port": 42266,
  "socket": 32357509,
  "state": "ESTABLISHED"
}
6:26 PM
That remote address is on a list of known malicious hosts.
zwass

06/06/2018, 6:26 PM
yikes
blink

06/06/2018, 6:28 PM
No activity in /var/log/auth or in who/last.