# kolide
b
i think ss and netstat just look at procfs, gonna see how osquery does it
so osquery does the same (parses procfs). so it seems like the rootkit only patches the utilities and not the kernel.
{
  "family": 2,
  "fd": 3,
  "local_address": "45.55.41.97",
  "local_port": 22,
  "net_namespace": 4026531957,
  "path": "",
  "pid": 29831,
  "protocol": 6,
  "remote_address": "128.199.169.146",
  "remote_port": 42266,
  "socket": 32357509,
  "state": "ESTABLISHED"
}
That remote address is on a list of known malicious hosts.
z
yikes
b
no activity in /var/log/auth or in `who`/`last`