#kolide

blink

06/06/2018, 6:19 PM
I think ss and netstat just look at procfs, gonna see how osquery does it
So osquery does the same (parses procfs). So it seems like the rootkit only patches the utilities and not the kernel.
{
  "family": 2,
  "fd": 3,
  "local_address": "45.55.41.97",
  "local_port": 22,
  "net_namespace": 4026531957,
  "path": "",
  "pid": 29831,
  "protocol": 6,
  "remote_address": "128.199.169.146",
  "remote_port": 42266,
  "socket": 32357509,
  "state": "ESTABLISHED"
}
That remote address is on a list of known malicious hosts.

zwass

06/06/2018, 6:26 PM
yikes

blink

06/06/2018, 6:28 PM
no activity in /var/log/auth or in `who`/`last`