Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
blink
06/06/2018, 6:19 PMi think ss and netstat just look at procfs, gonna see how osquery does it
so osquery does the same (parses procfs). so it seems like the rootkit only patches the utilities and not the kernel.
{
"family": 2,
"fd": 3,
"local_address": "45.55.41.97",
"local_port": 22,
"net_namespace": 4026531957,
"path": "",
"pid": 29831,
"protocol": 6,
"remote_address": "128.199.169.146",
"remote_port": 42266,
"socket": 32357509,
"state": "ESTABLISHED"
}That remote address is on a list of known malicious hosts.
z
zwass
06/06/2018, 6:26 PMyikes
b
blink
06/06/2018, 6:28 PMno activity in /var/log/auth or in `who`/`last`