← Back to context

Comment by bananamogul

17 hours ago

“To be continued.”

This was published in 2021 but apparently never continued.

2 comments

bananamogul

Reply
normie3000  16 hours ago

Cue spooky music.

  • Joel_Mckay  16 hours ago

    1. power off using switch

    2. boot from immutable live system

    3. sudo mkdir -p /mnt/sus/infected

    4. sudo ddrescue -d -f /dev/sda /mnt/sus/sus.img /mnt/sus/sus.log

    5. sudo kpartx -l /mnt/sus/sus.img

    6. sudo kpartx -av /mnt/sus/sus.img

    7. sudo mount -o loop /dev/mapper/loop0p2 /mnt/sus/infected

    8. sudo debsums -sac -r /mnt/sus/infected

    9. sudo umount /dev/mapper/loop0p2

    10. sudo kpartx -d /mnt/sus/sus.img

    11. Submit infected binaries in zip.vir file for forensic de-compilation, and ascertain how payload was dropped.

    Every once in a awhile these things happen. Better to redeploy a new clean OS container on the host, and dump the traffic with a remote live packet capture.

    Repeat as necessary. =3