We covered an incident response scenario from HackTheBox named PersistenceFutile, in which we went over an infected Linux machine and were required to remediate and clean up every indication of persistence and privilege escalation. We checked the bash history, crontabs, running processes and SUID-bit binaries to remove all indicators of compromise, including reverse shells, backdoors and unknown binaries.
Hackers made it onto one of our production servers 😅. We’ve isolated it from the internet until we can clean the machine up. The IR team reported eight different backdoors on the server, but didn’t say what they were and we can’t get in touch with them. We need to get this server back into prod ASAP – we’re losing money every second it’s down. Please find the eight backdoors (both remote access and privilege escalation) and remove them. Once you’re done, run /root/solveme as root to check. You have SSH access and sudo rights to the box with the connection details attached below.
The locations we checked to remove malware and persistence were:
- Bash history for both the user and root accounts: we removed a reverse shell and a listener named alertd.
- Crontabs: we removed pyssh and access-up from cron.daily and removed the cron file under /var/spool/cron/crontabs/user.
- Running processes: we killed the connectivity-check process and removed all of its associated files and binaries.
- The user database /etc/passwd: we disabled the login shell of the user gnats and set its group ID to 41.
- SUID-bit binaries: we removed 6 binaries.
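The same checks as a small set of POSIX shell triage helpers, one per location in the list above. This is example code added to this writeup, not the challenge's files or the original author's commands; the function names, the baseline-file format and the sample paths in the comments are assumptions.

```shell
#!/bin/sh
# Triage helpers for the persistence locations listed above (example code
# written for this writeup, not from the HackTheBox challenge). Each function
# takes the file or directory to inspect as an argument, so it can also be
# pointed at a mounted image or a copy of the evidence.

# Accounts that should never be able to log in: anything besides root with
# UID or GID 0, and system accounts (UID < 1000) that still have a real shell.
suspicious_accounts() {   # usage: suspicious_accounts /etc/passwd
    awk -F: '
        $1 == "root" { next }
        $3 == 0 || $4 == 0 { print "uid/gid 0: " $1 " (" $3 ":" $4 ")"; next }
        $3 < 1000 && $7 !~ /(nologin|false)$/ {
            print "system account with shell: " $1 " (" $7 ")" }
    ' "$1"
}

# Every SUID file under a tree (stay on one filesystem, skip unreadable paths).
suid_files() {            # usage: suid_files /
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# SUID files missing from a known-good baseline (one absolute path per line,
# e.g. the list from a clean install of the same distribution release).
unexpected_suid() {       # usage: unexpected_suid / baseline.txt
    suid_files "$1" | grep -vxF -f "$2"
}

# Active (non-comment, non-empty) lines of every file under the given paths,
# prefixed with the file name. For crontab files that is the schedule; for
# run-parts directories such as cron.daily it prints each dropped-in script's
# body, which is exactly what needs eyeballing.
cron_entries() {          # usage: cron_entries /etc/crontab /etc/cron.d /etc/cron.daily
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f 2>/dev/null | while read -r f; do
            grep -Ev '^[[:space:]]*(#|$)' "$f" | awk -v f="$f" '{ print f ": " $0 }'
        done
    done
}

# Run all three against the live system: ./triage.sh --run [suid-baseline.txt]
if [ "${1:-}" = "--run" ]; then
    suspicious_accounts /etc/passwd
    unexpected_suid / "${2:-/dev/null}"
    cron_entries /etc/crontab /etc/cron.d /etc/cron.daily /var/spool/cron/crontabs
fi
```

Without a baseline every SUID file is printed, which is still a short enough list on a server to compare by hand against the package manager's view (for example `dpkg -S` on each path).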