Author: AMD

This is a writeup for the Disgruntled room.
Nothing suspicious… so far.
Let's start by looking at the sudoers list (/etc/sudoers and any drop-ins under /etc/sudoers.d/):
Let's look at the bash history (~/.bash_history) of each user.
We found the installed package; now let's find the command that installed it by looking at the authentication logs (/var/log/auth.log), where sudo records every elevated command.
Let's see if you did anything bad
Let's search the auth log for the adduser command.
Let's search for the visudo command.
Let's search for the vi command.
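The three searches above are the same operation with a different program name, so here they are as one script. This is an added example, not part of the original writeup: it pulls the sudo COMMAND= entries out of a constructed auth.log sample and filters them by the program's basename, so that searching for "vi" does not also match visudo or vim. The host name, user names, timestamps and paths in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original writeup. AUTH_SAMPLE is a constructed
# auth.log excerpt; "alice", "host", the times and the paths are hypothetical.
AUTH_SAMPLE='Dec 28 06:17:30 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install somepkg
Dec 28 06:18:02 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:19:45 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:20:10 host sshd[1201]: Accepted password for it-admin from 10.0.0.5 port 51222 ssh2
Dec 28 06:21:33 host sudo: it-admin : TTY=pts/1 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi /tmp/draft.sh
'

# sudo_commands LOGTEXT PROG
# Print one "time|user|command" line for every sudo entry whose COMMAND=
# program basename is exactly PROG. The optional "([^ ]*/)?" swallows the
# directory part, and "( |$)" requires PROG to end there, so PROG=vi matches
# /usr/bin/vi but not /usr/sbin/visudo.
sudo_commands() {
    printf '%s\n' "$1" \
        | grep -E "sudo: +[^ ]+ : .*COMMAND=([^ ]*/)?$2( |\$)" \
        | sed -E 's/^([A-Za-z]{3} +[0-9]+ [0-9:]+) [^ ]+ sudo: +([^ ]+) .*COMMAND=(.*)$/\1|\2|\3/'
}

# sudo_timeline LOGTEXT
# Every sudo command in log order, regardless of program name.
sudo_timeline() {
    sudo_commands "$1" '[^ /]+'
}

# Run against the constructed sample the way the writeup greps the real log.
# On a live system replace "$AUTH_SAMPLE" with "$(cat /var/log/auth.log)".
for prog in adduser visudo vi; do
    echo "== $prog =="
    sudo_commands "$AUTH_SAMPLE" "$prog"
done
echo "== all sudo commands =="
sudo_timeline "$AUTH_SAMPLE"
```

The timeline output is the part worth keeping in the notes: reading the sudo entries in order shows who created the new account, who edited sudoers, and what was edited with vi, with the timestamps needed for the later questions.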
Bomb has been planted. But when and where?
Let's check out the bash history of it-admin.
We can see that the vi text editor was used. vi can write the buffer it is editing to a different path than the file it opened (":w /some/other/file"), and vim records recently edited files, marks and command-line history in ~/.viminfo, so the real destination shows up there. Let's check it with "cat /home/it-admin/.viminfo".
Let's use ls -la --full-time on that file; unlike plain ls -l, --full-time prints the complete modification timestamp, which is the answer.
Let's read os-update.sh.
Following the fuse
To find the trigger time we need to check the cron jobs (the user crontabs, /etc/crontab and /etc/cron.d/).
We need to turn the schedule into a time. We can use "https://crontab.cronhub.io/", or read the five fields directly: minute, hour, day of month, month, day of week (0 or 7 = Sunday). In /etc/crontab and /etc/cron.d/ entries the schedule is followed by the user the job runs as and then the command.
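For an offline box the conversion can be done in the shell. This is an added example, not part of the original writeup: it parses a constructed /etc/crontab-style file (schedule, user, command on each line) and renders each plain schedule as text. The sample crontab, its user names and the path given for os-update.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original writeup. CRONTAB_SAMPLE is a constructed
# system-crontab excerpt; the script path and the "backup" user are made up.
CRONTAB_SAMPLE='# constructed sample, not from the room
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  8    * * 1   root    /usr/local/bin/os-update.sh
30 2    1 * *   backup  /usr/local/bin/rotate.sh
'

# cron_describe MIN HOUR DOM MON DOW
# Render the five schedule fields as text. Only plain fields ("*" or a single
# number) are interpreted; ranges, lists, steps and names are echoed back
# unchanged rather than guessed at.
cron_describe() {
    case "$1$2$3$4$5" in
        *[!0-9*]*) echo "schedule $1 $2 $3 $4 $5 (not a plain field set)"; return 0 ;;
    esac
    if [ "$1" = '*' ] && [ "$2" = '*' ]; then when="every minute"
    elif [ "$2" = '*' ]; then when="at minute $1 of every hour"
    else when=$(printf 'at %02d:%02d' "$2" "$1")
    fi
    if [ "$3" = '*' ] && [ "$4" = '*' ] && [ "$5" = '*' ]; then days="every day"
    elif [ "$5" != '*' ] && [ "$3" = '*' ]; then days="on weekday $5 (0 or 7 = Sunday)"
    elif [ "$3" != '*' ] && [ "$5" = '*' ]; then
        days="on day $3 of every month"
        [ "$4" != '*' ] && days="on day $3 of month $4"
    else
        # cron ORs day-of-month and day-of-week when both are restricted
        days="on day $3 of month $4 or on weekday $5"
    fi
    echo "$when $days"
}

# cron_entries CRONTEXT
# Print "description | user | command" for each job line of a system-style
# crontab, skipping blank lines, comments and VAR=value assignments.
cron_entries() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;
        esac
        set -f                      # keep "*" fields from globbing
        set -- $line
        set +f
        [ $# -ge 7 ] || continue    # schedule (5) + user + command
        sched=$(cron_describe "$1" "$2" "$3" "$4" "$5")
        user=$6
        shift 6
        echo "$sched | $user | $*"
    done
}

# On a live system: cron_entries "$(cat /etc/crontab /etc/cron.d/*)"
cron_entries "$CRONTAB_SAMPLE"
```

For a user crontab (crontab -l, or the files under /var/spool/cron/crontabs/) there is no user column, so the check would be for six fields and the command would start at field six; the schedule description is unchanged.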