2 comments
Discussion at the time: <a href="https://news.ycombinator.com/item?id=26591669">https://news.ycombinator.com/item?id=26591669</a>
“To be continued.”

This was published in 2021 but apparently never continued.
Cue spooky music.
1. power off using switch
2. boot from immutable live system
3. sudo mkdir -p /mnt/sus/infected
4. sudo ddrescue -d -f /dev/sda /mnt/sus/sus.img /mnt/sus/sus.log
5. sudo kpartx -l /mnt/sus/sus.img
6. sudo kpartx -av /mnt/sus/sus.img
7. sudo mount -o loop /dev/mapper/loop0p2 /mnt/sus/infected
8. sudo debsums -sac -r /mnt/sus/infected
9. sudo umount /dev/mapper/loop0p2
10. sudo kpartx -d /mnt/sus/sus.img
11. Submit infected binaries in zip.vir file for forensic de-compilation, and ascertain how payload was dropped.

Every once in a while these things happen. Better to redeploy a new clean OS container on the host, and dump the traffic with a remote live packet capture.

Repeat as necessary. =3
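As an added example (not from the thread), a small Python reimplementation of what step 8's `debsums -r <root>` does against the mounted image: read every `var/lib/dpkg/info/*.md5sums` under the offline root, recompute each listed file's MD5, and report files that are changed or missing. The root layout and file contents in `build_sample_root` are a constructed fixture, not data from any real system.

```python
import hashlib
import tempfile
from pathlib import Path


def debsums_like_check(root):
    """Scan ROOT/var/lib/dpkg/info/*.md5sums (the data debsums reads) and
    return (package, relative_path, status) for every file whose MD5 no
    longer matches ("CHANGED") or that is gone ("MISSING"). Clean files are
    not reported, mirroring debsums' -c (changed-only) behaviour."""
    root = Path(root)
    findings = []
    for md5file in sorted((root / "var/lib/dpkg/info").glob("*.md5sums")):
        package = md5file.name[: -len(".md5sums")]
        for line in md5file.read_text().splitlines():
            if not line.strip():
                continue
            expected, relpath = line.split(None, 1)  # "<md5>  <path>" form
            target = root / relpath                  # paths have no leading /
            if not target.is_file():
                findings.append((package, relpath, "MISSING"))
                continue
            actual = hashlib.md5(target.read_bytes()).hexdigest()
            if actual != expected:
                findings.append((package, relpath, "CHANGED"))
    return findings


def build_sample_root(base):
    """Constructed fixture: a fake mounted root with one package, then one
    file tampered and one file deleted after the md5sums were recorded."""
    root = Path(base)
    files = {
        "bin/true": b"#!/bin/sh\nexit 0\n",
        "usr/bin/ls": b"\x7fELF constructed placeholder\n",
        "usr/share/doc/coreutils/copyright": b"constructed copyright text\n",
    }
    lines = []
    for relpath, data in files.items():
        (root / relpath).parent.mkdir(parents=True, exist_ok=True)
        (root / relpath).write_bytes(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {relpath}")
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    (info / "coreutils.md5sums").write_text("\n".join(lines) + "\n")
    # Simulate post-install tampering: modify one binary, remove another.
    with open(root / "bin/true", "ab") as fh:
        fh.write(b"# constructed appended payload marker\n")
    (root / "usr/bin/ls").unlink()
    return root


def demo():
    """Build the fixture in a temp dir and return the check's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return debsums_like_check(build_sample_root(tmp))
```

`demo()` returns the two expected findings for the fixture; on a real image, point `debsums_like_check` at the mount point from step 7 and treat anything reported under `bin`, `sbin`, `usr/bin` or `lib` as a candidate for the step 11 submission.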