Discussion (4 Comments)
This was published in 2021 but apparently never continued.
2. boot from immutable live system
3. sudo mkdir -p /mnt/sus/infected
4. sudo ddrescue -d -f /dev/sda /mnt/sus/sus.img /mnt/sus/sus.log
5. sudo kpartx -l /mnt/sus/sus.img
6. sudo kpartx -av /mnt/sus/sus.img
7. sudo mount -o ro,noexec,nodev,nosuid /dev/mapper/loop0p2 /mnt/sus/infected
8. sudo debsums -sac -r /mnt/sus/infected
9. sudo umount /dev/mapper/loop0p2
10. sudo kpartx -d /mnt/sus/sus.img
11. Submit infected binaries in zip.vir file for forensic de-compilation, and ascertain how payload was dropped.
Every once in a while these things happen. Better to redeploy a new clean OS container on the host, and dump the traffic with a remote live packet capture.
Repeat as necessary. =3
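The imaging, mount, debsums and teardown steps from the procedure above, as an added example that is not from the thread or the original post. It wraps them in a script whose cleanup runs from a trap, mounts the image read-only with noexec/nodev/nosuid so the evidence is neither altered nor executed, and tags the debsums results by where the changed file lives. The disk path (/dev/sda), the evidence directory (/mnt/sus, assumed to be a separately mounted writable volume), the root-filesystem partition number and the sample outputs are all constructed assumptions:

```bash
#!/bin/sh
# Added example, not code from the discussion above. Assumed (hypothetical):
# suspect disk /dev/sda, evidence directory /mnt/sus on a separate writable
# volume, root filesystem on the image's second partition.
set -eu

SUS_DISK=${SUS_DISK:-/dev/sda}
EVIDENCE=${EVIDENCE:-/mnt/sus}
IMG=$EVIDENCE/sus.img
LOG=$EVIDENCE/sus.log
MNT=$EVIDENCE/infected
ROOT_PART=${ROOT_PART:-2}

# Turn `kpartx -l <img>` lines ("loop0p2 : 0 19920896 /dev/loop0 1050624")
# into mapper device paths, one per line.
mapper_paths() {
    awk '$2 == ":" { print "/dev/mapper/" $1 }'
}

# Tag each line of `debsums -c` output (one changed path per line): files in
# a bin/sbin/lib directory are the likeliest drop sites for a payload.
classify_changed() {
    awk '$0 ~ "^/(usr/)?(s?bin|lib[^/]*)/" { print "EXEC " $0; next }
         $0 ~ "^/" { print "OTHER " $0 }'
}

# Count EXEC-tagged lines; prints 0 rather than failing when none match.
exec_count() {
    grep -c '^EXEC ' || true
}

# Constructed sample data so the helpers can be exercised without a disk.
SAMPLE_KPARTX='loop0p1 : 0 1048576 /dev/loop0 2048
loop0p2 : 0 19920896 /dev/loop0 1050624'
SAMPLE_DEBSUMS='/usr/bin/ssh
/etc/ssh/sshd_config
/lib/x86_64-linux-gnu/libc.so.6
/usr/sbin/cron'

teardown() {
    # Runs on exit whether or not the checks succeeded.
    if mountpoint -q "$MNT" 2>/dev/null; then umount "$MNT"; fi
    [ -f "$IMG" ] && kpartx -d "$IMG" || true
}

image_and_verify() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root from a live system" >&2; exit 1; }
    mkdir -p "$MNT"
    # Block-level copy; the log file lets an interrupted rescue resume.
    ddrescue -d -f "$SUS_DISK" "$IMG" "$LOG"
    trap teardown EXIT
    kpartx -av "$IMG" >/dev/null
    dev=$(kpartx -l "$IMG" | mapper_paths | sed -n "${ROOT_PART}p")
    # Read-only, no device nodes, no setuid, nothing executable: the image
    # is evidence and must not be written to or run from.
    mount -o ro,noexec,nodev,nosuid "$dev" "$MNT"
    report=$EVIDENCE/debsums.txt
    # -c list changed files, -a include conffiles, -s errors only.
    # debsums exits non-zero when anything changed, so do not abort on it.
    debsums -sac -r "$MNT" > "$report" || true
    classify_changed < "$report" | tee "$EVIDENCE/debsums-classified.txt"
    echo "changed files under bin/sbin/lib: $(classify_changed < "$report" | exec_count)"
}

case "${1:-}" in
    run)  image_and_verify ;;
    demo) printf '%s\n' "$SAMPLE_DEBSUMS" | classify_changed ;;
esac
```

Run it as `sudo ./sus.sh run` from the live system (the read-only boot is what keeps the suspect disk unchanged; the script does not enforce that). Two caveats on the debsums step: it only covers files owned by dpkg packages, and the md5sums it compares against live inside the suspect image's own dpkg database, so an intruder who edited /var/lib/dpkg/info along with the binary passes the check. Treat a clean debsums run as a hint, not a verdict, and verify any suspect package against a freshly downloaded .deb.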