HI version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
100% Positive
Analyzed from 120 words in the discussion.
Trending Topics
#sus#sudo#mnt#infected#img#dev#kpartx#continued#live#mapper
Discussion (4 Comments)Read Original on HackerNews
This was published in 2021 but apparently never continued.
2. boot from immutable live system
3. sudo mkdir -p /mnt/sus/infected
4. sudo ddrescue -d -f /dev/sda /mnt/sus/sus.img /mnt/sus/sus.log
5. sudo kpartx -l /mnt/sus/sus.img
6. sudo kpartx -av /mnt/sus/sus.img
7. sudo mount -o loop /dev/mapper/loop0p2 /mnt/sus/infected
8. sudo debsums -sac -r /mnt/sus/infected
9. sudo umount /dev/mapper/loop0p2
10. sudo kpartx -d /mnt/sus/sus.img
11. Submit infected binaries in zip.vir file for forensic de-compilation, and ascertain how payload was dropped.
Every once in a awhile these things happen. Better to redeploy a new clean OS container on the host, and dump the traffic with a remote live packet capture.
Repeat as necessary. =3