| ▲ | Joel_Mckay 3 hours ago | |
1. power off using switch 2. boot from immutable live system 3. sudo mkdir -p /mnt/sus/infected 4. sudo ddrescue -d -f /dev/sda /mnt/sus/sus.img /mnt/sus/sus.log 5. sudo kpartx -l /mnt/sus/sus.img 6. sudo kpartx -av /mnt/sus/sus.img 7. sudo mount -o loop /dev/mapper/loop0p2 /mnt/sus/infected 8. sudo debsums -sac -r /mnt/sus/infected 9. sudo umount /dev/mapper/loop0p2 10. sudo kpartx -d /mnt/sus/sus.img 11. Submit infected binaries in zip.vir file for forensic de-compilation, and ascertain how payload was dropped. Every once in a awhile these things happen. Better to redeploy a new clean OS container on the host, and dump the traffic with a remote live packet capture. Repeat as necessary. =3 | ||