Okay, so I wanted to share a little incident from a few months back that really hammered home the power of knowing your Linux internals when things go sideways. I got a frantic call, "something weird is going on with our build server, it's acting sluggish and our monitoring is throwing odd network alerts." No fancy EDR on this particular box, just the usual ssh and bash. My heart always sinks a little when it's a Linux box with vague symptoms, because you know it's time to get your hands dirty.

First thing I did, even before reaching for any specific logs, was to get a quick snapshot of the network. Instead of netstat, which honestly feels a bit dated now, I immediately hit ss -tunap. That p is crucial cause it shows you the process and user ID for each connection. What immediately jumped out was an outbound TCP connection on a high port to a sketchy-looking IP, and it was tied to a process that definitely shouldn't have been making external calls. My gut tightened. I quickly followed up with lsof -i just to be super sure no deleted binaries were clinging on to network connections.

With that IP and PID in hand, I moved to process investigation. pstree -ap was my next stop. It showed the suspicious process, and more importantly, its parent. It wasn't a child of systemd or a normal service. It was spawned by a build script that shouldn't have been executing anything like this. That hierarchical view was key. Then, to really understand what this thing was doing, I dared to strace -p <PID>. Watching the system calls unfurl was like watching a movie of its malicious intent: it was reading from /etc/passwd, making connect() calls, and trying to write to some odd /tmp directories. Simultaneously, I checked ls -l /proc/<PID>/exe to confirm the actual binary path (it was indeed in /tmp) and /proc/<PID>/cwd to see its working directory. No doubt, this was a rogue process.

Knowing it was a fresh infection, I immediately shifted to the filesystem. My go-to is always find / -type f -newermt '2 days ago' -print0 | xargs -0 ls -latr. This quickly pulls up any files modified in the last 48 hours, sorted by modification time. It's often where you find dropped payloads, modified configuration files, or suspicious scripts. Sure enough, there were a few more binaries in /tmp and even a suspicious .sh script in a developer's home directory. I also scanned for SUID/SGID binaries with find / -perm /6000 just in case they'd dropped something for privilege escalation. And while stat's timestamps can be tampered with, I always glance at atime, mtime, and ctime on suspicious files; sometimes, a subtle mismatch offers a tiny clue if the attacker wasn't meticulous.

The final piece of the puzzle, and often the trickiest, is persistence. I checked the usual suspects: crontab -l for root and every other user account I could find. Then I cast a wider net with grep -r "suspect_domain_or_ip" /etc/cron.* /etc/systemd/system/ /etc/rc.d/ and similar common boot directories. Sure enough, a new systemd timer unit had been added that was scheduled to execute the /tmp binary periodically. Finally, I didn't forget the user dotfiles (~/.bashrc, ~/.profile, etc.). It’s surprising how often an attacker will drop a malicious alias or command in there, assuming you won't dig deep into a developer's setup.

Long story short, we quickly identified the ingress vector, isolated the compromise, and cleaned up the persistence. But what really stuck with me is how quickly you can triage and understand an incident if you're comfortable with these fundamental Linux commands. There's no substitute for getting your hands dirty and really understanding what strace is showing you or why ss is superior to netstat in a high-pressure situation. These tools are your best friends in a firefight.

#linux #incidentresponse #blueteam #forensics #shell #bash #sysadmin #infosec #threathunting #lessonslearned

Do me a favor: If you've read my latest book, Taming the Hacker Storm: A Framework for Defeating Hackers and Malware, give it an honest review on Amazon. Only one review so far. It is lonely.

https://www.amazon.com/Taming-Hacking-Storm-Framework-Defeating/dp/1394349580

With these short #murderbot episodes, that are moving along well enough, I'm afraid it'll be s3 and 2 years before ART is introduced.

no, no I will not arstechnica

@gollyhatch @lauren @alterelefant "your friends and family" ... and your doctor, who didn't realize when they did a quick search of your symptoms it was AI that hallucinated a disease that sounded like the disease you actually have, your banker, your test proctor, the bureaucrat you're begging for your earned benefits because the AI auditor failed your application, in all likelihood... because you seem to be trying so hard to be obstinate, you're probably an AI engagement bot.

@JohnsNotHere so perhaps they saw your scan hit, realized they'd unintentionally left it open and remediated the issue... so what's your issue with that?
I certainly have had a few wtf moments after seeing some of my own scan reports on some of my own infra, sprinkling Wazah agents around is usually an eye opener but better than someone else finding your misses.

Announcing: https://justaqrcode.com.

Tired of "free" QR code generators that are full of ads and trackers, that share your data, and that want to sell you something? Me too. Here's my act of resistance: I made a one-page site that works entirely in your browser to generate a simple QR code. And that's all it does. You can download the HTML page and run it locally, even. Read the source; nothing up my sleeves. Just a QR code.

My offer to you -- I will continue to pay for the domain name and web hosting for it, myself. If you find it valuable, you can pay it back by creating your own useful thing for the world and releasing it for free. Let's take back the friendly web, one vexingly-monetized utility at a time!

#QRcode #Free #FriendlyWeb #Resistance

The lack of imagination in the media is only surpassed by the lack of integrity. #media #politics #tech #journalism

@aram always has been.

#AI #HAL9000 #2001SpaceOdyssey

@WeirdWriter oops, thought I was on fb for a moment with this clickbait post, what an ja

@WarnerCrocker wait.... there's a haboob going through... checks notes .... Chicago?

they called it trickle-down economics because 'financial waterboarding' didn't poll well with focus groups

Tip for folks outside the US that want to hire folks within the US....

...when discussing compensation don't lead with the wages/salary.

In the US, almost all of our compensation is salary based.

Our health insurance (NOT healthcare. Insurance), often requires us to:
- Pay out of our wage into insurance just to get it
- Pay out of pocket (insurance does not apply) until we reach a deductible
- Pay high "co-pays" out of pocket even when insurance covers some of the medical care
- Pay for our own prescription medications
- Pay astronomically for any emergency care

Our "retirement" (HAHAHAHAHAH!!!!!!!!) is just us investing in the stockmarket and requires that we take money out of our salary to buy stocks (if we're lucky, our employer "matches" a contribution up to like 2% or whatever - but you don't get that unless you pay first).

We often don't even get paid time off! Some of us are lucky and get a week PTO and some sick days off per year. But that's in we're lucky. I personally don't get any paid time off. I can take days, sure, but I don't get paid for them. I can take a sick day off, but I don't get paid for it. Holidays are bitter sweet.... yay Christmas, but I better save up for that forced time off without pay.

So for us in the US, the wage / salary is quite literally everything.

If you have social programs like healthcare, retirement, maternity/paternity leave, holidays, even sick leave... attach a monetary equivalency number to it and LEAD WITH IT.

I just had a friend who got an amazing offer to move to and work in the Netherlands and his absolute initial disappointment at seeing a "very high salary" at less than half what he makes now just gut punched him.

It took him a bit to realize that he got all these other things that he normally pays for out of pocket individually.... and the add-up was phenomenal and paid SO MUCH MORE than his current total compensation.

#brainDrain #fediHire

"Typical Chat-GPT query uses about 10 times more energy than Google search That’s just for a basic generative AI function. More advanced queries require substantially more power that have to go through an AI Cluster Farm to process large-scale computing between multiple machines."

"AI is typically deployed in 20-30 cabinet clusters at or above 40 KW per cabinet. This represents a fourfold increase in KW/ cabinet with the deployment of AI. The difference is staggering."

https://www.techradar.com/pro/security/i-sat-down-with-two-cooling-experts-to-find-out-what-ais-biggest-problem-is-in-the-data-center

@GossiTheDog oof, that reminds me that I forgot to add the ms telemetry list when I migrated the home network dns over to pi-hole.

@WarnerCrocker if there's only one reason I go to the theatre for this, it'll be to spite Snyder.

Now that I've finished #Andor .... Does anyone who hasn't seen it want to watch it with me so I can pause it repeatedly throughout each episode to kick off individual two hour long discussions on political analysis, history, theory and praxis, and pop culture metaphors with a finger on the pulse of the current cultural zeitgeist?!??!!

@metaning @rvstaveren this is the way... until they all have their own cellular and gps chips.

@scalzi if a hundred influencers step in shit, what percentage do you expect to be overjoyed?