System/Kernel
$ uname -a ; cat /etc/*release
Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal5.4.0-74-genericx86_64Ubuntu 20.04.2 LTS (Focal Fossa)
Networks
$ ip route ; arp -a
default via 192.168.202.254 dev ens160 proto static
192.168.202.0/24 dev ens160 proto kernel scope link src 192.168.202.163
_gateway (192.168.202.254) at 00:50:56:9e:59:95 [ether] on ens160$ netstat -antup4
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -udp 0 0 127.0.0.53:53 0.0.0.0:* -
Users & Groups
$ cat /etc/passwd ; ll /home
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
coaran:x:1000:1000::/home/coaran:/bin/bash
total 12
drwxr-xr-x 3 root root 4096 Jun 10 2021 .
drwxr-xr-x 20 root root 4096 Jan 7 2021 ..
drwx--x--x 2 coaran coaran 4096 Jun 10 2021 coarancoaran
$ cut -d: -f1 /etc/passwd | xargs -n1 id
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(landscape) gid=115(landscape) groups=115(landscape)
uid=110(pollinate) gid=1(daemon) groups=1(daemon)
uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)
uid=998(lxd) gid=100(users) groups=100(users)
uid=112(usbmux) gid=46(plugdev) groups=46(plugdev)
uid=113(mysql) gid=118(mysql) groups=118(mysql)
uid=1000(coaran) gid=1000(coaran) groups=1000(coaran)uid=1000(coaran) gid=1000(coaran) groups=1000(coaran)
SUIDs
$ find / -perm -04000 -ls -type f 2>/dev/null | grep -v '/snap'
1365 52 -rwsr-xr-- 1 root messagebus 51344 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1921 464 -rwsr-xr-x 1 root root 473576 Mar 9 2021 /usr/lib/openssh/ssh-keysign
1452 24 -rwsr-xr-x 1 root root 22840 May 26 2021 /usr/lib/policykit-1/polkit-agent-helper-1
1372 16 -rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
556 84 -rwsr-xr-x 1 root root 85064 May 28 2020 /usr/bin/chfn
975 40 -rwsr-xr-x 1 root root 39144 Jul 21 2020 /usr/bin/umount
906 56 -rwsr-xr-x 1 root root 55528 Jul 21 2020 /usr/bin/mount
3267 164 -rwsr-xr-x 1 root root 166056 Jan 19 2021 /usr/bin/sudo
1379 32 -rwsr-xr-x 1 root root 31032 May 26 2021 /usr/bin/pkexec
866 68 -rwsr-xr-x 1 root root 68208 May 28 2020 /usr/bin/passwd
833 44 -rwsr-xr-x 1 root root 44784 May 28 2020 /usr/bin/newgrp
6190 68 -rwsr-xr-x 1 root root 67816 Jul 21 2020 /usr/bin/su
667 40 -rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
685 88 -rwsr-xr-x 1 root root 88464 May 28 2020 /usr/bin/gpasswd
488 56 -rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
562 52 -rwsr-xr-x 1 root root 53040 May 28 2020 /usr/bin/chshSGIDs
$ find / -type f -perm -02000 -ls 2>/dev/null | grep -v '/snap'
679 44 -rwxr-sr-x 1 root shadow 43160 Apr 8 2021 /usr/sbin/unix_chkpwd
561 44 -rwxr-sr-x 1 root shadow 43168 Apr 8 2021 /usr/sbin/pam_extrausers_chkpwd
134101 16 -rwxr-sr-x 1 root utmp 14648 Sep 30 2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
1870 344 -rwxr-sr-x 1 root ssh 350504 Mar 9 2021 /usr/bin/ssh-agent
3811 16 -rwxr-sr-x 1 root mail 14488 Aug 26 2019 /usr/bin/mlock
586 44 -rwxr-sr-x 1 root crontab 43720 Feb 13 2020 /usr/bin/crontab
3199 36 -rwxr-sr-x 1 root tty 35048 Jul 21 2020 /usr/bin/wall
551 84 -rwxr-sr-x 1 root shadow 84512 May 28 2020 /usr/bin/chage
488 56 -rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
649 32 -rwxr-sr-x 1 root shadow 31312 May 28 2020 /usr/bin/expiry
501 16 -rwxr-sr-x 1 root tty 14488 Mar 30 2020 /usr/bin/bsd-writeCapabilities
$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+epProcesses
$ ps -auxwww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 1.1 168716 11852 ? Ss 09:48 0:01 /sbin/init maybe-ubiquity
root 461 0.0 1.2 51476 12220 ? S<s 09:48 0:00 /lib/systemd/systemd-journald
root 490 0.0 0.5 21516 5188 ? Ss 09:48 0:00 /lib/systemd/systemd-udevd
root 627 0.0 1.7 345772 17992 ? SLsl 09:48 0:00 /sbin/multipathd -d -s
systemd+ 662 0.0 0.5 90228 5416 ? Ssl 09:48 0:00 /lib/systemd/systemd-timesyncd
root 674 0.0 0.9 47536 9092 ? Ss 09:48 0:00 /usr/bin/VGAuthService
root 675 0.0 0.6 163404 6880 ? Ssl 09:48 0:01 /usr/bin/vmtoolsd
systemd+ 749 0.0 1.0 23892 10620 ? Ss 09:48 0:00 /lib/systemd/systemd-resolved
root 828 0.0 0.6 235564 6508 ? Ssl 09:50 0:00 /usr/lib/accountsservice/accounts-daemon
root 832 0.0 0.2 6812 2916 ? Ss 09:50 0:00 /usr/sbin/cron -f
message+ 833 0.0 0.4 7464 4152 ? Ss 09:50 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root 845 0.0 1.2 29028 12508 ? Ss 09:50 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
syslog 848 0.0 0.4 224348 4572 ? Ssl 09:50 0:00 /usr/sbin/rsyslogd -n -iNONE
root 850 0.4 2.9 649916 29868 ? Ssl 09:50 0:15 /usr/lib/snapd/snapd
root 852 0.0 0.6 16568 6768 ? Ss 09:50 0:00 /lib/systemd/systemd-logind
daemon 856 0.0 0.2 3792 2140 ? Ss 09:50 0:00 /usr/sbin/atd -f
root 865 0.0 0.1 5828 1896 tty1 Ss+ 09:50 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 918 0.0 0.7 12176 7072 ? Ss 09:50 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 968 0.0 0.5 232716 5916 ? Ssl 09:50 0:00 /usr/lib/policykit-1/polkitd --no-debug
mysql 980 2.0 9.3 1264008 94180 ? Ssl 09:50 1:09 /usr/sbin/mysqld
root 982 0.0 2.1 225584 21844 ? Ss 09:50 0:00 /usr/sbin/apache2 -k start
root 985 0.0 1.4 107896 14392 ? Ssl 09:50 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root 1333 0.0 1.6 446548 16720 ? Ssl 09:51 0:00 /usr/libexec/fwupd/fwupd
root 1406 0.0 0.8 314924 8328 ? Ssl 09:51 0:00 /usr/lib/upower/upowerd
systemd+ 1592 0.0 0.5 18400 5780 ? Ss 09:51 0:00 /lib/systemd/systemd-networkd
www-data 2935 0.4 3.6 303420 36284 ? S 10:20 0:07 /usr/sbin/apache2 -k start
www-data 3017 0.4 2.7 229400 28068 ? S 10:20 0:06 /usr/sbin/apache2 -k start
www-data 3021 0.3 3.4 303240 34796 ? S 10:20 0:06 /usr/sbin/apache2 -k start
www-data 3202 0.1 3.5 303392 35204 ? S 10:25 0:02 /usr/sbin/apache2 -k start
www-data 3280 0.0 3.2 229412 33148 ? S 10:27 0:00 /usr/sbin/apache2 -k start
www-data 3309 0.0 3.2 229568 32296 ? S 10:28 0:00 /usr/sbin/apache2 -k start
www-data 3310 0.0 1.8 226116 18480 ? S 10:28 0:00 /usr/sbin/apache2 -k start
www-data 3311 0.0 2.9 229372 29796 ? S 10:28 0:00 /usr/sbin/apache2 -k start
www-data 3522 0.0 2.7 303136 27848 ? S 10:34 0:00 /usr/sbin/apache2 -k start
www-data 3523 0.0 2.4 229412 24636 ? S 10:34 0:00 /usr/sbin/apache2 -k start
www-data 4103 0.0 0.0 2608 540 ? S 10:47 0:00 sh -c ps -auxwww
www-data 4104 0.0 0.3 6076 3176 ? R 10:47 0:00 ps -auxwwwroot 832 0.0 0.2 6812 2916 ? Ss 09:50 0:00 /usr/sbin/cron -froot 968 0.0 0.5 232716 5916 ? Ssl 09:50 0:00 /usr/lib/policykit-1/polkitd --no-debugmysql 980 2.0 9.3 1264008 94180 ? Ssl 09:50 1:09 /usr/sbin/mysqld
Cron & Systemd
$ crontab -l ; cat /etc/crontab ; systemctl list-timers
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root bash /opt/image-exif.sh
#
NEXT LEFT LAST PASSED UNIT ACTIVATES
Wed 2025-04-02 11:09:00 UTC 20min left Wed 2025-04-02 10:39:01 UTC 9min ago phpsessionclean.timer phpsessionclean.service
Wed 2025-04-02 14:22:31 UTC 3h 33min left Wed 2025-04-02 09:51:08 UTC 57min ago motd-news.timer motd-news.service
Wed 2025-04-02 15:50:58 UTC 5h 2min left Wed 2025-04-02 09:51:08 UTC 57min ago ua-messaging.timer ua-messaging.service
Thu 2025-04-03 00:00:00 UTC 13h left Wed 2025-04-02 09:51:08 UTC 57min ago logrotate.timer logrotate.service
Thu 2025-04-03 00:00:00 UTC 13h left Wed 2025-04-02 09:51:08 UTC 57min ago man-db.timer man-db.service
Thu 2025-04-03 03:23:07 UTC 16h left Wed 2025-04-02 09:51:08 UTC 57min ago fwupd-refresh.timer fwupd-refresh.service
Thu 2025-04-03 04:19:24 UTC 17h left Wed 2025-04-02 09:51:08 UTC 57min ago apt-daily.timer apt-daily.service
Thu 2025-04-03 06:24:26 UTC 19h left Wed 2025-04-02 09:51:08 UTC 57min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Thu 2025-04-03 10:03:49 UTC 23h left Wed 2025-04-02 10:03:49 UTC 44min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2025-04-06 03:10:06 UTC 3 days left Wed 2025-04-02 09:51:08 UTC 57min ago e2scrub_all.timer e2scrub_all.service
Mon 2025-04-07 00:00:00 UTC 4 days left Wed 2025-04-02 09:51:08 UTC 57min ago fstrim.timer fstrim.service
11 timers listed.
Pass --all to see loaded but inactive timers, too.* * * * * root bash /opt/image-exif.sh
Services
$ systemctl list-units --state=running
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable File Formats File System Automount Point
init.scope loaded active running System and Service Manager
accounts-daemon.service loaded active running Accounts Service
apache2.service loaded active running The Apache HTTP Server
atd.service loaded active running Deferred execution scheduler
cron.service loaded active running Regular background program processing daemon
dbus.service loaded active running D-Bus System Message Bus
fwupd.service loaded active running Firmware update daemon
getty@tty1.service loaded active running Getty on tty1
mariadb.service loaded active running MariaDB 10.3.29 database server
multipathd.service loaded active running Device-Mapper Multipath Device Controller
networkd-dispatcher.service loaded active running Dispatcher daemon for systemd-networkd
open-vm-tools.service loaded active running Service for virtual machines hosted on VMware
polkit.service loaded active running Authorization Manager
rsyslog.service loaded active running System Logging Service
snapd.service loaded active running Snap Daemon
ssh.service loaded active running OpenBSD Secure Shell server
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-networkd.service loaded active running Network Service
systemd-resolved.service loaded active running Network Name Resolution
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-udevd.service loaded active running udev Kernel Device Manager
unattended-upgrades.service loaded active running Unattended Upgrades Shutdown
upower.service loaded active running Daemon for power management
vgauth.service loaded active running Authentication service for virtual machines hosted on VMware
dbus.socket loaded active running D-Bus System Message Bus Socket
multipathd.socket loaded active running multipathd control socket
snapd.socket loaded active running Socket activation for snappy daemon
syslog.socket loaded active running Syslog Socket
systemd-journald-audit.socket loaded active running Journal Audit Socket
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
systemd-networkd.socket loaded active running Network Service Netlink Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
36 loaded units listed.apache2.servicemariadb.service
Sudo Version
$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31Sudo version 1.8.31
Glibc Version
$ ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9.2) 2.31
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.ldd (Ubuntu GLIBC 2.31-0ubuntu9.2) 2.31