Post #975

When investigating a suspicious process on Linux, try this: strings /proc/<PID>/environ For example, a socat command was used to spawn a reverse bindshell backdoor. Environ entry shows SSH connection data and traces to the socat comand. Some versions of netcat do similar. Many attackers do not wipe their process environment and this can leave behind high fidelity forensics to help investigate. Many programs leave really obvious data in the process environment. It's there for the asking on Linux.