I am currently conducting an investigation on a host that is known to have been compromised. There are a string of .job files (i.e. AT1.job, AT2.job etc etc).
I believe that these have been run by a remote user using the "at" command. By looking at the command line commands issued chronologically, I can see pretty much what the user has done.
i.e., AT1.job shows ping.google.com (presumably to confirm Internet access), AT2.job shows the use of the netstat command piped to tep file.
The sequence continues to a point where I can see "rogue" executables being launched.
I'd like to be able to identify the source of the device that issued the at commands, but I'm unsure how to go about this, or if it's possible.
Much of the content of the job files is in plain text (which is how I could see the commands), but there is also some "non plain text" content at the start of each file. I wondered whether this might contain some (encoded) information on the source of the file.
In each case the file owner is Administrator.
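The "non plain text" bytes at the start of a .job file are the 68-byte fixed-length header documented in MS-TSCH (product/file version, job UUID, offsets, flags, last run time), followed by length-prefixed UTF-16LE strings for the application, parameters, working directory, author and comment; the layout has no field for the host that submitted the job. The parser below is an added example (not from the original post) that decodes those fields from a constructed sample; the UUID, paths and account name in the sample are made up.

```python
import struct
import uuid

# 68-byte FIXDLEN_DATA header of a .job file (MS-TSCH 2.4.1): product version,
# file version, job UUID, app-name-length offset, trigger offset, error retry
# count/interval, idle deadline/wait, priority, max run time, exit code, status,
# flags, and a 16-byte SYSTEMTIME holding the last run time.
FIXED = struct.Struct("<HH16sHHHHHHIIIII8H")
VAR_STRINGS = ("application", "parameters", "working_dir", "author", "comment")

def read_ustr(buf, pos):
    """Read a length-prefixed UTF-16LE string (2-byte char count incl. NUL)."""
    (n,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if n == 0:
        return "", pos
    return buf[pos:pos + 2 * n].decode("utf-16-le").rstrip("\x00"), pos + 2 * n

def parse_job(buf):
    """Return the header fields and the variable-length strings of a .job file."""
    f = FIXED.unpack_from(buf, 0)
    info = {
        "product_version": hex(f[0]), "file_version": f[1], "flags": hex(f[13]),
        "job_uuid": str(uuid.UUID(bytes_le=f[2])),
        "last_run": "%04d-%02d-%02d %02d:%02d:%02d" % (f[14], f[15], f[17], f[18], f[19], f[20]),
    }
    pos = f[3]  # offset of the Application Name length field (normally 70)
    (info["running_instances"],) = struct.unpack_from("<H", buf, pos - 2)
    for key in VAR_STRINGS:
        info[key], pos = read_ustr(buf, pos)
    return info

def ustr(s):
    """Encode a string the way .job files store it (used to build the sample)."""
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")

def build_sample_job():
    """Constructed sample resembling an AT-created job; every value is made up."""
    strings = (r"C:\WINDOWS\system32\cmd.exe", r"/c ping google.com > c:\temp\p.txt",
               r"C:\WINDOWS\system32", r"WORKSTATION01\Administrator",
               "Created by NetScheduleJobAdd.")
    var = b"".join(ustr(s) for s in strings) + struct.pack("<HH", 0, 0)  # empty User/Reserved Data
    head = FIXED.pack(0x0400, 1, uuid.UUID(int=0x1234).bytes_le, 70, 70 + len(var),
                      0, 0, 0, 0, 0x20, 259200000, 0, 0, 0,
                      2009, 3, 2, 17, 13, 45, 7, 0)  # SYSTEMTIME: 2009-03-17 13:45:07
    return head + struct.pack("<H", 0) + var + struct.pack("<H", 0)  # 0 running, 0 triggers
```

On a real file, `parse_job(open("AT1.job", "rb").read())` gives the author (the account that created the job) and the last run time to line up against the Security and Task Scheduler event logs, which is where the submitting host, if recorded at all, would be found.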