A server has been compromised, and the Incident Response team has acquired its image for further forensics. Your task is to review this server image and write an investigation report that answers what the hacker did on this server.
Image download link: https://drive.google.com/file/d/1DAJ0F8IbaTQQ_pqG73mE1qsJ5-ng0DCi/view?usp=sharing
Access credentials:
- rc3user:toor
- root:toor
When reviewing a Linux server, an investigator often checks these places:
- bashrc
- crontabs
- profiles
- init.d files
- inittab
- files that have been replaced, found by checking the which or alias commands
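
The checklist above can be run against a mounted copy of the image rather than the live system. The following is an added example, not part of the original exercise: the function names, the mount point `/mnt/image`, the exact file paths chosen for each checklist item and the sample tree are all assumptions.

```shell
# Added example: triage a read-only mounted image; ROOT is its mount point (assumption).

# Print mtime and path of each startup/persistence file that exists under ROOT.
list_persistence_files() {
    local root="${1%/}" f
    for f in "$root"/etc/profile "$root"/etc/profile.d/* "$root"/etc/bash.bashrc \
             "$root"/etc/inittab "$root"/etc/init.d/* "$root"/etc/crontab \
             "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/* \
             "$root"/root/.bashrc "$root"/root/.profile \
             "$root"/home/*/.bashrc "$root"/home/*/.profile; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(date -u -r "$f" '+%Y-%m-%d %H:%M:%S')" "${f#"$root"}"
    done | sort
}

# Print alias definitions in shell startup files (what `alias` would show a user).
find_alias_overrides() {
    local root="${1%/}"
    grep -HnE '^[[:space:]]*alias[[:space:]]+[^=]+=' \
        "$root"/etc/profile "$root"/etc/bash.bashrc "$root"/etc/profile.d/* \
        "$root"/root/.bashrc "$root"/root/.profile \
        "$root"/home/*/.bashrc "$root"/home/*/.profile 2>/dev/null | sed "s|^$root||"
}

# Print files in /usr/local/{sbin,bin} that shadow a system binary of the same name
# (what `which -a` would show), assuming the usual PATH order with /usr/local first.
find_shadowed_binaries() {
    local root="${1%/}" f name d
    for f in "$root"/usr/local/sbin/* "$root"/usr/local/bin/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        for d in usr/sbin usr/bin sbin bin; do
            [ -e "$root/$d/$name" ] || continue
            printf '%s shadows /%s/%s\n' "${f#"$root"}" "$d" "$name"; break
        done
    done
}

# Build a small constructed sample tree (not the exercise image) for a dry run.
build_sample_root() {
    local r; r="$(mktemp -d)"
    mkdir -p "$r/etc/init.d" "$r/home/sampleuser" "$r/usr/local/bin" "$r/bin"
    : > "$r/etc/crontab"; : > "$r/etc/init.d/sample-svc"
    : > "$r/usr/local/bin/ls"; : > "$r/bin/ls"
    echo "alias ls='/opt/sample/ls'" > "$r/home/sampleuser/.bashrc"
    echo "$r"
}

# Run as: sh triage.sh /mnt/image  (with no argument, only the functions are defined)
[ -z "${1:-}" ] || { list_persistence_files "$1"; find_alias_overrides "$1"; find_shadowed_binaries "$1"; }
```

Stock startup files contain legitimate aliases, so the alias output is a list to review, not a list of findings. Sorting by modification time puts files changed around the suspected compromise window next to each other.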