netcat (nc) howto

Here’s a command that can be helpful.

nc, or netcat, allows you to write across the network.

For an example we will take #2 from my last post on how to handle a hacked hard drive:

#2. List the current open files (lsof), current processes (ps aux), and current open ports (netstat -anpe).

You don’t want to write anything to the hacked drive, and you want to get this output as fast as possible, so an easy way to do that is to use netcat. Ahead of any server getting hacked, pick a port to use for netcat, open it for egress traffic on every server you might need to send from, and open it for ingress on the one server you choose as the netcat host to receive the data. In this example we will use port 9999.

First we need to start netcat listening for data. On the host, run:

nc -l -n 9999 2>&1 | tee /dev/shm/netcat.tee

Then, on the hacked server you want to send from, run:

(lsof ; ps aux; netstat -anpe ) | nc ip_of_netcat_host 9999

Then you can less /dev/shm/netcat.tee and inspect the output from the hacked server.
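
The single stream above runs the three outputs together and gives no sign if the connection drops partway through. As an added example (not part of the original post), the hypothetical helpers triage_stream and split_capture below frame each command's output with marker lines so the capture can be split per command on the netcat host and a cut-off section is flagged; the marker format and the /dev/shm/triage output directory are assumptions.

```shell
#!/bin/sh
# Sender side (hacked server): writes only to stdout, nothing to the local disk.
# Each command's output is framed by BEGIN/END marker lines (assumed format).
triage_stream() {
    for cmd in "$@"; do
        printf '=====BEGIN %s\n' "$cmd"
        rc=0
        sh -c "$cmd" 2>&1 || rc=$?      # keep going even if a tool is missing
        printf '=====END %s rc=%s\n' "$cmd" "$rc"
    done
}

# Receiver side (netcat host): split the capture written by tee into NN.txt
# files in outdir and print an index line "NN<TAB>exit status<TAB>command".
# A section with no END marker (connection dropped) is reported as TRUNCATED.
split_capture() {
    capture=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^=====BEGIN / {
            n++; cmd = substr($0, 12); insec = 1
            out = sprintf("%s/%02d.txt", dir, n)
            printf "" > out               # create the file even if output is empty
            next
        }
        /^=====END / {
            if (insec) {
                rc = $0; sub(/.* rc=/, "", rc)
                printf "%02d\t%s\t%s\n", n, rc, cmd
                close(out); insec = 0
            }
            next
        }
        insec { print > out }
        END   { if (insec) printf "%02d\tTRUNCATED\t%s\n", n, cmd }
    ' "$capture"
}

# Usage with the commands from this post:
#   hacked server: triage_stream lsof 'ps aux' 'netstat -anpe' | nc ip_of_netcat_host 9999
#   netcat host:   split_capture /dev/shm/netcat.tee /dev/shm/triage
```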