Author: Vlad Roskov (@mrvos)
We recently noticed that there is some abnormal activity on our lab server, which is not being reflected in authentication logs. We suspect it might result from some unauthorized access.
The forensic professionals we hired had some progress, and even got in touch with Interpol, but then somehow they stopped responding. We still don't know what it was, and who might be the perpetrator.
Can you glance at the server too? We need the crook's real name.
ssh hackedagain@109.233.57.94
Password: FXujp85X
Oh, Interpol also got us this: c2_log_2020-07-24.log. No idea what that is though.
Artyom Kadushko, [25.07.20 18:22]
Is this ip is a part of chall? http://35.242.197.71/
(Taken from c2_log_2020-07-24.log)
Vlad Roskov, [25.07.20 18:22]
yes
Hint at 20:00 — You definitely need to lay your hands on the malware author's private docs... perhaps that contains his true identity. Looks like there are two bots in the botnet left: you, and the initial one that the backdoor was tested on!
Vladas, [25.07.20 20:53]
should c2 be down in "hacked again"?
Vlad Roskov, [25.07.20 20:54]
yes