Wednesday, June 10, 2015

astu command in Linux

astu is a fictional command used in the Mr. Robot TV series. Elliot uses it to restore the hacked server. The commands shown while he is fixing the server are:

They appear at the 30:20 minute mark of the Mr. Robot episode.

eterm##$ locate server WBKUW300PS345672
eterm##$ ps aux | grep root
eterm##$ ps aux | grep root | cpuset
eterm##$ astu trace -pid 344 -cmd
eterm##$ astu -ls ./root/fsociety/ -a
eterm##$ fsociety00.dat

The commands above were used by Elliot to restore the server. Of all of them, only ps and locate are real Unix commands. ps lists the running processes. According to the series, a rootkill was running on the server; Elliot uses ps to list the processes running under the root user and finds that fsociety00.dat is the process that caused the server's downtime.

The locate command searches for files on your filesystem. It does not walk the disk at query time; it only consults the prebuilt file index in the /var/lib/mlocate/mlocate.db database file.

15 comments:

  1. Replies
    1. Of course grep is a Unix command. So is cpuset.

  2. It's not rootkill, it's rootkit.

  3. A decent rootkit would not have shown up in the process list, as the ps command would have been replaced to hide the hacker's activity. I'm guessing fsociety wanted Elliot to find that pid.

    Replies
    1. Guess you were wrong lol, Elliot IS fsociety

  4. This comment has been removed by the author.

  5. This comment has been removed by the author.

  6. The fact rootkill is used instead of rootkit discredits this article entirely.

  7. A good security guy would come with his own toolkit to avoid this kind of ps replacement stuff. Anyway, you can always scan /proc with a bash script.

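The /proc scan suggested in comment 7, together with comment 9's point about not trusting the compromised box's own process listing, as an added bash example that is not from the post or any commenter. It snapshots PIDs from /proc with a shell glob (no external binary involved), asks ps for its view, and reports PIDs the kernel knows about but ps does not; the file name hidden_pids.sh is an assumption.

```shell
#!/usr/bin/env bash
# Added example: cross-check PIDs exposed by the kernel in /proc against the
# PIDs the system's ps reports. A user-space rootkit that replaces ps or hooks
# libc's readdir can drop entries from the process list, but the glob below asks
# the kernel directly. A kernel-level rootkit can hide from /proc as well, so an
# empty result is not proof of a clean machine.

# Snapshot /proc into the caller's variable PROC_PIDS. Using a glob in the
# current shell means no external binary runs and no $(...) subshell PID
# pollutes the snapshot.
collect_proc_pids() {
  local d
  PROC_PIDS=""
  for d in /proc/[0-9]*; do PROC_PIDS="$PROC_PIDS ${d#/proc/}"; done
  PROC_PIDS=${PROC_PIDS# }
}

# find_hidden "<pids seen in /proc>" "<pids reported by ps>"
# Prints PIDs present in the first list but missing from the second. Either
# list may be separated by any whitespace (ps prints one PID per line).
find_hidden() {
  local proc_list="$1" ps_list pid hidden=""
  ps_list=" $(echo $2) "              # normalise to single spaces, padded
  for pid in $proc_list; do
    case "$ps_list" in
      *" $pid "*) ;;                  # ps agrees this PID exists
      *) hidden="$hidden $pid" ;;     # kernel knows it, ps does not
    esac
  done
  echo "${hidden# }"
}

# Read a suspect PID's command line straight from /proc, not via ps.
describe_pid() {
  local cmd
  cmd=$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)
  echo "$1 ${cmd:-[no cmdline: kernel thread or already exited]}"
}

# Snapshot /proc first, then run ps: the short-lived ps process is simply absent
# from the snapshot instead of showing up as a false alarm. A process that exits
# between the two steps is the remaining source of false positives; rerun to confirm.
scan() {
  local by_ps hidden pid
  collect_proc_pids
  by_ps=$(ps -eo pid=)
  hidden=$(find_hidden "$PROC_PIDS" "$by_ps")
  if [ -z "$hidden" ]; then echo "ps and /proc agree"; return 0; fi
  for pid in $hidden; do describe_pid "$pid"; done
  return 1
}

if [ "${1:-}" = "scan" ]; then scan; fi   # usage: bash hidden_pids.sh scan
```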
  8. atsu could easily be a real Unix command; we just don't know what it is. It's just an arbitrary unknown program. After all, there are commands that have to be Unix; lots of them are just there by convention as they are generally useful.

  9. Elliot, as the diligent guy he is, would have used trusted binaries on a separate PATH rather than relying on the default ones on a rooted machine.

    I imagine setting a PATH wasn't as exciting and was left out :)

  10. atsu could have been an alias.

  11. It's an alias. He used a shred followed by an rm. Or a custom shred to overwrite the file hundreds of times to make it unrecoverable.
