ASTU is a fictional command used in the Mr. Robot TV series. Elliot uses it while restoring the hacked server. The commands shown on screen while he fixes the server, at about 30:20 into the episode, are:
eterm##$ locate server WBKUW300PS345672
eterm##$ ps aux | grep root
eterm##$ ps aux | grep root | cpuset
eterm##$ astu trace -pid 344 -cmd
eterm##$ astu -ls ./root/fsociety/ -a
eterm##$ fsociety00.dat
The commands above are the ones Elliot uses to restore the server. Of these, only ps, grep and locate are real Unix commands: astu is invented for the show, and cpuset is the name of a Linux kernel feature (CPU-set cgroups), not a filter that ps output can be piped into. ps lists the running processes. According to the series, a rootkit was running on the server, so Elliot uses ps to list the processes running as root and concludes that fsociety00.dat is the process that caused the server's downtime. Note that ps aux | grep root is only an approximation: it also matches any command line that happens to contain the string "root", plus the grep process itself. ps -U root -u root, or ps -eo pid,user,comm with a filter on the user column, selects root's processes exactly.
locate searches for files by name, but it queries the mlocate database (/var/lib/mlocate/mlocate.db, rebuilt by updatedb, normally from a daily cron job) rather than the live filesystem. A file dropped after the last updatedb run will therefore not be found until the database is refreshed; find walks the filesystem directly and does not have that blind spot.
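The following is an added example, not part of the original post or of the show's commands. It does what ps aux | grep root is meant to do, listing the processes that run as root, but reads the list straight from /proc/<pid>/status rather than trusting the ps binary, and then reports any root PID that a ps listing omits. That goes one step beyond the post: on a machine where a rootkit has replaced ps, a PID that exists in /proc but is missing from ps output is itself a finding. The proc directory is a parameter (hypothetical helper functions root_pids_from_proc and hidden_root_pids are mine) so the logic can be exercised against a constructed tree; on a live host pass /proc.

```shell
#!/bin/sh
# Added example, not from the original post. Enumerate root-owned processes by
# reading the kernel-provided /proc tree, then diff against what `ps` reports.
# The proc directory is a parameter so the functions can run against a
# constructed tree; on a live system call them with /proc.

# Print the PIDs whose real UID is 0 under the given proc directory,
# one per line, numerically sorted. Non-numeric entries (self, sys, ...)
# are skipped by the glob.
root_pids_from_proc() {
    procdir=$1
    for d in "$procdir"/[0-9]*; do
        [ -r "$d/status" ] || continue
        # The status file carries "Uid:<tab>real<tab>effective<tab>saved<tab>fs";
        # the second field is the real UID.
        uid=$(awk '/^Uid:/ { print $2 }' "$d/status")
        [ "$uid" = "0" ] && printf '%s\n' "${d##*/}"
    done | sort -n
}

# Read a `ps -eo pid,user` style listing (header line first) on stdin and
# print every PID that the proc tree shows as root but ps does not list.
# On a clean box this prints nothing; a hidden PID points at a trojaned ps.
hidden_root_pids() {
    procdir=$1
    ps_pids=$(awk 'NR > 1 && $2 == "root" { print $1 }')
    for pid in $(root_pids_from_proc "$procdir"); do
        printf '%s\n' "$ps_pids" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# Live usage (uncomment on a real host):
#   root_pids_from_proc /proc
#   ps -eo pid,user | hidden_root_pids /proc
```

ps -eo pid,user is used for the comparison instead of ps aux because its columns are fixed and it does not match the word "root" anywhere else on the line. If the second function reports a PID, inspect /proc/<pid>/exe, cmdline and maps directly rather than through any tool that was already on the box, as the commenters below point out.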
grep isn't a unix command?
Of course grep is a unix command. So is cpuset.
Very interesting, thanks :)
It's not rootkill, it's rootkit.
A decent rootkit would not have shown up in the process list, as the ps command would have been replaced to hide the hacker's activity. I'm guessing fsociety wanted Elliott to find that pid.
Guess you were wrong lol Elliot IS fsociety
Agree with Mr Hebert..
The fact rootkill is used instead of rootkit discredits this article entirely.
A good security guy would come with his own toolkit to avoid this kind of ps replacement stuff. Anyway you can always scan /proc with a bash script.
atsu could easily be a real unix command, we just don't know what it is. It's just an arbitrary unknown program. After all there are commands that have to be unix, lots of them are just there by convention as they are generally useful.
Elliot, as the diligent guy he is, would have used trusted binaries on a separate PATH rather than relying on the default ones on a rooted machine.
I imagine setting a PATH wasn't as exciting and was left out :)
atsu could have been an alias.
It's an alias. He used a shred followed by a rm. Or a custom shred to overwrite the file hundreds of times to make it unrecoverable.