Article summary: This document walks through an incident-response scenario in which the IronShade APT compromises a Linux server. The analysis has to identify the backdoor account, the cron job that re-launches the implant at boot, the hidden process .strokes, and suspicious services. The investigation finds the attack originated from IP 10.11.75.247, with multiple failed logins and a malicious software package. The core task is a complete intrusion-footprint analysis using logs, processes and service configuration.
Overall score: 78
Article category: Incident response, Threat intelligence, CTF
IronShade
Original
漫路修行
微痕鉴远
January 4, 2026, 12:33, Guangdong
Incident Scenario
Based on the threat intel report received, an infamous hacking group, IronShade, has been observed targeting Linux servers across the region. Our team set up a honeypot that exposed a weak SSH service and other ports so that the APT group would attack it and we could study their attack patterns.
You are provided with one of the compromised Linux servers. Your task as a Security Analyst is to perform a thorough compromise assessment on the Linux server and identify the attack footprints. Some threat reports indicate that one indicator of their attack is creating a backdoor account for persistence.
What is the Machine ID of the machine we are investigating?
What backdoor user account was created on the server?
What is the cronjob that was set up by the attacker for persistence?
@reboot /home/mircoservice/printer_app
Examine the running processes on the machine. Can you identify the suspicious-looking hidden process from the backdoor account?
.strokes
How many processes are found to be running from the backdoor account’s directory?
2
What is the name of the hidden file in memory from the root directory?
What suspicious services were installed on the server? Format is service a, service b in alphabetical order.
systemctl list-unit-files --type=service | grep enabled
Identify them from the error logs, the ExecStart parameters, the creation dates and similar clues.
Examine the logs; when was the backdoor account created on this infected system?
From which IP address were multiple SSH connections observed against the suspicious backdoor account?
10.11.75.247
How many failed SSH login attempts were observed on the backdoor account?
8
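The log questions above (when the account was created, which IP hit it, how many failed logins) are the kind of thing worth scripting rather than eyeballing. The following is an added example, not part of the original write-up: a small Python triage script over a constructed auth.log excerpt. The user name svc_backup, the timestamps and the line contents are assumptions; only the IP 10.11.75.247 is taken from the write-up.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (NOT the challenge's real log). The backdoor
# user "svc_backup" and the timestamps are assumptions; 10.11.75.247 is the
# source IP named in the write-up.
AUTH_LOG = """\
Aug 12 09:14:02 honeypot useradd[2211]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Aug 12 09:14:02 honeypot useradd[2211]: add 'svc_backup' to group 'sudo'
Aug 12 09:20:11 honeypot sshd[2305]: Failed password for svc_backup from 10.11.75.247 port 50122 ssh2
Aug 12 09:20:15 honeypot sshd[2305]: Failed password for svc_backup from 10.11.75.247 port 50122 ssh2
Aug 12 09:20:19 honeypot sshd[2305]: Accepted password for svc_backup from 10.11.75.247 port 50122 ssh2
Aug 12 09:31:40 honeypot sshd[2390]: Failed password for invalid user admin from 192.0.2.77 port 41010 ssh2
Aug 12 09:45:03 honeypot sshd[2412]: Failed password for svc_backup from 10.11.75.247 port 50300 ssh2
Aug 12 10:02:55 honeypot sshd[2450]: Accepted publickey for svc_backup from 10.11.75.247 port 50410 ssh2
"""

# useradd logs "new user: name=<user>, UID=..." when an account is created.
USERADD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
# sshd logs "Accepted|Failed <method> for [invalid user ]<user> from <ip> port ...".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def account_creation(log, user):
    """Return the syslog timestamp of the useradd line for `user`, or None."""
    for line in log.splitlines():
        m = USERADD_RE.match(line)
        if m and m.group("user") == user:
            return m.group("ts")
    return None

def ssh_events(log, user):
    """Yield (result, source_ip) for every sshd authentication line about `user`."""
    for line in log.splitlines():
        m = SSHD_RE.search(line)
        if m and m.group("user") == user:
            yield m.group("result"), m.group("ip")

def failed_attempts(log, user):
    """Number of failed SSH authentications against `user`."""
    return sum(1 for result, _ in ssh_events(log, user) if result == "Failed")

def source_ips(log, user):
    """Counter of source IPs over all (failed and accepted) attempts for `user`."""
    return Counter(ip for _, ip in ssh_events(log, user))

if __name__ == "__main__":
    user = "svc_backup"
    print("account created:", account_creation(AUTH_LOG, user))
    print("failed SSH logins:", failed_attempts(AUTH_LOG, user))
    print("source IPs:", source_ips(AUTH_LOG, user).most_common())
```

On a real host, feed it the contents of /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family) and the backdoor user name recovered from /etc/passwd.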
Which malicious package was installed on the host?
What is the secret code found in the metadata of the suspicious package?
Disclaimer:
The programs and technical methods in this article are intended solely for lawful, compliant security research and teaching, with the aim of improving network security defenses; they are of a clearly technical research nature.
If any organization or individual uses the contents of this article without authorization for attacks, sabotage or other illegal purposes, all resulting legal liability, civil compensation and joint liability are borne solely by that person; this site bears no joint liability.
All content on this site is published for technical exchange and knowledge sharing. If there is a copyright infringement or other objection, please contact us by e-mail; the contact details are under "Contact me" at the top of the page.
This article is reposted from: 微痕鉴远 漫路修行, "IronShade"
Copyright notice
This site only keeps backup copies, for research and teaching reference only.
Readers who use the information for other purposes bear all legal and joint liability themselves; this site bears no responsibility.