My Linux Jenkins server was compromised and a rootkit was installed. I know this since a running process tells me the path the Jenkins job is running, and it includes a URL with a path pointing to a Python script. On a different host I opened that script and found several scripts that attempt to install a rootkit, along with a destination URL to presumably tell them which rootkit was successful.
I can see some questionable binaries under /tmp. I opened one of those binaries with a decompiler, but I'm not sure what to look for.
So, what does one do in this situation to find out more about the attacker and possibly what the intent was?
Asking here since none of the books or articles I've read address those two questions. I do know I have to assume any data on that host was compromised. My goal is to learn more about the attacker and the attack.
Other info: I became aware when the network team noticed GBs of data outgoing from our Linux Jenkins host. They closed the port and we unplugged the host. The IP that the job is getting the Python script from appears to be in the US, but nothing more specific according to IP lookups. The destination IP is in Jinan, China.
EDIT
I've updated the question title as requested. This question specifically asks for ways to find the attacker and maybe their goal. The answer provided as "previously answered" does not say anything about finding the attacker or their goal, and this is why I do not think it's the same question.