Looking for Malware on Linux Systems

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

In this lab, we’ll be investigating a possible malware infection on an Ubuntu Linux host. We’ll be looking for specific data points and will document them in a file on the host. Then we’ll export the syslog data to a text file for later analysis.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Document data points provided by your supervisor.
  1. Open Gedit to provide a place to save your findings.
  2. Run the command sudo top to open the system performance interface.
  3. Type the letter P to sort by processor utilization. Document the process using the most processor resources.
  4. Type the letter M to sort by memory utilization. Document the process using the most memory resources.
  5. Type Ctrl+c to exit top.
  6. Run the command sudo df -h to list out disk space statistics for the server. Identify the percentage of used disk space for /dev/xvda1 and record it.
  7. Run the command sudo w to list active connections to the server. Identify the username of the active connection and record it.
  8. Run the command sudo netstat -a and identify the ESTABLISHED connection. Record the remote IP address of the device connecting to the server.
  9. From within Gedit, save the document on the Desktop as investigation.txt.
Export syslog data to a file.

Run the following command: sudo cat /var/log/syslog > /home/cloud_user/Desktop/syslog.txt
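The same data points can be gathered non-interactively. This is an added example, not the lab's own code: it parses the output of the commands the lab has you run (ps/top, df, w, netstat) into the five lines of investigation.txt and then performs the syslog export. The parsers read from stdin so they can be checked against the constructed sample output embedded below; the `ps` column choices, the `w -h` and `--no-headers` flags, and the absence of spaces in process names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own code: parse the output of the commands the lab has you
# run (ps/top, df, w, netstat) into the five lines of investigation.txt. Each parser
# reads one command's output from stdin so it can be checked against constructed samples.
# Top process by one metric. stdin: `ps -eo pid,comm,pcpu,pmem --no-headers` (the same
# %CPU/%MEM figures top shows). $1 = column: 3 for CPU, 4 for memory. Assumes the
# command name contains no spaces. Prints "name, value%, PID" as the lab wants it.
parse_top_proc() {
    LC_ALL=C sort -k"$1,$1" -nr | awk -v f="$1" 'NR == 1 { printf "%s, %s%%, %s\n", $2, $f, $1 }'
}
# Use% of one filesystem. stdin: `df -h`; $1 = device name such as /dev/xvda1.
parse_disk_used() { awk -v dev="$1" '$1 == dev { print $5 }'; }
# Logged-in usernames, unique and comma-separated. stdin: `w -h` (header suppressed).
parse_w_users() { awk '{ print $1 }' | LC_ALL=C sort -u | paste -sd, -; }
# Remote IPs of ESTABLISHED TCP sessions. stdin: `netstat -a` (or -tan). Only the
# trailing ":port" is stripped, so IPv6 addresses keep their colons.
parse_established() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" { sub(/:[^:]*$/, "", $5); print $5 }' \
        | LC_ALL=C sort -u | paste -sd, -
}

# Constructed sample output (not captured from a real host) for offline checks.
SAMPLE_PS='1234 kworker/0:1 0.3 0.1
4321 xmrig 97.5 12.0
77 java 2.0 40.3'
SAMPLE_DF='/dev/xvda1 8.0G 3.1G 4.9G 39% /
tmpfs 100M 0 100M 0% /run/user/1000'
SAMPLE_W='cloud_user pts/0 203.0.113.10 10:02 0.00s 0.04s 0.00s w
bob pts/1 203.0.113.11 10:05 1.00s 0.02s 0.00s bash'
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 ip-10-0-0-5:ssh 203.0.113.10:51234 ESTABLISHED
tcp 0 0 ip-10-0-0-5:ssh 203.0.113.11:51240 ESTABLISHED'
# The five lines in the lab's format. $1 ps, $2 df, $3 w, $4 netstat output.
report() {
    printf 'CPU Process: %s\n' "$(printf '%s\n' "$1" | parse_top_proc 3)"
    printf 'Mem Process: %s\n' "$(printf '%s\n' "$1" | parse_top_proc 4)"
    printf 'Percentage of used disk space on /dev/xvda1: %s\n' "$(printf '%s\n' "$2" | parse_disk_used /dev/xvda1)"
    printf 'Remote username for active connections: %s\n' "$(printf '%s\n' "$3" | parse_w_users)"
    printf 'Remote IP of active connections: %s\n' "$(printf '%s\n' "$4" | parse_established)"
}
# Live collection (run as root, as the lab does with sudo) plus the syslog export step.
collect() {
    local desk=/home/cloud_user/Desktop
    report "$(ps -eo pid,comm,pcpu,pmem --no-headers)" "$(df -h)" "$(w -h)" "$(netstat -a)" \
        > "$desk/investigation.txt"
    cat /var/log/syslog > "$desk/syslog.txt"
}
# `bash collect.sh run` collects; sourcing the file only defines the parsers.
if [ "${1:-}" = "run" ]; then collect; fi
```

Comparing the script's output with what you recorded by hand from top, df, w and netstat is a useful check that you read the right columns.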

Additional Resources

One of your organization's servers has been compromised, and your supervisor has asked you to check another server to see if you can identify anything strange that would indicate it has been compromised as well. You are to document your findings in a text file named investigation.txt on the Desktop of the server. The data that needs collecting is:

  • Name of the process using the most CPU, the amount of CPU being used by the process, and its PID
  • Name of the process using the most memory, the amount of memory being used by the process, and its PID
  • Percentage of free disk space on /dev/xvda1
  • Identify any active connections to the host and list the usernames used to connect
  • Identify any active connections and list the remote IP address of the hosts connecting to the server
  • Use the following format in the investigation.txt file:
    1. CPU Process: name, cpu amount, PID#
    2. Mem Process: name, mem amount, PID#
    3. Percentage of used disk space on /dev/xvda1: ##%
    4. Remote username for active connections: username
    5. Remote IP of active connections: x.x.x.x
  • Lastly, you'll need to export the syslog data on the server to a file named syslog.txt on the Desktop of the server.

Connecting to the lab:

  1. Use VNC on your computer to connect to the public IP address of the instance on port 5901 (x.x.x.x:5901).
  2. Log in with the username and password generated by the lab.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
