Looking for Malware on Linux Systems

Hands-On Lab

Bob Salmans, Security Training Architect I in Content

Length: 00:30:00

Difficulty: Beginner


Identifying Malware on Linux Systems

Introduction

In this lab, we'll be investigating a possible malware infection on an Ubuntu Linux host. We'll be looking for specific data points and will document them in a file on the host. Then we'll export the syslog data to a text file for later analysis.

Setting Up the Environment

We will connect to our lab server using VNC. The IP address and login credentials are provided on the lab instructions page.

VNC connections will be different for each operating system.

For Mac users:

  1. Open Finder.
  2. Press Command + K on your keyboard to bring up the Connect to Server window.
    • Alternatively, expand Go in the menu at the top of the screen and click Connect to Server.
  3. In the Connect to Server window, connect to vnc://<IP_ADDRESS>:5901, making sure to replace <IP_ADDRESS> with the IP address you were provided in the hands-on lab instructions.

Document the Required Data Points

  1. Open the Gedit text editor, and write the following:
    • CPU Process:
    • Mem Process:
    • Percentage of Used Disk Space on /dev/xvda1:
    • Remote Username for Active Connections:
    • Remote IP of Active Connections:
  2. Open your terminal application.
  3. Open the system performance interface.
    sudo top
  4. Enter your password at the prompt.
  5. Press Shift + P to sort by CPU utilization.
  6. Locate the process using the most CPU resources. (Wait a few moments to make sure nothing changes.)
  7. In the Gedit document, write the name, CPU utilization percentage, and PID of the process using the most CPU resources.
  8. In your terminal, press Shift + M to sort by memory utilization.
  9. Locate the process using the most memory resources. (Wait a few moments to make sure nothing changes.)
  10. In the Gedit document, write the name, memory utilization percentage, and PID of the process using the most memory resources.
  11. In your terminal, press Ctrl + C to exit top.
  12. List the disk space statistics for the server.
    sudo df -h
  13. Locate the percentage of used disk space for /dev/xvda1, and write it in the Gedit text document.
  14. List the active connections to the server.
    sudo w
  15. Locate the username of the active connection, and write it in the Gedit text document.
  16. List the network status information.
    sudo netstat -a
  17. Locate the ESTABLISHED connection.
  18. Locate the remote IP address of the device that is connected to the server, and write it in the Gedit text document.
  19. In the Gedit text document, click File > Save As.
  20. Name the document "investigation.txt".
  21. Select the Desktop as the save location, and click Save.
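The following POSIX shell script is an added example, not part of the lab, that gathers the same five data points the steps above have you record by hand and writes them to investigation.txt in the lab's format. It assumes the Linux procps tools (`ps --sort`, `w -h`) and either `netstat -an` or `ss -tn` are available; the parsing functions read command output on stdin, so they can also be run against a saved capture. The sample output fragments in the comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the lab): collect the five data points from the
# "Document the Required Data Points" steps and write them to investigation.txt.
# Assumes Linux procps (`ps --sort`, `w -h`) and `netstat -an` or `ss -tn`.

# Name, CPU% and PID of the process using the most CPU (procps `ps`).
top_cpu_process() {
    ps -eo comm,pcpu,pid --sort=-pcpu | awk 'NR == 2 { print $1, $2 "%", $3 }'
}

# Name, memory% and PID of the process using the most memory.
top_mem_process() {
    ps -eo comm,pmem,pid --sort=-pmem | awk 'NR == 2 { print $1, $2 "%", $3 }'
}

# Read `df -h` output on stdin and print the Use% column for one filesystem,
# e.g. (constructed) "/dev/xvda1  20G  12G  7.2G  63% /" -> "63%".
# Exits 1 when the filesystem is not in the output.
used_pct_for_device() {
    awk -v dev="$1" '$1 == dev { print $5; found = 1 } END { exit found ? 0 : 1 }'
}

# Read `w -h` output on stdin and print "USER FROM" for each session that has
# a FROM value (a remote IP, a hostname, or :0 for the local display).
remote_sessions() {
    awk '$3 != "-" { print $1, $3 }'
}

# Read `netstat -an` or `ss -tn` output on stdin and print the remote IP of
# every ESTABLISHED TCP connection, de-duplicated. The port is stripped from
# the peer address; bracketed IPv6 peers such as [::1]:22 are handled too.
established_remote_ips() {
    awk '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" { peer = $5 }   # netstat -an
        $1 == "ESTAB"                       { peer = $5 }   # ss -tn
        peer != "" { sub(/:[^:]*$/, "", peer); print peer; peer = "" }
    ' | sort -u
}

# Write all five data points, in the lab's format, to the given file
# (default: investigation.txt in the current directory).
collect_investigation() {
    out="${1:-investigation.txt}"
    {
        echo "CPU Process: $(top_cpu_process)"
        echo "Mem Process: $(top_mem_process)"
        echo "Percentage of Used Disk Space on /dev/xvda1: $(df -h | used_pct_for_device /dev/xvda1 || echo 'not mounted')"
        echo "Remote Username for Active Connections: $(w -h 2>/dev/null | remote_sessions | awk '{ print $1 }' | sort -u | tr '\n' ' ')"
        echo "Remote IP of Active Connections: $({ netstat -an 2>/dev/null || ss -tn 2>/dev/null; } | established_remote_ips | tr '\n' ' ')"
    } > "$out"
    echo "wrote $out"
}

# Only collect when explicitly asked, so the file can also be sourced for its
# functions, e.g.: sh collect_investigation.sh --run ~/Desktop/investigation.txt
case "${1:-}" in
    --run) collect_investigation "${2:-}" ;;
esac
```

Run it with `--run` and a path to produce the file; run it without arguments from another script (or `.`-source it) to reuse the parsers. Note that `netstat -an` is used rather than the lab's `netstat -a` so that addresses are printed numerically instead of being resolved to hostnames, which keeps the IP parsing reliable.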

Export the Syslog Data to a File

  1. In your terminal, run the following command:
    sudo cat /var/log/syslog > /home/cloud_user/Desktop/syslog.txt
  2. A file called syslog.txt should appear on your desktop.
  3. Open the file and verify that it contains the syslog data.

Conclusion

Congratulations, you've successfully completed this hands-on lab!