
THM: Advent of Cyber 2023 - Day 18 - A Gift That Keeps on Giving

TryHackMe Eradication
eplots.io
Systemcoordinator, Dabble in Cybersecurity, Self-hosting Hobbyist.
Advent of Cyber 2023 - This article is part of a series.
Part 18: This Article
The eighteenth day of AoC23 contains an Eradication task.
We’re going to hunt down a cryptominer: a suspicious process is running on a production server, and we need to find it, stop it, and make sure it stays stopped.

Learning Objectives
#

  • Identify the CPU and memory usage of processes in Linux.
  • Kill unwanted processes in Linux.
  • Find ways a process can persist beyond termination.
  • Remove persistent processes permanently.

Identifying the Process
#

Linux has many ways to monitor system performance; one of them is top. This command shows a list of processes in real time together with their resource usage. The list is dynamic, meaning it reorders as the resource usage of each process changes.

The top command also shows important information such as the PID (Process ID), the user the process runs as, CPU usage, memory usage and the command or process name. By default the list is sorted by CPU usage, so the heaviest consumer sits at the top.

Killing the Culprit
#

At the top of the top output we see a process running at 100% CPU, named a. If we wanted to perform forensics, we would take a memory dump of the process and analyse it further before killing it, because killing it destroys that information. The kill command terminates the process: by default it sends SIGTERM, which a process may ignore; kill -9 sends SIGKILL, which it cannot. Since the process is running as root, we need sudo to elevate privileges. To kill a process: sudo kill <PID>

When we kill the process in this room, it comes back, which tells us something on the system is restarting it.
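The two steps above, finding the busiest process and checking whether it respawns after being killed, as an added shell example (not code from the original room or post). It assumes a Linux host with procps (ps, pgrep) and sudo; the parser reads ps output from stdin so it can be checked on constructed lines, and the process name a is the one from the room.

```bash
#!/usr/bin/env bash
# Added example: find the process eating the CPU and confirm whether it respawns.
# Assumes Linux with procps (ps, pgrep) and sudo. Not part of the original write-up.
set -u

# One-shot equivalent of the top view: pid, user, %cpu, %mem, command, sorted by CPU.
ps_snapshot() {
  ps -eo pid,user,pcpu,pmem,comm --no-headers --sort=-pcpu
}

# Parse "pid user %cpu %mem comm" lines from stdin (the ps_snapshot format) and
# print the single busiest entry with normalised spacing. Reading stdin keeps it
# testable offline: feed it constructed lines instead of a live snapshot.
top_cpu_process() {
  awk 'NR == 1 || $3 + 0 > max { max = $3 + 0; line = $1 " " $2 " " $3 " " $4 " " $5 }
       END { if (line != "") print line }'
}

# Kill every process with the given name as root, wait, and report whether
# something started it again. Exit status 1 means "it came back": go look for
# a cron job or systemd unit that respawns it.
kill_and_check() {
  name=$1
  wait=${2:-5}
  before=$(pgrep -x -d ' ' -- "$name") || { echo "no process named $name"; return 2; }
  echo "killing PID(s) $before"
  # SIGTERM first; switch to kill -9 if the miner ignores it.
  sudo kill -- $before
  sleep "$wait"
  if after=$(pgrep -x -d ' ' -- "$name"); then
    echo "$name respawned as PID(s) $after: check cron and systemd units"
    return 1
  fi
  echo "$name is gone and stayed gone"
  return 0
}

# Usage on the live box (uncomment):
# ps_snapshot | top_cpu_process
# kill_and_check a
```

top_cpu_process is deliberately separated from ps_snapshot so the selection logic can be exercised on a saved snapshot; on the live box, pipe one into the other and then pass the reported name to kill_and_check.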

Checking the Cronjobs
#

Cron jobs are tasks we ask the system to run on our behalf at fixed intervals. To list them, run crontab -l. Each user has their own crontab, so crontab -l only shows the current user’s jobs; to see root’s jobs we need to elevate our privileges (sudo crontab -l). System-wide jobs can also live in /etc/crontab and the /etc/cron.* directories, which crontab -l does not show, so those are worth a look as well.

Check for Running Services
#

To look for services we run systemctl list-unit-files, which lists every unit file systemd knows about together with its state (enabled, disabled, static, and so on). The service responsible has to be enabled for systemd to start it at boot, so we use grep to show only enabled units: systemctl list-unit-files | grep enabled

We find a suspicious service. To inspect it, run systemctl status [redacted]. The status output shows the path of the unit file, whether it is enabled, and the PID of the process it started.

Getting Rid of the Service
#

First we stop the service by running systemctl stop [redacted] as root. Then we disable it by running systemctl disable [redacted] as root, so it no longer starts at boot. Now we can remove the files from the system. We need the path to the files, which is shown when running systemctl status [redacted]. To get rid of the service permanently, we delete the two files at that path by running rm -rf /etc/systemd/system/a and rm -rf /etc/systemd/system/[redacted]. When running systemctl status [redacted] afterwards, you get an error telling you the service can’t be found.

To wrap things up, we reload systemd so it drops the deleted unit from its view: systemctl daemon-reload.
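The whole eradication procedure from the three sections above, hunting the persistence in cron and systemd and then removing the unit, as one added shell example (not code from the original room or post). It assumes systemd (with systemctl show --value, available since systemd 230) and cron on a Linux host, and sudo. The unit name is passed in as a parameter because it is redacted on the page; the service name example.service and the paths in the test inputs are constructed for illustration. One caveat the original does not make explicit: copies of the unit file and binary are kept in an evidence directory before deletion, since the room warns that killing the miner loses forensic data.

```bash
#!/usr/bin/env bash
# Added example: hunt the persistence that restarts the miner and remove it.
# Assumes systemd (systemctl show --value), cron and sudo. Not from the original write-up.
set -u

# Cron: crontab -l only shows the calling user's jobs, so walk every account as
# root and also dump the system-wide cron locations that crontab -l never shows.
list_all_cron() {
  while IFS=: read -r user _rest; do
    sudo crontab -l -u "$user" 2>/dev/null | sed "s/^/$user: /"
  done < /etc/passwd
  sudo cat /etc/crontab /etc/cron.d/* 2>/dev/null
  sudo ls -l /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly 2>/dev/null
}

# Extract the unit file path from the "Loaded: loaded (/path/x.service; enabled; ...)"
# line that systemctl status prints. Reads stdin so it can be checked offline.
loaded_path_from_status() {
  sed -n 's/^[[:space:]]*Loaded: loaded (\([^;]*\);.*/\1/p'
}

# Extract the binary path from the ExecStart= value printed by
# "systemctl show -p ExecStart --value UNIT", which looks like
# "{ path=/x/y ; argv[]=/x/y ; ignore_errors=no ; ... }".
execstart_path() {
  sed -n 's/^{ path=\([^ ]*\) ;.*/\1/p'
}

# Stop, disable, preserve evidence, delete the unit file and its binary, reload.
# $1 = unit name, $2 = evidence directory (default /root/evidence).
eradicate_unit() {
  unit=$1
  evidence=${2:-/root/evidence}
  unit_file=$(systemctl show -p FragmentPath --value "$unit")
  binary=$(systemctl show -p ExecStart --value "$unit" | execstart_path)
  sudo systemctl stop "$unit"
  sudo systemctl disable "$unit"
  sudo mkdir -p "$evidence"
  for f in "$unit_file" "$binary"; do
    [ -n "$f" ] && [ -e "$f" ] || continue
    sudo cp -a "$f" "$evidence"/      # keep a copy for analysis before deleting
    sudo rm -f -- "$f"
  done
  sudo systemctl daemon-reload
  # Expected after removal: "Unit ... could not be found."
  systemctl status "$unit" 2>&1 | head -n 1
}

# Usage on the live box (uncomment):
# list_all_cron
# systemctl list-unit-files | grep enabled
# eradicate_unit example.service
```

The ordering matters: stop before disable so the running miner dies, disable before deleting the unit file so systemd removes its own symlinks cleanly, and daemon-reload last so the deleted unit disappears from systemctl status.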
