Your monitoring system flagged abnormally high CPU usage (98%) on the production server app-server-02 at 15:22 UTC on November 28, 2025. The server runs Ubuntu 22.04 and normally operates at 15-20% CPU. Your mission is to analyze the system logs to identify the source of the resource consumption and determine whether the system has been compromised.
⚠️ SYNTHETIC SCENARIO
All log data, process names, cron jobs, and network addresses in this challenge are synthetically generated for training purposes. No real malware samples or C2 servers are represented.
Available Artifacts
/var/log/syslog – System events, cron jobs, and process spawning
/var/log/cron.log – Scheduled task execution history
ps aux output – Running process snapshot
Interactive Terminal – Run grep/awk commands to analyze logs
Learning Objectives
Detect cryptocurrency miners through resource anomalies
Understanding Cryptocurrency Miners
Cryptocurrency miners are malicious programs that hijack system resources (CPU/GPU) to mine cryptocurrency for attackers. Deploying one is among the most common post-exploitation activities; a miner degrades performance, increases costs, and often indicates a deeper compromise.
🪙 How Cryptominers Work
Goal: Use victim's computational power to solve cryptographic puzzles and earn cryptocurrency (usually Monero due to its privacy features).
Impact: Extreme CPU usage (often 90-100%), increased electricity costs, hardware wear, degraded application performance, and potential system crashes.
Stealth Tactics: Miners often disguise themselves as system processes (kworker, systemd), run at low priority to avoid detection, and throttle their CPU use while a user is active on the system.
📄 /var/log/syslog
Purpose: General system messages including kernel events, daemon logs, cron job execution, and process spawning.
Why It's Critical: Shows when suspicious processes started, what spawned them, and any anomalous system behavior. Cron entries reveal persistence mechanisms.
⏰ /var/log/cron.log
Purpose: Logs all cron job executions, including user, command, and timing.
Why It's Critical: Attackers often use cron for persistence. Unusual cron jobs (especially for non-admin users) indicate compromise.
Common Miner Indicators
🚨 Process Indicators
High CPU usage (80-100%)
Suspicious process names (xmrig, minerd)
Hidden directories under /tmp or /dev/shm
Masquerading or randomized binary names (e.g., kswapd0)
Running from unusual paths
⏰ Persistence Methods
Cron jobs (@reboot, */5 * * * *)
Systemd services
rc.local / init scripts
Bash profile modifications
Auto-restart on crash
🌐 Network Indicators
Connections to mining pools
Stratum protocol (ports 3333, 4444)
TLS connections to unknown IPs
Domain names with "pool" or "mine"
📂 File System Artifacts
Config files with pool addresses
Payloads downloaded from pastebin/GitHub
Executables in /tmp or /dev/shm
Modified crontabs
Investigation Commands
# Find high CPU processes
ps aux --sort=-%cpu | head -10
# Check cron jobs for all users
grep "CRON" /var/log/syslog
# Check network connections
netstat -antp | grep ESTABLISHED
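As an added example that is not part of the challenge, the shell functions below apply the indicators above to constructed ps aux and syslog samples (every sample line is constructed for this example; the names mirror the scenario's answers). Each function returns its matching lines, so the same awk logic can be pointed at a real /var/log/syslog and live ps output by replacing the sample variables.

```sh
#!/bin/sh
# Added triage example for this scenario (not part of the challenge page).
# Every sample line below is constructed; names mirror the scenario's answers.
PS_SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 167892 11244 ?        Ss   14:01   0:02 /sbin/init
root        73  0.0  0.0      0     0 ?        S    14:01   0:00 [kswapd0]
www-data  1342  0.3  1.2 231120 98120 ?        S    14:02   0:05 /usr/sbin/apache2 -k start
www-data  8934 98.2  0.6 392040 51236 ?        Rl   15:20  12:41 /tmp/.system/kswapd0 -o xmr-pool.trustmining.org:3333'

SYSLOG_SAMPLE='Nov 28 15:17:01 app-server-02 CRON[8812]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov 28 15:19:44 app-server-02 crontab[8890]: (www-data) REPLACE (www-data)
Nov 28 15:20:01 app-server-02 CRON[8901]: (www-data) CMD (/tmp/.system/kswapd0)'

# Processes at or above a %CPU threshold (default 80), or whose binary lives under
# /tmp or /dev/shm. The bracketed [kswapd0] kernel thread has no path and is not
# flagged; only the path-based impostor is. Output: PID USER %CPU COMMAND.
suspicious_procs() {
  printf '%s\n' "$PS_SAMPLE" | awk -v thr="${1:-80}" 'NR > 1 {
    cpu = $3 + 0; cmd = $11
    if (cpu >= thr || cmd ~ /^\/(tmp|dev\/shm)\//) print $2, $1, $3, cmd
  }' | sort -k3 -nr
}

# Network indicators visible without netstat: command lines naming a pool/miner
# host or a Stratum port (3333, 4444). Output: PID and the full command line.
pool_indicators() {
  printf '%s\n' "$PS_SAMPLE" | awk 'NR > 1 {
    line = $11; for (i = 12; i <= NF; i++) line = line " " $i
    if (tolower(line) ~ /pool|mine|:(3333|4444)([^0-9]|$)/) print $2, line
  }'
}

# Persistence indicators: cron jobs for non-root users that execute from /tmp or
# /dev/shm, plus crontab REPLACE events (a user's crontab was rewritten).
suspicious_cron() {
  printf '%s\n' "$SYSLOG_SAMPLE" | awk '
    /CRON\[[0-9]+\]: \([^)]+\) CMD/ && !/\(root\) CMD/ && /\/(tmp|dev\/shm)\// { print }
    /crontab\[[0-9]+\]: .*REPLACE/ { print }'
}

# Stand-alone run: print each report.
echo "== high-CPU or /tmp-resident processes =="; suspicious_procs
echo "== mining pool indicators ==";              pool_indicators
echo "== suspicious cron activity ==";            suspicious_cron
```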
Evidence Review
📄 /var/log/syslog
⏰ /var/log/cron.log
🖥️ ps aux (Running Processes)
Interactive Terminal
Run bash commands to analyze the logs. Available: cat, grep, wc, awk, sort, uniq, ps, clear, help
Investigation Tasks
✓ Correct Answer:
kswapd0
The malicious process is named "kswapd0" - a typo-squatting technique mimicking the legitimate Linux kernel swap daemon "kswapd". Look for it in ps aux output consuming 98% CPU.
✓ Correct Answer:
98.2
The kswapd0 process shows 98.2% CPU usage in the ps aux output - an abnormally high value indicating cryptocurrency mining activity.
✓ Correct Answer:
8934
PID 8934 is assigned to the malicious kswapd0 process. This can be used to kill the process and trace its parent process.
✓ Correct Answer:
/tmp/.system/kswapd0
The miner is running from /tmp/.system/kswapd0 - a hidden directory in /tmp. Attackers use /tmp because it's writable by all users and often not monitored closely.
✓ Correct Answer:
www-data
The process runs as "www-data" (web server user), indicating the attacker likely gained initial access through a web application vulnerability before escalating to install the miner.
✓ Correct Answer:
@reboot
The cron job uses "@reboot" which executes the miner automatically every time the system restarts - ensuring persistence across reboots.
✓ Correct Answer:
raw.githubusercontent.com
The miner was downloaded from raw.githubusercontent.com (GitHub raw file hosting). Attackers abuse legitimate services to evade detection and blend in with normal traffic.
✓ Correct Answer:
xmr-pool.trustmining.org
The miner connects to xmr-pool.trustmining.org:3333 (Monero mining pool). Blocking this domain/IP prevents the miner from submitting work and earning cryptocurrency.
✓ Correct Answer:
T1496
T1496 = Resource Hijacking. This technique involves leveraging system resources for cryptocurrency mining, cloud computing, or distributed computing without authorization.
Attack Analysis & Incident Summary
Investigation: Review web server logs for the initial access vector; check for other backdoors
Long-term: Implement resource monitoring alerts, harden the web application, run regular vulnerability scanning
Why This Attack Succeeded
The cryptominer successfully infected the system because:
1. Initial access likely through web application vulnerability (running as www-data)
2. /tmp directory allowed execution of downloaded binaries
3. www-data user could create cron jobs for persistence
4. No outbound firewall rules blocking unknown mining pool connections
5. Lack of CPU/resource usage alerting for early detection