Vulnarex | Elite Cybersecurity Learning Platform

#Process Management and Monitoring#link

Every running program on Linux is a process. Understanding how to view, manage, and monitor processes is critical for security professionals. During incident response, the first question is often 'what is running on this system?' Malware, backdoors, cryptominers, and unauthorized services all appear as processes. This lesson teaches you how to find them.

Viewing Running Processes

Linux provides several tools to inspect running processes. Each offers different levels of detail and is useful in different scenarios.

Process Viewing Commands

root@vulnarex:~## Classic process listing ps aux # Process tree (shows parent-child relationships) ps auxf # Top-like interactive viewer top # Enhanced top (install htop for better UI) htop # Show processes for a specific user ps -u www-data # Show full command lines (important for spotting obfuscated commands) ps auxww # Show process with specific PID details ps -fp 1234

Process Tree Analysis

Understanding parent-child process relationships is crucial for identifying malicious activity. Legitimate processes have expected parents. A web server spawning a shell is suspicious. An unknown process with no parent (orphaned) is very suspicious.

Process Tree and Parent Analysis

root@vulnarex:~## Show process tree with PIDs ps -ef --forest # Show parent PID for all processes ps -eo pid,ppid,user,comm,args # Find all processes with a specific parent ps --ppid 1 # Show process ancestry for a specific PID pstree -p 2891 # Alternative: use /proc filesystem cat /proc/2891/status | grep -E "(Name|Pid|PPid|Uid)" # Check the actual executable path ls -la /proc/2891/exe # Check the command line used to start the process cat /proc/2891/cmdline | tr '\0' ' '

STRICT SECURE AUDIT RULE

⚠️ The python3 process above (PID 2891) is a red flag. It was spawned by sshd (PID 412), meaning someone connected via SSH and ran a Python one-liner. The command uses 'import socket,subprocess,os' — a classic reverse shell pattern. This is exactly the kind of anomaly you must catch during monitoring.

Network-Connected Processes

One of the most important security checks is identifying which processes have active network connections. This reveals listening services, outbound connections, and potential command-and-control channels.

Network Connection Analysis

root@vulnarex:~## Show all network connections with process info ss -tulnp # Show established connections only ss -tnp state established # Show which process is using a specific port lsof -i :4444 # Show all connections to a specific IP ss -tnp | grep 10.10.10.50 # Show listening sockets only lsof -i -sTCP:LISTEN # Continuous monitoring (like netstat -c) watch -n 2 'ss -tulnp'

info

💡 The combination of ss -tulnp and lsof -i is your go-to for identifying suspicious network activity. Look for: unexpected listening ports, processes connecting to unknown external IPs, and processes that should not have network access (like text editors or compilers).

Process Resource Monitoring

Resource abuse is a common indicator of compromise. Cryptominers consume CPU. Memory-resident malware consumes RAM. Monitoring resource usage helps detect these threats.

Resource Monitoring Commands

root@vulnarex:~## CPU and memory usage per process ps aux --sort=-%cpu | head -10 ps aux --sort=-%mem | head -10 # Real-time CPU monitoring mpstat 1 5 # Memory usage overview free -h # Disk I/O per process (install iotop) sudo iotop -o # Check for processes using excessive CPU ps aux | awk '$3 > 50.0 {print $0}' # Check for hidden processes (compare ps with /proc) ps -eo pid | sort -n > /tmp/ps_pids ls /proc/ | grep -E '^[0-9]+$' | sort -n > /tmp/proc_pids comm -23 /tmp/proc_pids /tmp/ps_pids

Killing and Managing Suspicious Processes

When you identify a malicious process, you need to terminate it — but carefully. Simply killing a process may trigger persistence mechanisms. Always investigate before killing.

bash

# Process termination escalation:

kill 2891          # Graceful termination (SIGTERM)
kill -15 2891       # Same as above, explicit
kill -9 2891        # Force kill (SIGKILL) — use if SIGTERM fails
kill -9 -1          # ⚠️ KILL ALL PROCESSES (including yourself!)

# Kill by name
killall python3     # Kill all python3 processes
pkill -f "reverse" # Kill processes matching a pattern

# Before killing, capture forensic evidence:
cat /proc/2891/cmdline | tr '\0' ' ' > /tmp/evidence_2891.txt
ls -la /proc/2891/exe > /tmp/exe_2891.txt
cp /proc/2891/exe /tmp/malware_sample_2891 2>/dev/null
ss -tnp | grep 2891 > /tmp/connections_2891.txt

# Then kill
kill -9 2891

callout

In a real incident response scenario, do NOT immediately kill the malicious process. Instead, isolate the system from the network (pull the cable or disable the interface), then capture memory, disk images, and process details before terminating anything. Killing the process destroys volatile evidence.

quiz BLOCK (★ 50 XP)

You notice a process named 'python3' running at 98% CPU, spawned by sshd, with an outbound connection to 10.10.10.50:4444. What is the MOST likely explanation?

Select your proof vectors above