This is an individual assignment. All work must be your own. You should not look at any other student's work (in whole or in part, on paper or on screen), nor allow anyone else to look at yours, during the course of this assignment.
Turn in your answers to these questions to Lab 2 in the CS Homework system. Answers must be typed; plain text is strongly preferred.
This lab will introduce you to more about command line interaction with Unix operating systems. All answers to questions below must be Unix shell commands. Answers that solve the given problems using GUI (Graphical User Interface) tools will receive no points.
Hint: 'man' is your friend. "man UnixCommandName" will provide a helper manual on how to use any Unix command. (Type "man UnixCommandName" at a Unix command prompt. Tap the space bar to move down in the manual, 'b' to move back up, and 'q' when you are done reading the manual.)
Hint 2: Material learned by working on this lab exercise will, of course, show up on future exams.
Open any UNIX-like terminal that you prefer. Recent versions of Apple's macOS are Unix-based, so the 'Terminal' application available on any Mac in our department CS lab will be fine. Installing Cygwin on your own Windows machine is one way to get a Unix-like environment there.
into the terminal you just opened. You should see the absolute path name of the 'ssh' command, if it is installed on the system you are using. You will need 'ssh', so if you see "Command not found", then move to a computer that has ssh installed.
Pretend you are a system administrator at a physically large facility. A user telephones you and says that they think their computer has been hacked, and malware files might be in their account. Your job is to help.
However, you are far away from the user's office, and you don't want the hacker (if they exist) to delete evidence of their invasion before you have time to walk across campus. (Or, perhaps, there is a pandemic occurring.)
You must log in to the user's computer remotely and use Unix commands to investigate. You may select hopper.csustan.edu, turing.csustan.edu, or one of the other available servers in our lab. Here is a list of those servers, plus their 'fingerprints', which the computers will present to you when you try to log in for the first time, so you can verify your computer has connected to the correct machine before you type your password.
(One way to steal passwords is to persuade people they are logging in to a familiar, safe machine when they are not. The fingerprint is a hash of the server's host key, so checking it against this list before you answer "yes" to ssh's "authenticity of host ... can't be established" prompt is a way to prevent this theft from happening -- or at least to make the theft much more difficult. If the fingerprint ssh shows does not match the list, stop and do not type your password.)
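Here is an added example, not part of the lab handout, of what the fingerprint on that list actually is: OpenSSH's SHA256 fingerprint is the unpadded base64 of the SHA-256 hash of the raw host-key blob, and the older MD5 form is the colon-separated hex of its MD5 hash. The script computes both from a public-key line using only POSIX sh plus base64/sha256sum/md5sum (coreutils or busybox). The key line it uses is a constructed, syntactically valid ssh-ed25519 key whose 32 key bytes are all 0x41; it is not any real server's key, and the host name in its comment is made up.

```sh
#!/bin/sh
# Added example (not from the lab handout): compute the OpenSSH-style
# fingerprint of a public host-key line so it can be compared with a published
# list before a password is typed. On macOS, 'shasum -a 256' replaces sha256sum.
set -u

# CONSTRUCTED sample: a valid ssh-ed25519 key whose 32 key bytes are all 'A'
# (0x41). It is not a real server key; the comment is made up.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB demo-host'

# Second field of a "type blob [comment]" line is the base64 key blob.
key_blob() { printf '%s\n' "$1" | awk '{print $2}'; }

# Turn a hex string into raw bytes using POSIX printf octal escapes (\ooo),
# so no xxd/perl/openssl is needed. Each byte becomes exactly "\ddd".
hex_to_bytes() {
    rest=$1 fmt=''
    while [ -n "$rest" ]; do
        byte=${rest%"${rest#??}"}        # first two hex digits
        rest=${rest#??}
        fmt="$fmt$(printf '\\%03o' "$((0x$byte))")"
    done
    printf "$fmt"
}

# "SHA256:<unpadded base64 of sha256(blob)>", the form modern ssh prints.
fingerprint_sha256() {
    digest=$(key_blob "$1" | base64 -d | sha256sum | awk '{print $1}')
    printf 'SHA256:%s\n' "$(hex_to_bytes "$digest" | base64 | tr -d '=\n')"
}

# "MD5:aa:bb:...", the legacy form older clients and some lists still use.
fingerprint_md5() {
    digest=$(key_blob "$1" | base64 -d | md5sum | awk '{print $1}')
    printf 'MD5:%s\n' "$(printf '%s' "$digest" | sed 's/../&:/g; s/:$//')"
}

# Exit status 0 only if the key's fingerprint equals the published one.
verify_fingerprint() {      # verify_fingerprint KEYLINE PUBLISHED
    case $2 in
        SHA256:*) computed=$(fingerprint_sha256 "$1") ;;
        MD5:*)    computed=$(fingerprint_md5 "$1") ;;
        *)        echo "unrecognised fingerprint format: $2" >&2; return 2 ;;
    esac
    [ "$computed" = "$2" ]
}

# Demo: print both forms, then check the key against its own SHA256 value.
fp=$(fingerprint_sha256 "$SAMPLE_KEY")
printf '%s\n%s\n' "$fp" "$(fingerprint_md5 "$SAMPLE_KEY")"
if verify_fingerprint "$SAMPLE_KEY" "$fp"; then
    echo "fingerprint matches the published value: safe to type a password"
else
    echo "MISMATCH: do not log in" >&2
fi
```

In practice you do not need this script: the first time you connect, ssh prints "ED25519 key fingerprint is SHA256:..." (or another key type) and asks whether to continue; compare that string with the list and answer "yes" only if it matches. `ssh-keygen -lf file` prints the same SHA256 value for a saved public key (`-E md5` gives the legacy form), which is how the list itself would be produced.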
Use your own CS student account to log in to a CS department server from the command line. You must NOT be sitting physically at that particular server when you do this.
The CS department server will be the "user's computer" in the following questions. Call whichever server you selected X.csustan.edu. (In all questions below, swap in the name of the actual machine you selected for X.)
#1: Explain exactly what you did to log into the CS department server. Provide the exact command lines that you used in your answer.
Now that you have logged in as yourself, log out. ("exit" at the command prompt)
Log in to X.csustan.edu from the command line again. This time, log in as "the user". The user's login and password are here.
#2: Explain exactly what you did to log into the CS department server as the user. Provide the exact command lines that you used in your answer.
(Do not ever share your real password. Real sysadmins don't need your password; they have their own. This user account will be deleted after Lab 2 is turned in, so sharing its password in your lab report is ok.)
Inside the "cs3750" folder in the user's account there is a folder named after your last name. (If your name has a hyphen or space in it, the folder name removes the hyphen or space in your last name. If your last name is Rodriguez -- there are two -- add the first and last letters of your first name to find your own folder.)
Inside the folder named after you, there is a file, hidden by the hacker. Your task is to find that file and read its contents. (See hint at top of section.)
After you read the file, give the computer a command to hide the file again.
#3: Explain exactly what you did to find the file, and how you were able to see its contents. How did you hide the file again after you read it? Provide the exact command lines that you used in your answer. Also copy the contents of the file into your answer.
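The following is an added example, not part of the lab handout, of the find / read / hide-again sequence on a throwaway folder that mimics the lab layout. The folder name "smith", the file names and the file contents are all constructed for the demo; the real hidden file in your own folder will have a different name.

```sh
#!/bin/sh
# Added example (not from the lab handout): build a constructed folder with a
# dot-file hidden the way the "hacker" did, then find it, read it, reveal it,
# and hide it again. All names and contents are made up.
set -u

# Create the constructed folder and print its path.
make_sample_folder() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cs3750/smith"
    printf 'visible homework file\n' > "$dir/cs3750/smith/hw1.txt"
    # A leading dot is all it takes to keep a file out of a plain 'ls'.
    printf 'constructed secret message left by the hacker\n' > "$dir/cs3750/smith/.notes"
    printf '%s\n' "$dir/cs3750/smith"
}

# Names a plain 'ls' omits: entries starting with '.'.
# 'ls -A' lists dot-files but drops . and ..; 'ls -a' would include them.
list_hidden() { ls -A "$1" | grep '^\.'; }

# Read a hidden file in place; nothing has to be renamed to 'cat' it.
show_hidden() { cat "$1/$2"; }

# Reveal a file by dropping the leading dot, and hide it again by putting one back.
reveal_file() { mv "$1/$2" "$1/${2#.}"; }     # reveal_file DIR .name  -> name
hide_file()   { mv "$1/$2" "$1/.$2"; }        # hide_file   DIR name   -> .name

# Demo run: find, read, reveal, re-hide, and show the final long listing.
folder=$(make_sample_folder)
hidden=$(list_hidden "$folder")               # .notes
show_hidden "$folder" "$hidden"
reveal_file "$folder" "$hidden"               # plain 'ls' now shows "notes"
hide_file "$folder" "${hidden#.}"             # back to ".notes"
ls -la "$folder"
rm -rf "${folder%/cs3750/smith}"

# Across a whole tree rather than one folder:
#   find "$HOME/cs3750" -name '.*' -type f     # every dot-file, recursively
```

The long listing (`ls -la`) is the one to paste into a report because it also shows owner, permissions and modification time of the hidden file, which is evidence in its own right.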
You are worried that the hacker may have left a program running on the user's machine. You suspect that the hacker's potential malware will either be using a lot of CPU time, or have a lot of threads running within it. Or the hacker's program will have the word "dococtopus" in the process name.
Figure out how to list all running processes on a computer with:
For the lists of CPU active processes and processes with many threads, bear in mind that some malware will not be active all the time, in order to hide better. So the commands you use to check for high CPU or thread usage should run continually, and update their information periodically. This would allow a system administrator to look for processes whose activity "spikes" every once in a while.
Note that the hacker may not be using the same user identifier as you are; you will need to look at all the processes on the system. You might need to use commands you learned in Lab 1, too.
#4: Explain what you did, exactly, to list the most CPU active processes. Provide exact command lines that you used in your answer.
#5: Explain what you did, exactly, to list the processes with the most threads. Provide exact command lines that you used in your answer.
#6: Explain what you did, exactly, to list only the processes with "dococtopus" in their process names. Provide exact command lines that you used in your answer.
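As an added example that is not part of the lab handout, the script below takes one snapshot of the process table in the three views #4 to #6 ask for, and wraps the snapshot in a loop that rescans every few seconds. It assumes the GNU procps `ps` found on Linux servers (the `nlwp`, `pcpu` and `--no-headers` options are procps-specific; macOS `ps` has no thread-count column). The ranking and filtering live in small functions that read ps-style rows from stdin, so the same logic can be run on constructed rows. The column layout throughout is PID USER NLWP %CPU COMMAND.

```sh
#!/bin/sh
# Added example (not from the lab handout): CPU-heavy, thread-heavy and
# name-matched processes, one snapshot at a time, on GNU procps 'ps'.
# Column layout of every row handled below: PID USER NLWP %CPU COMMAND.

# All processes of all users (-e), fixed columns, no header line.
# NLWP is the number of threads ("light-weight processes") in the process.
snapshot() { ps -eo pid,user,nlwp,pcpu,comm --no-headers; }

# The N rows with the highest %CPU (column 4, numeric, descending).
top_cpu()     { sort -k4,4nr | head -n "${1:-10}"; }
# The N rows with the most threads (column 3).
top_threads() { sort -k3,3nr | head -n "${1:-10}"; }
# Only rows whose command name (column 5) contains the pattern, any case.
match_name()  { awk -v pat="$1" 'BEGIN { pat = tolower(pat) } tolower($5) ~ pat'; }

# Rescan every SECS seconds so a process that only spikes now and then is
# still caught. Stop with Ctrl-C.   e.g.  poll 2 top_cpu 5
#                                        poll 2 match_name dococtopus
poll() {
    secs=$1; shift
    while :; do
        clear; date
        snapshot | "$@"
        sleep "$secs"
    done
}

# One-shot demo of each view (skipped quietly where 'ps' is unavailable).
if command -v ps >/dev/null 2>&1; then
    echo '== busiest by CPU ==';     snapshot | top_cpu 5
    echo '== most threads ==';       snapshot | top_threads 5
    echo '== name contains sh ==';   snapshot | match_name sh
fi

# Equivalent single commands for a lab report:
#   ps -eo pid,user,nlwp,pcpu,comm --sort=-pcpu | head      # CPU, one shot
#   ps -eo pid,user,nlwp,pcpu,comm --sort=-nlwp | head      # threads, one shot
#   watch -n 2 'ps -eo pid,user,nlwp,pcpu,comm --sort=-pcpu | head'   # refreshing
#   top                                                      # interactive, CPU-sorted
#   ps -eo pid,user,comm | grep -i dococtopus                # by name
#   pgrep -l dococtopus                                      # by name, shorter
```

The `grep -i dococtopus` form will also list the grep itself on some systems (its own argument contains the word); `pgrep` avoids that, and `ps -eo ... args` shows full command lines if the name alone is not enough.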
You suspect that the hacker left behind a suspicious file in the user's home directory. However, you don't know the name of the file and, obviously, the hacker would not have put it somewhere obvious. You do suspect the file will be significantly larger (bigger file size) than anything else in the user's cs3750 folder.
Log in as the user, and use 'cd' to get into the cs3750 folder.
Using one of the Unix commands identified in this subsection title, take a look at the sizes of the data stored in all the folders in this folder. (This can be done with one Unix command. Discover it.) One folder will be much larger than the rest -- that is where the hacker left a suspicious file.
#7: Explain exactly what you did to find the file. Provide the exact command lines that you used in your answer. Also identify the location of the file, its name, and how many bytes are in the file in your answer.
(If you are unable to find the file using a command line command, you may contact the professor to find out its location and complete #8.)
#8: Explain what you did, exactly, to find the word "dococtopus" within the file. Provide exact command lines that you used in your answer. Also include the contents of the line or lines within the file that contain the word "dococtopus".
(Note: The file is a real one, of email messages. However, most of the email addresses and human names in the file were changed.)
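Here is an added example, not part of the lab handout, that runs the #7 and #8 procedure end to end on a constructed cs3750 folder: one sub-folder is far larger than the rest because of a planted (and hidden) mailbox file, and two header lines in that file mention "dococtopus". The folder names, the filler text and the addresses are all made up; the real file in the lab has a different name and location.

```sh
#!/bin/sh
# Added example (not from the lab handout): size the sub-folders of a cs3750
# folder, pin down the oversized file inside the biggest one, and pull out the
# lines that mention "dococtopus". Everything here is constructed sample data.
set -u

make_sample_cs3750() {
    root=$(mktemp -d)/cs3750
    mkdir -p "$root/lab1" "$root/lab2" "$root/notes"
    printf 'small file\n' > "$root/lab1/readme.txt"
    printf 'another small file\n' > "$root/notes/todo.txt"
    # The planted file: thousands of filler lines, then mail headers, two of
    # which mention dococtopus. It is a dot-file, so plain 'ls' hides it.
    {
        awk 'BEGIN { for (i = 1; i <= 5000; i++) print "X-Filler: constructed mailbox line " i }'
        printf 'From: dococtopus@example.invalid\n'
        printf 'Subject: hello\n'
        printf 'Reply-To: the DocOctopus says hi\n'
    } > "$root/lab2/.mbox"
    printf '%s\n' "$root"
}

# Size of every sub-folder in KiB, smallest first: 'du -s' totals each folder
# (hidden files included), 'sort -n' orders by the number in column 1.
folder_sizes()   { du -sk "$1"/* | sort -n; }
largest_folder() { folder_sizes "$1" | tail -n 1 | awk '{print $2}'; }

# Every regular file below a folder with its exact byte count, biggest last.
# 'find' sees dot-files too; 'wc -c' is the byte count, not the disk usage.
file_sizes()   { find "$1" -type f -exec wc -c {} \; | sort -n; }
largest_file() { file_sizes "$1" | tail -n 1 | awk '{print $1, $2}'; }   # "BYTES PATH"

# Matching lines with their line numbers: -n numbers lines, -i ignores case.
find_word() { grep -n -i "$2" "$1"; }

# Demo run.
root=$(make_sample_cs3750)
echo '== folder sizes (KiB) =='; folder_sizes "$root"
big=$(largest_folder "$root")
echo "== largest folder: $big =="
file=$(largest_file "$big")
echo "== largest file (bytes path): $file =="
echo '== lines mentioning dococtopus =='; find_word "${file#* }" dococtopus
rm -rf "${root%/cs3750}"

# The same steps as bare commands, from inside the cs3750 folder:
#   du -sk * | sort -n            # biggest folder is on the last line
#   ls -la BIGFOLDER              # or: find BIGFOLDER -type f -exec wc -c {} \;
#   wc -c BIGFOLDER/FILE          # byte count for the report
#   grep -n -i dococtopus BIGFOLDER/FILE
```

`du` reports disk blocks rounded up to kilobytes, which is the right tool for spotting which folder is oversized; the byte count the question asks for comes from `wc -c` (or the size column of `ls -l`), not from `du`.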
Turn in your answers to the questions in Lab 2 in the CS Homework system.