This document provides a cheat sheet of Linux commands that can be used to assess if a system has been compromised. It lists processes, directories, files, users and logs that should be checked, along with specific commands to find anomalies or signs of intrusion in each of these areas. Some key things to check include open ports and sockets, SUID/SGID files, recently modified files, logs with unusual content, and scheduled tasks. The goal is to help identify unusual or suspicious activity that warrants further investigation.
Linux Compromise Assessment Command Cheat Sheet

The Big Five: Processes • Directories • Files • Users • Logs

Haste makes waste:
    echo "Don't Panic."

Processes

Large amounts of CPU/RAM:
    top
Process tree:
    ps -auxwf
Open network ports or raw sockets:
    netstat -nalp
    netstat -plant
    ss -a -e -i
    lsof [many options]
Deleted binaries still running:
    ls -alR /proc/*/exe 2> /dev/null | grep deleted
Process command name/cmdline:
    strings /proc/<PID>/comm
    strings /proc/<PID>/cmdline
Real process path:
    ls -al /proc/<PID>/exe
Process environment:
    strings /proc/<PID>/environ
Process working directory:
    ls -alR /proc/*/cwd
Process running from tmp, dev dirs:
    ls -alR /proc/*/cwd 2> /dev/null | grep tmp
    ls -alR /proc/*/cwd 2> /dev/null | grep dev

Directories

Commonly targeted directories:
    /tmp, /var/tmp, /dev/shm, /var/run, /var/spool, user home directories
List and delimit spaces, etc. in names:
    ls -lap
List all hidden directories:
    find / -type d -name ".*"

Files

Immutable files and directories:
    lsattr / -R 2> /dev/null | grep "\----i"
Find SUID/SGID files:
    find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Files/dirs with no user/group name:
    find / \( -nouser -o -nogroup \) -exec ls -lg {} \;
List all file types in current dir:
    file * -p
Find executables anywhere, /tmp, etc.:
    find / -type f -exec file -p '{}' \; | grep ELF
    find /tmp -type f -exec file -p '{}' \; | grep ELF
Find files modified/created within last day:
    find / -mtime -1
Persistence areas:
    /etc/rc.local, /etc/init.d, /etc/rc*.d, /etc/modules, /etc/cron*, /var/spool/cron/*
Package commands to find changed files:
    rpm -Va | grep '^..5.'
    debsums -c

Users

Find all ssh authorized_keys files:
    find / -name authorized_keys
History files for users:
    find / -name '.*history'
History files linked to /dev/null:
    ls -alR / 2> /dev/null | grep '.*history' | grep null
Look for UID 0/GID 0:
    grep ":0:" /etc/passwd
Check sudoers file (and group membership):
    cat /etc/sudoers
    cat /etc/group
Check scheduled tasks:
    crontab -l
    atq
    systemctl list-timers --all

Logs

Check for zero size logs:
    ls -al /var/log/*
Dump audit logs:
    utmpdump /var/log/wtmp
    utmpdump /var/run/utmp
    utmpdump /var/log/btmp
    last
    lastb
Find logs with binary in them:
    grep '[[:cntrl:]]' /var/log/*.log
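As an added example that is not part of the Sandfly sheet, the Python helper below applies the Processes checks from the sheet (deleted binary still running, exe or cwd under a commonly targeted directory) to every PID under a /proc tree, and exercises them against a constructed /proc look-alike so it runs offline. The names SUSPECT_DIRS, triage_processes and run_sample, and the sample PIDs and paths, are my own.

```python
import os
import tempfile
from pathlib import Path

# Directories the cheat sheet lists as commonly targeted for staging files.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/var/run", "/var/spool")

def _readlink(path):
    try:  # unreadable for kernel threads and, unprivileged, for other users' PIDs
        return os.readlink(path)
    except OSError:
        return None

def _under(path, prefixes):
    return path is not None and any(path == p or path.startswith(p + "/") for p in prefixes)

def triage_processes(proc_root="/proc"):
    """Apply the sheet's process heuristics to each PID under proc_root.
    Returns sorted (pid, comm, flag, detail) tuples; reads only exe, cwd and comm."""
    findings = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        pid, base = int(entry), Path(proc_root, entry)
        exe, cwd = _readlink(base / "exe"), _readlink(base / "cwd")
        try:
            comm = (base / "comm").read_text().strip()
        except OSError:
            comm = "?"
        if exe is not None and exe.endswith(" (deleted)"):  # ls -alR /proc/*/exe | grep deleted
            findings.append((pid, comm, "exe_deleted", exe))
        if _under(exe, SUSPECT_DIRS):  # binary executed out of a tmp/dev directory
            findings.append((pid, comm, "exe_in_suspect_dir", exe))
        if _under(cwd, SUSPECT_DIRS):  # ls -alR /proc/*/cwd | grep tmp (and grep dev)
            findings.append((pid, comm, "cwd_in_suspect_dir", cwd))
    return sorted(findings)

def run_sample():
    """Build a constructed /proc look-alike (sample data, not a real host) and triage it."""
    samples = {  # pid: (exe link target, cwd link target, comm)
        "1": ("/usr/lib/systemd/systemd", "/", "systemd"),
        "4242": ("/tmp/.x/svc (deleted)", "/dev/shm", "svc"),
        "4300": ("/usr/bin/python3", "/var/tmp/.cache", "python3"),
    }
    root = Path(tempfile.mkdtemp(prefix="fakeproc-"))
    for pid, (exe, cwd, comm) in samples.items():
        (root / pid).mkdir()
        (root / pid / "exe").symlink_to(exe)  # dangling targets are fine: readlink still works
        (root / pid / "cwd").symlink_to(cwd)
        (root / pid / "comm").write_text(comm + "\n")
    return triage_processes(root)
```

Run triage_processes() with the default proc_root on a live host (as root, so every PID's exe and cwd links are readable) and review each flagged PID with the /proc commands above before drawing conclusions; a deleted exe can also be a package upgrade that has not been restarted.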

www.sandflysecurity.com
@SandflySecurity

2018-11-21
