Comprehensive Approach to Linux Hacker Intrusion Detection
**Accounts**
- Check for newly added users.
- Check for accounts whose UID or GID is 0. A UID of 0 means root privileges, so review every user that has it.
- Check the modification dates of the account files.
- Check for users with empty passwords (if the second field of an entry in the password file is not empty, the account has a password).

**Logs**
- Logs are essential for security: they record the events that occur on the system every day, and they let you find the cause of an error or the traces an attacker left behind. Their main functions are auditing and monitoring; they can also be used to watch system status in real time and to track intruders.
- Check the last 10 lines of a log for the most recent entries.
- Check all open ports.
- Check users' recent login times.
- Check failed-login records.
- Check each user's last login.

**Processes**
- List all processes, paying particular attention to those running with UID 0.
- Check the files a process has open (using -p followed by the PID).
- Check the files belonging to daemon processes.
- Check the processes started at boot.

**Files**
- On a compromised web server, check the website's files: usually some have been modified, which can be found by comparing file creation times, integrity, file paths and so on.
- Look for files owned by the root user.
- Check for files larger than 10M.

**Scheduled tasks**
- Check the root user's scheduled tasks.
- Check the scheduled-task configuration files.

**Command history**
- Check the **.bash_history** file in each user's home directory, or use the **history** command.
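As an added example (not part of the original article), the following POSIX shell script implements the account and file checks from the checklist above. It runs against constructed sample data written to temporary files, so it can be executed offline; the account names, hashes and web-root layout are invented for the demonstration. To audit a real host, pass /etc/passwd, /etc/shadow and the actual web root to the same functions.

```shell
#!/bin/sh
# Added example: audit helpers for the account and file checks in the checklist.
# All sample data below is constructed; nothing is read from the live system.

# --- constructed sample data -------------------------------------------------
PASSWD_SAMPLE=$(mktemp)
SHADOW_SAMPLE=$(mktemp)
WEBROOT=$(mktemp -d)
trap 'rm -rf "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" "$WEBROOT"' EXIT

# "backdoor" has UID/GID 0 but is not root; "guest" has an empty password field.
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash
guest:x:1001:1001::/home/guest:/bin/sh
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$FAKESALT$FAKEHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$FAKESALT$FAKEHASH:19000:0:99999:7:::
backdoor:$6$FAKESALT$FAKEHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# A web root with a baseline marker dated in the past, one unchanged file,
# one file written after the baseline, and one oversized upload (11 MiB).
touch -t 202001010000 "$WEBROOT/.baseline"
printf 'unchanged page\n' > "$WEBROOT/index.php"
touch -t 202001010000 "$WEBROOT/index.php"
mkdir -p "$WEBROOT/uploads"
printf 'recently modified file\n' > "$WEBROOT/uploads/x.php"
dd if=/dev/zero of="$WEBROOT/uploads/blob.bin" bs=1048576 count=11 2>/dev/null

# --- account checks ----------------------------------------------------------
# Every account whose UID (field 3) or GID (field 4) is 0. Only root should appear.
uid0_accounts() {
    awk -F: '$3 == 0 || $4 == 0 { print $1 }' "$1"
}

# UID-0 accounts other than root: each one needs an explanation.
non_root_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field (field 2) in the shadow file is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with an interactive login shell; review this list for new users.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# --- file checks -------------------------------------------------------------
# Files under $1 modified more recently than the reference file $2
# (for example a deployment marker or a known-good snapshot).
files_newer_than() {
    find "$1" -type f -newer "$2" ! -path "$2"
}

# Files under $1 larger than 10 MiB.
large_files() {
    find "$1" -type f -size +10M
}

# Files under $1 owned by root; on a web root these deserve a second look.
root_owned_files() {
    find "$1" -type f -user root
}

# Combined report for stand-alone use.
audit_report() {
    echo "UID/GID 0 accounts:";          uid0_accounts "$PASSWD_SAMPLE"
    echo "Non-root UID 0 accounts:";     non_root_uid0 "$PASSWD_SAMPLE"
    echo "Empty-password accounts:";     empty_password_accounts "$SHADOW_SAMPLE"
    echo "Interactive-shell accounts:";  login_shell_accounts "$PASSWD_SAMPLE"
    echo "Files changed since baseline:"; files_newer_than "$WEBROOT" "$WEBROOT/.baseline"
    echo "Files larger than 10M:";       large_files "$WEBROOT"
}

audit_report
```

The checks are written as functions that take file paths so the same code works on the constructed sample and on real `/etc/passwd`, `/etc/shadow` and web-root paths; reading `/etc/shadow` requires root. The `-newer` comparison against a baseline file is a cheap stand-in for the integrity comparison the checklist describes; a hash list from a known-good deployment is the stronger version of the same idea.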
Link: https://blog.csdn.net/weixin_46622350/article/details/117985398?spm=1001.2014.3001.5502 (Copyright belongs to the original author, please delete if infringed)