System Resource Anomalies
top # Real-time monitoring of CPU/memory, press P to sort by CPU (watch for suspicious processes with >70% usage)
htop # Enhanced version of top, supports mouse interaction (convenient for finding mining processes)
uptime # View system uptime (abnormal reboots may indicate an attack)
free -h # Memory/swap usage (OOM may trigger abnormal processes)
df -h # Disk space (watch for abnormal usage in /tmp and other temporary directories)
Process Behavior Anomalies
ps aux | awk '{print $2,$11}' | sort -nrk1 # List processes and commands in reverse order by PID (check for viruses disguised as systemd)
lsof -i :22 # View connections on port 22 (locate SSH brute force sources)
netstat -antp | grep ESTABLISHED # Track C2 communications (focus on foreign IPs)
Account / Log Anomalies
last -i | grep -v 0.0.0.0 # Login records from non-local IPs (high incidence of brute force attacks)
cat ~/.bash_history | grep -iE 'wget|curl|ssh' # Investigate attack history (downloads, SSH tunnels); -E is needed for the | alternation
grep :0 /etc/passwd # Check for privileged users (watch for non-root accounts with UID=0)
Terminate Malicious Processes
pstree -p 1234 # View process tree (find daemon process chains)
kill -9 1234 # Force termination (use lsof -p 1234 to confirm no residual files)
Locate and Delete Virus Files
ls -l /proc/1234/exe # View the real path of the process (watch for hidden files like /tmp/.xxx)
rm -f /path/to/malicious # Delete file (backup first, move important files to quarantine)
Startup Item Investigation
systemctl list-unit-files --state=enabled # View services that start on boot (check for strange .service files)
crontab -l -u root # System-level scheduled tasks (watch for curl/wget executed at night)
ls -alh /etc/cron.daily # Check daily tasks (note newly added .sh scripts)
System File Verification
find / -perm -4000 -o -perm -2000 2>/dev/null # Find SUID/SGID files (prevent privilege escalation)
rpm -Va # Check RPM package integrity (for CentOS, modified files will be marked in red)
md5sum /bin/ps /bin/top # Compare with official hashes (watch for replaced system commands)
Hidden Backdoor Scanning
ls -laR /root/.ssh # Check authorized_keys (prevent SSH persistence backdoors)
ip link | grep PROMISC # Network card promiscuous mode (risk of sniffers)
lsmod | grep -iE 'hack|backdoor' # Abnormal kernel modules; -E is needed for the | alternation
Network Protection
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource # SSH brute force protection: record each new connection source
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH --rsource -j DROP # Drop a source after 5 new connections within 60 seconds

Considering the complexity of these commands, I would like to recommend this automation program for one-click query deployment:
System Toolset (network, system, junk cleaning, etc.)