Debug School

rakesh kumar

List all the commands and indicators to consider when identifying suspicious remote hacking activity

Identifying suspicious remote hacking activity on a Linux server requires vigilance and the ability to recognize various indicators. Here's a list of indicators to consider along with commands or tools to investigate them:

Unusual Network Traffic:

Monitor network traffic for unusual patterns or unexpected connections.

sudo tcpdump -i eth0 -nn
sudo netstat -tuln

Failed Login Attempts:

Check for repeated failed login attempts, especially for privileged accounts.

sudo tail -n 100 /var/log/auth.log
sudo grep "Failed password" /var/log/auth.log
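As an added example (not part of the original post), this small POSIX shell script applies the "Failed password" check above to auth.log text: it counts failures per source address, flags addresses at or above a threshold, and reports any flagged address that also obtained an "Accepted" login, which is the pattern most worth escalating. The log lines and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" entries per source address,
# flag addresses over a threshold, and report flagged addresses that also
# obtained an "Accepted" login (repeated failures followed by success).
# Constructed sample auth.log lines using RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG='Mar  3 10:15:01 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:05 srv sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:16:00 srv sshd[1240]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:17:11 srv sshd[1241]: Failed password for bob from 192.0.2.10 port 40002 ssh2
Mar  3 10:18:20 srv sshd[1250]: Accepted publickey for root from 203.0.113.5 port 51300 ssh2'

# failed_by_ip LOG: print "count address" per source, most failures first.
failed_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn -k1,1
}

# flag_brute_force LOG THRESHOLD: addresses with at least THRESHOLD failures.
flag_brute_force() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# flagged_with_success LOG THRESHOLD: flagged addresses that also have an
# "Accepted" line, i.e. a login that succeeded after repeated failures.
flagged_with_success() {
    for ip in $(flag_brute_force "$1" "$2"); do
        printf '%s\n' "$1" | awk -v ip="$ip" '
            /sshd\[[0-9]+\]: Accepted / {
                for (i = 1; i <= NF; i++)
                    if ($i == "from" && $(i + 1) == ip) { print ip; exit }
            }'
    done
}

# Run against the constructed sample; on a live host feed it the real log:
#   flagged_with_success "$(sudo cat /var/log/auth.log)" 10
echo "Failures per source address:"
failed_by_ip "$SAMPLE_AUTH_LOG"
echo "Flagged (>= 3 failures) with a later successful login:"
flagged_with_success "$SAMPLE_AUTH_LOG" 3
```

On hosts that log through journald rather than a file, feed it `journalctl -u ssh --no-pager` output instead; the sshd line format is the same.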

Unexpected Processes:

Look for unfamiliar or suspicious processes running on the server.

sudo ps aux
sudo top

Check Process Tree:

Examine the process tree to see parent-child relationships.

pstree

Monitor Process Creation:

Watch for new processes being created in real-time.

watch 'ps aux'

Identify Parent Processes:

Look for unusual parent processes spawning new ones.

ps -eo pid,ppid,cmd --sort=-%cpu | head

Check Process Start Times:

Review the start times of processes for anomalies.

ps -eo pid,ppid,cmd,lstart --sort=start_time

Investigate Suspicious Processes:

Examine suspicious processes in detail.

sudo lsof -p <PID>

Monitor System Logs:

Review system logs for process-related events.

tail -n 100 /var/log/syslog
tail -n 100 /var/log/auth.log

Look for Process Listening on Network Ports:

Check for processes listening on unusual network ports.

sudo netstat -tulnp

Analyze Process Executable Paths:

Examine the paths of process executables for irregularities.

sudo ls -l /proc/<PID>/exe

Check Process Environment Variables:

Review environment variables of suspicious processes.

sudo cat /proc/<PID>/environ | tr '\0' '\n'

Inspect Open Files and Network Connections:

Investigate open files and network connections of suspicious processes.

sudo lsof -p <PID>
sudo netstat -atunp | grep <PID>

Rootkit Detection:

Scan for rootkits to detect any unauthorized modifications.

sudo rkhunter --check
sudo chkrootkit

Unusual File Changes:

Monitor for unauthorized modifications to critical system files.

sudo find / -mtime -1 -type f
sudo tripwire --check
sudo aide --check

Anomalies in System Logs:

Review system logs for any unusual or unexpected entries.

sudo tail -n 100 /var/log/syslog

Spike in Resource Usage:

Look for sudden increases in CPU, memory, or disk usage.

sudo top
sudo iotop

Unauthorized Access:

Check for unauthorized login sessions or access attempts.

sudo last
sudo w

Unexplained Changes in User Accounts:

Review changes to user accounts, especially new or modified accounts.

sudo cat /etc/passwd
sudo cat /etc/shadow

Abnormal Outbound Connections:

Investigate unexpected outbound connections from the server (the -l flag would show only listening sockets, so it is omitted here to list established connections and the owning process).

sudo netstat -tunp

Security Alerts from IDS/IPS:

Monitor alerts from Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).

sudo service snort status
sudo service suricata status

Unexpected Privilege Escalation:

Check for any unexpected changes in user privileges or roles.

sudo grep -i 'sudo' /var/log/auth.log

Regularly monitoring these indicators can help identify suspicious remote hacking activity on your Linux server. It's crucial to establish proactive security measures and respond promptly to any detected anomalies to mitigate potential risks.