SANS Institute

Purpose

How To Use This Sheet

If you spot anomalous behavior: DO NOT PANIC!

Unusual Processes and Services

List every running process with its owner and command line:
# ps aux

List the files and sockets held open by a suspicious process:
# lsof -p [pid]

List which services are configured to start at boot, per runlevel:
# chkconfig --list

Unusual Files

Find setuid-root files:
# find / -uid 0 -perm -4000 -print

Find files larger than 10 MB:
# find / -size +10000k -print

Find files whose name is a single space:
# find / -name " " -print

Find files whose names contain characters outside the usual set:
# find / -regex '.+[^A-Za-z0-9(+=_-/.,!@#$%^&*~:;)]' -print

Unusual Files Continued

Verify installed package files against the RPM database:
# rpm -Va | sort

Find open files that have been unlinked from the file system:
# lsof +L1

Unusual Network Usage

List listening sockets and established connections with the owning process:
# netstat -nap

List network-related open files and connections by process:
# lsof -i

Check the ARP cache for unexpected entries:
# arp -a

Check for interfaces in promiscuous mode:
# ip link | grep PROMISC

Unusual Scheduled Tasks

Review root's crontab:
# crontab -u root -l

Review the system-wide crontab and the cron directories:
# cat /etc/crontab
# ls /etc/cron.*

Unusual Accounts

List accounts sorted by UID (field 3 of /etc/passwd):
# sort -nk3 -t: /etc/passwd | less

Look for accounts with UID 0:
# grep :0: /etc/passwd

Find files owned by a user that no longer exists in /etc/passwd:
# find / -nouser -print

Unusual Log Entries

Other Unusual Items

Check system load, free memory and disk usage:
$ uptime
$ free
$ df

Additional Supporting Tools

check-packages
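As an added example that is not part of the SANS sheet, the following POSIX sh script performs the "Unusual Accounts" check on a passwd-format file by parsing the UID field with awk instead of pattern-matching ":0:", which also hits accounts whose GID is 0 (such as the stock "sync" account); the passwd content it analyses is constructed.

```shell
#!/bin/sh
# Added example (not from the SANS sheet): audit a passwd-format file for
# accounts with UID 0 and for UIDs shared by more than one account.
# Matching field 3 exactly avoids the false positives of "grep :0:", which
# also matches a GID of 0 and a GECOS field of "0".

# Print the names of all accounts whose UID (field 3) is 0, in file order.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print every UID that appears on more than one account line, numerically sorted.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort -n | uniq -d
}

# Constructed sample in /etc/passwd format: "sync" has GID 0 but UID 5
# (a "grep :0:" false positive), "backup" is a second UID-0 account and
# "svc2" shares UID 1001 with "svc1".
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
svc1:x:1001:1001::/home/svc1:/bin/sh
backup:x:0:1002::/var/backup:/bin/sh
svc2:x:1001:1001::/home/svc2:/bin/sh
EOF

# Stand-alone run: report on the constructed sample.
echo "UID 0 accounts:"
uid0_accounts "$SAMPLE_PASSWD"
echo "Duplicate UIDs:"
duplicate_uids "$SAMPLE_PASSWD"
```

Run it against the live system by passing /etc/passwd to the two functions instead of the sample file.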
