Comprehensive Linux Intrusion Detection Checklist: Spot Hackers Fast

Linux Hacker Intrusion Detection Checklist (Full)

Check Accounts

Check for newly added users.

Check for accounts with UID and GID of 0 (UID 0 means root privileges).

Identify users that have root privileges.

Check the modification dates of user files.

Check for users with empty passwords (the second line of the password file being non‑empty indicates a password).

Check Logs

Logs are crucial for security; they record daily system events and can reveal error causes or attacker traces. Main functions include audit and monitoring, real‑time system status tracking, and intruder tracing.

View the last 10 lines of logs.

View current logs.

View all open ports.

View recent user login times.

View login failure records.

View each user's last login information.

Check Processes

List all processes, paying special attention to those with UID 0.

Check files opened by a process (use -p followed by the PID).

Inspect daemon files.

Check startup processes.

Check System

Inspect files for creation time, integrity, and path to detect modifications on compromised websites.

Search for files owned by root.

Find files larger than 10 MB.

Check Scheduled Tasks

View root's scheduled tasks.

Examine scheduled task configuration files.

Check Historical Command Tasks

Inspect the .bash_history file in the user's home directory or use the history command.