Detecting and Recovering Linux System Intrusions: Log Checks & File Restoration
This guide explains how to identify signs of a Linux system intrusion by examining key logs, verifying user account files, monitoring login events, analyzing network traffic, and using lsof to recover deleted security logs, providing step‑by‑step command examples for each task.
1. Intruder may delete machine log information
You can check whether log files still exist or have been cleared; example commands are shown.
2. Intruder may create a new file storing usernames and passwords
Inspect /etc/passwd and /etc/shadow files; example commands are provided.
3. Intruder may modify username and password files
Examine the contents of /etc/passwd and /etc/shadow to detect changes; example commands are included.
4. View recent successful login events and the last unsuccessful login
Check the "/var/log/lastlog" file; example commands are shown.
5. View all currently logged‑in users
Inspect the "/var/run/utmp" file; example commands are provided.
6. View users who have logged in since the machine was created
Check the "/var/log/wtmp" file; example commands are included.
7. View connection time (hours) for all users
Again, refer to the "/var/log/wtmp" file; example commands are given.
8. If abnormal traffic is observed
Use the "tcpdump" command to capture packets or the "iperf" tool to analyze traffic.
9. Examine the /var/log/secure log file
Attempt to discover intrusion details; example commands are listed.
10. Identify scripts associated with suspicious processes
a. Use the top command to find the PID of the suspicious process. b. Locate the executable file in the virtual filesystem.
11. Recover deleted important files after a confirmed intrusion
When a process has an open file descriptor to a deleted file, the file remains on disk and can be accessed via the descriptor.
The /proc directory contains in‑memory representations of processes; each PID directory holds information such as open file descriptors, which tools like lsof can display.
If a file is deleted while still open, its contents can be recovered from the corresponding descriptor using lsof and the /proc filesystem.
Assuming the attacker deleted /var/log/secure, you can recover it by:
a. Verify the file is missing. b. Use lsof to see if any process still has it open. c. Identify the PID (e.g., 1264 for rsyslogd) and file descriptor (e.g., 4) that holds the deleted file. d. Read the file via /proc/1264/fd/4 and redirect the output to a new file. e. Confirm that /var/log/secure is restored.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.