Essential Linux Incident Response Commands for Quick Security Investigations

This guide outlines the typical Linux and Windows environments encountered in security incidents, common threats such as mining and ransomware, and provides a step‑by‑step workflow with essential commands for process, user, network, and file investigation to identify and remediate compromises.


Environment

Linux incidents most often involve CentOS or other command‑line only distributions, while Windows incidents usually target Windows Server.

Common Emergency Issues

Typical problems include cryptocurrency mining, malicious web shells (referred to as "spinach"), and occasional ransomware infections that may require decryption tools or a full system reinstall.

Investigation Workflow

Identify the problem → Resolve the issue → Write a report.

Process Inspection Commands

Basic commands to list and analyze processes:

top                     # Continuously monitor process activity; a sustained high-CPU process is the usual sign of a miner
ps -aef                 # Show all processes with full details
ps -U root -u root -N   # Show processes NOT owned by root
ps -u root              # Show processes owned by root
ps -ef | grep inetd     # Find suspicious inetd processes
ps -ef | awk '{print $2}' | sort -n | uniq > 1   # PIDs as reported by ps, saved to file "1"
ls /proc | sort -n | uniq > 2                    # PIDs as exposed by the kernel under /proc, saved to file "2"
diff 1 2                # A PID present in /proc but absent from ps may be a hidden process (non-numeric /proc entries such as cpuinfo also appear here and can be ignored)
pstree -p               # Show the process tree with PIDs, to see which parent spawned a suspicious process
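The comparison behind the "> 1" and "> 2" files above, as an added example that is not part of the original article (the function names ps_pids, hidden_pids and check_live are made up here); it assumes only a POSIX shell, ps and awk, and the self-contained hidden_pids function takes constructed lists so the logic can be checked without a live system:

```shell
#!/bin/sh
# Added example, not from the original article: the files written by "> 1" and
# "> 2" in the process section exist to be compared. This script does that in
# one place, keeps only numeric /proc entries (so /proc/cpuinfo is never
# reported) and accepts constructed lists so the logic is testable offline.

# PIDs as ps reports them, one per line (the article's "ps -ef | awk" step).
ps_pids() {
    ps -eo pid= | awk '{print $1}'
}

# hidden_pids PS_LIST PROC_LIST
# Prints every PID that is in PROC_LIST but not in PS_LIST, sorted numerically
# and without duplicates. Both arguments are newline-separated lists; lines
# that are not purely numeric (e.g. a "PID" header) are ignored.
hidden_pids() {
    printf '%s\n' "$2" | awk -v ps="$1" '
        BEGIN {
            n = split(ps, list, "\n")
            for (i = 1; i <= n; i++)
                if (list[i] ~ /^[0-9]+$/) seen[list[i]] = 1
        }
        /^[0-9]+$/ && !($1 in seen) { print $1 }
    ' | sort -n | uniq
}

# Live check. The /proc snapshot is taken with a shell glob in the current
# process (no ls, no subshell) so the checker's own helpers never show up as
# "hidden"; ps runs afterwards. A process that exits between the two snapshots
# still appears once, so re-run before drawing conclusions. A PID that stays in
# /proc but never appears in ps points at a trojaned ps or a rootkit.
check_live() {
    proc_list=""
    for d in /proc/[0-9]*; do
        proc_list="$proc_list${d#/proc/}
"
    done
    hidden="$(hidden_pids "$(ps_pids)" "$proc_list")"
    if [ -n "$hidden" ]; then
        printf 'PIDs in /proc but not in ps:\n%s\n' "$hidden"
        return 1
    fi
    echo "no hidden PIDs found"
}

# Usage: sh hidden_pids.sh --live   (sourcing the file just defines the functions)
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```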

User Activity Commands

who               # List currently logged-in users (remote sessions show the source host/IP in parentheses)
w                 # Show logged-in users together with what each one is currently running
who -m            # Show only the user on the current terminal (same as "who am i"), including its source host/IP
last -n 5         # Show the last five login sessions (read from /var/log/wtmp)
history 5         # Display the current shell's five most recent commands
awk -F: '($2=="")' /etc/shadow   # Find accounts with an empty password field (reading /etc/shadow requires root)
awk -F: '($3==0)' /etc/passwd    # List accounts with UID 0, i.e. root privileges
grep -v -E "^#" /etc/passwd | awk -F: '$3==0{print $1}'   # Same UID 0 check, printing only the user names

Network Inspection Commands

netstat -lntp    # List listening TCP ports with the owning process (run as root to see every PID; ss -lntp is the equivalent where netstat is absent)
lsof -i :22      # Find which processes are using port 22
lsof -i tcp      # Show all open TCP sockets and their processes
lsof -i udp      # Show all open UDP sockets and their processes

File Inspection Commands

ls -la                   # List all files, including hidden ones, in long format
whereis filename         # Locate the binary, source, and manual pages of a command
find ./ -mtime 0         # Find files under the current directory modified within the last 24 hours
find / -name "*.txt"     # Find all files ending with .txt
find / -iname "*.txt"    # Case-insensitive search for .txt files
find / ! -name "*.txt"   # Find files whose names do NOT end with .txt

Conclusion

The article compiles numerous Linux/Windows incident‑response commands, providing a practical checklist for security engineers to quickly diagnose and remediate compromises.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
