Essential Linux Incident‑Response Commands for Quick Threat Detection

This guide walks through common Linux emergency scenarios—such as mining malware, ransomware, and backdoors—detailing a step‑by‑step workflow and providing essential command‑line tools for process, user, network, and file investigation on CentOS 6 and Windows Server 2008 systems.

Liangxu Linux

Introduction

Linux emergency response is a core skill in security operations, but working purely from the command line can make triage slow and error-prone. This article consolidates practical notes and commands for handling typical incidents on CentOS 6 (Linux) and Windows Server 2008 (Windows); the Linux commands are collected below.

Common Emergency Issues

Mining malware (cryptocurrency miners)

Webshells, typically accompanied by injected gambling-site links (“菠菜”, Chinese slang for gambling/black-hat SEO spam)

Ransomware – check for decryption tools from 360, Tencent, etc.; if none, reinstall the system.

Basic Workflow

Receive the emergency directive and travel to the client site with a laptop.

Communicate with the client to gather information, determine the problem, and possibly log in to the target machine for investigation.

Typical steps: Identify the problem → Resolve the problem → Write a report.

There is a saying: “scan for one minute, report for one hour”: the triage is quick, the write-up is where the time goes. When dealing with webshells, pay special attention to modified web-server configuration files (for example httpd.conf or .htaccess) and to links injected into the site's pages.

Process Inspection Commands

These commands help you discover malicious processes.

1. View real‑time system status

top

continuously refreshes the process list. Cryptocurrency miners usually stand out as a process pinning the CPU near 100%; press P to sort by CPU and use top -c to see the full command line instead of just the program name.

2. View a snapshot of processes

ps

displays a snapshot of the process table. Common UNIX-style options: -e: select every process (same as -A). -f: full-format listing, adding the UID, PPID, C (CPU utilisation) and STIME columns. -a: select all processes attached to a terminal, except session leaders. Note that it is the BSD-style e (no dash) that prints each process's environment, and ps aux is the BSD equivalent of ps -ef.

3. Show non‑root processes

ps -U root -u root -N

4. Show root‑owned processes

ps -u root

5. Find suspicious processes

ps -ef | grep inetd
grep

filters the process list for a name; inetd is the classic internet super-server daemon, and an attacker may start a listener under that or another familiar name. Substitute whatever name you suspect; writing the pattern as grep '[i]netd' keeps the grep process itself out of the results. (-a is redundant once -e is given, so -ef suffices.)

6. Detect hidden processes

ps -ef | awk 'NR>1 {print $2}' | sort -n | uniq > 1
ls /proc | grep -E '^[0-9]+$' | sort -n | uniq > 2
diff 1 2
awk

picks the PID column, sort -n sorts numerically, uniq removes duplicate lines, and diff reports PIDs present in one list but not the other. ps reads /proc through libc, so a userland rootkit that hooks those calls can filter PIDs out of ps while the PID directory still appears in a direct listing of /proc. Short-lived processes (including ps and ls themselves) produce spurious differences, so re-check every hit; a kernel-mode rootkit can hide the /proc entry as well, so an empty diff does not clear the host.
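The following script is an added example (not from the original article) that performs the ps-versus-/proc comparison above in a form that can also be re-run over saved snapshots, and then checks every visible process for two cheap indicators of a dropped miner or backdoor: an executable that has been deleted from disk while still running, and an executable living in a world-writable scratch directory. The snapshot file names, the scratch-directory list and the "scan" argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Compares the PIDs that ps
# reports with the PID directories in /proc (a userland rootkit that filters
# ps output usually cannot hide the directory), then checks each visible
# process for two cheap indicators of a dropped miner or backdoor. The paths
# in classify_exe and the snapshot file names are assumptions.

# PIDs visible to ps, one per line, numerically sorted.
ps_pids() { ps -eo pid= | tr -d ' ' | sort -n | uniq; }

# PID directories in /proc (kernel threads included), numerically sorted.
proc_pids() { ls /proc | grep -E '^[0-9]+$' | sort -n | uniq; }

# Lines of file $2 whose first field does not occur in file $1. Takes files
# rather than live commands so it can be re-run on saved evidence.
only_in_second() {
    awk -v first="$1" 'FILENAME == first { seen[$1] = 1; next } !($1 in seen)' "$1" "$2"
}

# Classify the target of /proc/<pid>/exe. A binary unlinked after launch keeps
# running but its link ends in "(deleted)"; scratch directories are where
# droppers land because every user can write there.
classify_exe() {
    case "$1" in
        *"(deleted)"*)                echo "exe-deleted" ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "tmp-exec" ;;
        *)                            echo "ok" ;;
    esac
}

# Live scan: diff the two PID views, then report suspicious executables.
scan_live() {
    ps_snap=$(mktemp); proc_snap=$(mktemp)
    ps_pids   > "$ps_snap"
    proc_pids > "$proc_snap"
    # The two snapshots race with process creation and exit (ps and ls
    # themselves included), so a hit is re-checked before it is reported.
    for pid in $(only_in_second "$ps_snap" "$proc_snap"); do
        if [ -d "/proc/$pid" ] && ! ps -p "$pid" >/dev/null 2>&1; then
            echo "HIDDEN pid=$pid cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
    for pid in $(proc_pids); do
        # Kernel threads have no exe link; readlink fails and they are skipped.
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        verdict=$(classify_exe "$exe")
        if [ "$verdict" != ok ]; then
            echo "$verdict pid=$pid exe=$exe cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
    rm -f "$ps_snap" "$proc_snap"
}

# Run as root so every process's exe link is readable:  sh procscan.sh scan
if [ "${1:-}" = "scan" ]; then scan_live; fi
```

Run it as root, because /proc/<pid>/exe of another user's process is only readable with ptrace access. Save the two snapshot files with the rest of the evidence; they are small and let you repeat the comparison after the host has been taken offline.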

7. List system cron jobs

cat /etc/crontab
ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron

ls on the file only prints its name; cat it to read the entries. On CentOS 6 per-user crontabs live in /var/spool/cron/<user> (crontab -l -u <user> shows the same), and drop-in jobs in /etc/cron.d and the cron.* directories are a common persistence spot for miners.

User and Activity Inspection

1. Who is logged in?

who

2. Show only your own session

who -m

Equivalent to who am i: it prints just the entry for the terminal you are on. The plain who output already shows the remote host or IP in parentheses for every session; w adds the FROM column and what each logged-in user is currently running.

3. Recent login history

last -n 5

4. Recent command history

history 5

Shows the last five commands of the current shell only. Attackers routinely clear or disable it (history -c, unset HISTFILE), so also read each user's ~/.bash_history file directly and treat an empty or truncated history as a finding in itself.

5. Find accounts with empty passwords

awk -F':' '($2=="")' /etc/shadow

6. List UID 0 accounts (root) using awk

awk -F':' '($3==0)' /etc/passwd

7. List UID 0 accounts using grep

grep -v -E "^#" /etc/passwd | awk -F':' '$3==0{print $1}'

8. Show process tree to locate parent‑child relationships

pstree -p
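As an added example (not from the original article), the account checks from this section are collected into functions that take the passwd and shadow files as arguments, so the same code runs against the live /etc files or against copies pulled from a mounted disk image. It goes slightly beyond the text by also flagging system accounts that have been given a login shell and home directories holding an SSH authorized_keys file. The UID_MIN value of 500 is the CentOS 6 default; the "live" argument and file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Account checks that take the
# passwd/shadow files as arguments so they also work on evidence copies.

# Every UID-0 account other than root: an attacker-added "toor" or a
# renamed service account shows up here. Comment lines are skipped.
extra_uid0_accounts() { awk -F: '!/^#/ && $3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Shadow entries with an empty password field (login succeeds with no password).
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Shadow entries holding a usable hash rather than a lock marker ("!" or "*"),
# i.e. the complete set of accounts that can authenticate with a password.
password_login_accounts() { awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"; }

# System accounts (UID below UID_MIN, passed as $2; 500 on CentOS 6) whose
# shell is interactive. Service accounts normally get nologin or false, so a
# daemon account with /bin/bash is a classic backdoor login.
system_accounts_with_shell() {
    awk -F: -v min="$2" '$3 != 0 && $3 < min && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts whose home directory contains a non-empty authorized_keys file:
# SSH keys are the most common persistence an intruder adds. Needs root to
# read every home directory.
accounts_with_ssh_keys() {
    awk -F: '!/^#/ && $6 != "" { print $1 ":" $6 }' "$1" | while IFS=: read -r user home; do
        if [ -s "$home/.ssh/authorized_keys" ]; then
            echo "$user $home/.ssh/authorized_keys"
        fi
    done
}

# On the compromised host:  sh accounts.sh live   (as root, for /etc/shadow)
if [ "${1:-}" = "live" ]; then
    echo "== extra UID 0 accounts ==";          extra_uid0_accounts /etc/passwd
    echo "== empty passwords ==";               empty_password_accounts /etc/shadow
    echo "== accounts with a usable password =="; password_login_accounts /etc/shadow
    echo "== system accounts with a shell ==";  system_accounts_with_shell /etc/passwd 500
    echo "== accounts with SSH keys ==";        accounts_with_ssh_keys /etc/passwd
fi
```

For an offline image mounted at /mnt/evidence, call the functions with /mnt/evidence/etc/passwd and /mnt/evidence/etc/shadow instead; only accounts_with_ssh_keys needs the home paths rewritten, since the passwd file records them relative to the original root.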

Network Inspection Commands

1. List listening TCP ports and the owning process

netstat -lntp

-l restricts the output to listening sockets; drop it (or use -a) to include established connections as well, and add -u for UDP.

Common netstat options: -a or --all: show all sockets. -c or --continuous: continuously display. -i or --interfaces: show interface table. -l or --listening: show listening sockets. -n or --numeric: display numeric addresses. -t or --tcp: show TCP connections. -u or --udp: show UDP connections.

2. Identify which process uses a specific port (e.g., 22)

lsof -i :22

3. Show open files for one or more PIDs

lsof -p 2,3

2 and 3 are placeholders (on a running system they are kernel threads); substitute the PIDs you are investigating, separated by commas.

4. List all TCP connections

lsof -i tcp

5. List all UDP connections

lsof -i udp
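The two helpers below are an added example (not from the original article) that turn the netstat output described in this section into two short lists an analyst actually wants: established TCP connections to addresses outside loopback and RFC 1918 space (where a miner's pool connection or a reverse shell shows up), and listening sockets bound to every interface (where a bind shell or a freshly installed proxy shows up). They assume the column layout of netstat -antp (Proto Recv-Q Send-Q Local Foreign State PID/Program) and read either a file argument or standard input; the snapshot file name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article. Reads `netstat -antp` output
# (live or a saved copy) and extracts the connections worth a second look.
# Assumed columns: Proto Recv-Q Send-Q Local Foreign State PID/Program.

# ESTABLISHED TCP connections whose peer is outside loopback and RFC 1918
# space. An ssh session from the office LAN is filtered out; a connection to
# an Internet address on an unusual port is printed with its owning process.
external_established() {
    awk '
    function is_internal(ip) {
        return ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./ ||
               ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        peer = $5; sub(/:[0-9]+$/, "", peer)      # drop the port, keep the address
        if (!is_internal(peer)) print $7 " -> " $5
    }' "$@"
}

# Listening TCP sockets bound to all interfaces (0.0.0.0 or ::). Anything here
# that is not an expected service (sshd, httpd, ...) needs an explanation.
listening_on_all_interfaces() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        local = $4; sub(/:[0-9]+$/, "", local)
        if (local == "0.0.0.0" || local == "::") print $7 " " $4
    }' "$@"
}

# On the host (as root, so -p can resolve every PID):  sh netcheck.sh live
if [ "${1:-}" = "live" ]; then
    netstat -antp > netstat-snapshot.txt 2>/dev/null   # keep the raw output as evidence
    echo "== external established =="; external_established netstat-snapshot.txt
    echo "== listening on all interfaces =="; listening_on_all_interfaces netstat-snapshot.txt
fi
```

The program column only holds the first word of the PID/Program field, which is enough for the usual "1234/sshd" form. Run netstat as root: without it the PID/Program column reads "-" for other users' processes and the output tells you nothing about ownership.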

File Inspection Commands

1. List all files, including hidden ones

ls -la

2. Locate a command's binary, source and man page

whereis filename

whereis searches only the standard binary, library and manual directories, so it finds commands, not arbitrary files. For an arbitrary file name use find / -name or locate.

3. Show file timestamps

ls -al filename
stat filename

ls -l prints the modification time (mtime) only. stat prints all three timestamps an ext3/ext4 file system keeps: Access, Modify and Change (ctime, updated whenever the inode changes, e.g. on chmod, chown or a forged touch). Linux does not expose a creation time here; the time ls reports is the last modification.

4. Find files modified in the last 24 hours

find ./ -mtime 0

How -mtime n counts: find measures age in whole 24-hour periods and discards the remainder. -mtime 0: modified within the last 24 hours. -mtime 1: modified between 24 and 48 hours ago. -mtime +1: modified more than 48 hours ago (at least two full days). -mtime -1: modified less than 24 hours ago (same as -mtime 0). Use -mmin for minute-granularity windows, and remember that mtime can be reset with touch, whereas the inode change time tested by -ctime/-cmin cannot be forged from user space.

5. Find files ending with .txt

find / -name "*.txt"

6. Find files not ending with .txt

find / ! -name "*.txt"
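As an added example (not from the original article), the find commands of this section are built out into a small file-system triage script. It shows two things the text does not: that an attacker can reset a file's mtime with touch, so the inode change time (ctime) must be checked as well, and how to sweep a web root for common webshell idioms and compare the SUID/SGID inventory against a clean baseline. The web-root path, the grep patterns (a starting point, not a signature set) and the baseline file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. File-system triage built on
# the find commands above: ctime versus mtime, a webshell sweep, and a
# SUID/SGID inventory diff. Paths, patterns and file names are assumptions.

# Regular files under $1 whose inode changed (ctime) in the last $2 minutes.
# -xdev stays on one file system; /proc, /sys and /dev are pruned explicitly so
# the function also behaves when run on a directory rather than /.
recent_by_ctime() {
    find "$1" -xdev \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
         -type f -cmin "-$2" -print
}

# Same window keyed on mtime, which is what -mtime/-mmin test. mtime can be
# forged ("touch -r /bin/ls dropper"), ctime cannot be set from user space,
# so a file that is old by mtime but new by ctime deserves a look.
recent_by_mtime() {
    find "$1" -xdev \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
         -type f -mmin "-$2" -print
}

# Script files under the web root $1 containing typical webshell constructs.
# Expect false positives in legitimate frameworks; review every hit by hand.
webshell_candidates() {
    grep -rlE --include='*.php' --include='*.phtml' --include='*.jsp' \
         --include='*.asp' --include='*.aspx' \
         'eval\(base64_decode\(|eval\(gzinflate\(|eval\(\$_(POST|GET|REQUEST)|assert\(\$_(POST|GET|REQUEST)|preg_replace\([^)]*/e|passthru\(|shell_exec\(|Runtime\.getRuntime\(\)\.exec' \
         "$1"
}

# SUID/SGID regular files on the file system rooted at $1, sorted for diffing.
suid_sgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Entries present in the current list $2 but absent from the baseline $1,
# where the baseline comes from a known-clean install of the same release.
new_entries() {
    awk -v first="$1" 'FILENAME == first { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# On the host (as root):  sh filetriage.sh live
if [ "${1:-}" = "live" ]; then
    echo "== ctime within 24h =="; recent_by_ctime / 1440
    echo "== webshell candidates =="; webshell_candidates /var/www
    suid_sgid_files / > suid-now.txt
    echo "== SUID/SGID not in baseline =="; new_entries suid-baseline.txt suid-now.txt
fi
```

Take the SUID baseline from a clean machine of the same CentOS release (or from the package database) before an incident, not after. Because -xdev stops at mount points, run the ctime and SUID sweeps once per mounted file system (/, /home, /var) if they are separate partitions.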

Conclusion

The article aggregates numerous commands useful for Linux security incident response. While the sheer volume can feel overwhelming, the structured workflow and categorized command sets provide a practical reference for analysts confronting mining malware, webshells, ransomware, or other compromises.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, incident response, Security, Forensics
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
