Linux Intrusion Checklist: Detect Hacker Activity with a Single Script

The article introduces Linux_checklist.sh, a script that audits a Linux system for signs of compromise—including network sniffing, deleted‑file processes, tampered binaries, unauthorized SSH keys, malicious cron jobs, resource abuse, privilege anomalies, persistence mechanisms, file integrity issues, and suspicious log activity—while warning that its output contains sensitive data.

Tool Introduction

A script named Linux_checklist.sh provides a quick audit of common security and operational conditions on a Linux system.

Main Checks

Network interface sniffing detection (promiscuous mode) to spot potential internal password capture.

Identify processes whose on-disk executable has been deleted (the /proc/<pid>/exe link target ends in "(deleted)"), a technique used by mining malware and rootkits to hide their binaries.

Verify core commands such as ls, ps, netstat via rpm -V to ensure they have not been replaced.

Scan every user's .ssh/authorized_keys for unknown keys that would allow password-less login.

Inspect scheduled tasks for malicious commands like bash -i, nc, curl that may connect to external hosts.
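As an added example (not code from the Linux_checklist project), the POSIX sh functions below implement three of the checks listed above: deleted-executable processes, promiscuous-mode interfaces, and authorized_keys enumeration. Each takes the directory or files to inspect as a parameter, so the same function runs against /proc, /sys/class/net and the real key files on a live host, and against a constructed fixture offline. The function names, the fixture helper make_demo_fixture, and every PID, path, flag value and key in the fixture are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the Linux_checklist project.
# Each check takes the directory or files to inspect as parameters so the same
# function runs on a live host (/proc, /sys/class/net, real key files) and on
# the constructed fixture built below for an offline demonstration.

# Print "PID TARGET" for each process whose on-disk executable was deleted.
# The kernel appends " (deleted)" to the /proc/<pid>/exe link target in that case.
find_deleted_exe_procs() {
    proc_root=${1:-/proc}
    for exe in "$proc_root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue                           # kernel threads have no exe link
        target=$(readlink "$exe" 2>/dev/null) || continue   # unreadable without root
        case $target in
            *" (deleted)")
                pid=${exe%/exe}
                printf '%s %s\n' "${pid##*/}" "$target"
                ;;
        esac
    done
}

# Print each interface whose IFF_PROMISC flag (0x100) is set in <iface>/flags.
find_promisc_ifaces() {
    net_root=${1:-/sys/class/net}
    for flagfile in "$net_root"/*/flags; do
        [ -r "$flagfile" ] || continue
        flags=$(cat "$flagfile")                 # hex string such as 0x1103
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            iface=${flagfile%/flags}
            printf '%s\n' "${iface##*/}"
        fi
    done
}

# Print "FILE: KEYTYPE COMMENT" for every key in the given authorized_keys files
# (the last field is the key comment, or the key data when no comment is set).
# Pass /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys on a live host.
list_authorized_keys() {
    for keyfile in "$@"; do
        [ -f "$keyfile" ] || continue
        awk -v f="$keyfile" '!/^[ \t]*#/ && NF > 0 { print f ": " $1 " " $NF }' "$keyfile"
    done
}

# Build a constructed fixture (fake /proc, /sys/class/net and home directories)
# and print its path. Every PID, path and key below is made up for the demo.
make_demo_fixture() {
    fx=$(mktemp -d) || return 1
    mkdir -p "$fx/proc/1234" "$fx/proc/42" "$fx/net/eth0" "$fx/net/lo" "$fx/home/alice/.ssh"
    ln -s "/tmp/sample-binary (deleted)" "$fx/proc/1234/exe"    # binary unlinked after exec
    ln -s /bin/sh "$fx/proc/42/exe"                               # ordinary process
    echo 0x1103 > "$fx/net/eth0/flags"                            # UP|BROADCAST|PROMISC|MULTICAST
    echo 0x9 > "$fx/net/lo/flags"                                 # UP|LOOPBACK
    printf '# comment line\nssh-ed25519 AAAAexamplekeydata alice@laptop\n' \
        > "$fx/home/alice/.ssh/authorized_keys"
    printf '%s\n' "$fx"
}

if [ "${1:-}" = "--live" ]; then
    find_deleted_exe_procs /proc
    find_promisc_ifaces /sys/class/net
    list_authorized_keys /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
else
    fx=$(make_demo_fixture)
    echo "deleted-exe processes:";  find_deleted_exe_procs "$fx/proc"
    echo "promiscuous interfaces:"; find_promisc_ifaces "$fx/net"
    echo "authorized keys:";        list_authorized_keys "$fx"/home/*/.ssh/authorized_keys
    rm -rf "$fx"
fi
```

Run it with no arguments to see the fixture results, or with --live as root to inspect the host. Taking the root directory as a parameter is what makes the logic testable without a compromised machine; the same pattern keeps the rest of a checklist script reviewable.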

Detailed Checklist

System resources (possible mining)

CPU/Memory usage: list the top 5 processes and flag abnormally high consumption.

Disk space: check for logs or junk files filling the disk.

Network connections (possible backdoors)

Promiscuous mode detection.

DNS/Hosts inspection for hijacking or malicious redirects.

Open ports: list all listening ports, highlight unexpected high‑numbered ports.

External connections: show top‑10 remote IPs the server contacts, looking for C2 callbacks.

Process analysis (possible malicious programs)

Deleted‑file processes (as above).

High‑resource processes: details of the five processes with the highest CPU and memory usage.

Accounts and privileges (unauthorized accounts)

Privileged users: detect any UID=0 accounts besides root.

Shadow file: examine /etc/shadow for login‑enabled accounts.

Sudo rights: find users with ALL=(ALL) sudo permissions.

SSH public keys: enumerate keys under /root and /home directories.

SSH hijack: check for sshrc files, which run a script at every SSH login.

Persistence and startup (malware auto‑start)

Cron jobs: review /etc/crontab, /etc/cron.d/, and each user’s crontab.

Pattern matching: flag entries containing wget, curl, nc, etc.

Systemd services: list enabled services.

rc.local: inspect for hidden startup scripts.

File integrity (possible rootkit)

Binary verification: use the package manager (RPM) to verify hashes of core binaries (ls, ps, top, login, sshd, …).

SUID files: scan for abnormal SUID binaries that could grant root privileges.

Temporary directories: check /tmp and /var/tmp for executable scripts (.sh, .py, .elf).

Immutable attributes: verify critical files are not locked with chattr +i.

Logs and traces (what the attacker did)

Brute‑force attempts: count failed logins in /var/log/secure or auth.log and list the top offending IPs.

Successful logins: show recent successful logins and source IPs.

Account changes: detect useradd/userdel events.

Command history: scan root’s .bash_history for suspicious commands such as wget, tar, passwd.

Security and Compliance

The script's output contains sensitive information (account lists, keys, connection and login data); run it only in environments where you are authorized to do so, and store the output files securely.

Project URL

https://github.com/HuyaThomas/Linux_checklist

Source: 乌云安全

Written by

Black & White Path