Step‑by‑Step Guide to Investigating a Compromised Linux System

1. Check System Logs

Use lastb to examine failed login attempts and count IP retries.

2. Check System Users

View all users: cat /etc/passwd Identify new UID/GID 0 users: grep "0" /etc/passwd Check modification time of /etc/passwd: ls -l /etc/passwd Find privileged users: awk -F: '$3==0 {print $1}' /etc/passwd Detect empty‑password accounts:

awk -F: 'length($2)==0 {print $1}' /etc/shadow

3. Check Abnormal Processes

Look for processes with UID 0 using ps -ef.

Inspect open ports/files of a process: lsof -p PID.

Detect hidden processes: ps -ef | awk '{print $...}' | sort -n | uniq >1 and ls /proc | sort -n | uniq >2, then diff 1 2.

4. Check Abnormal System Files

find / -uid 0 -perm -4000 -print

find / -size +10000k -print

find / -name "..." -print

(replace with suspicious names)

5. Check System File Integrity

rpm -qf /bin/ls

rpm -qf /bin/login

Compute MD5 checksums: md5sum -b filename or

md5sum -t filename

6. Verify RPM Integrity

Run rpm -Va and note differences (S – size, M – mode, 5 – MD5, D – device, L – readlink, U – user, G – group, T – time).

7. Check Network

Detect promiscuous mode: ip link | grep PROMISC List open network files: lsof -i Show listening ports: netstat -nap Display ARP table:

arp -a

8. Check Scheduled Tasks

Root crontab: crontab -u root -l System crontab: cat /etc/crontab List cron directories:

ls /etc/cron.*

9. Check System Backdoors

Inspect crontab and rc scripts: cat /etc/crontab, ls /var/spool/cron/, cat /etc/rc.d/rc.local, ls /etc/rc.d,

ls /etc/rc3.d

10. Check System Services

List services: chkconfig --list Show RPC services:

rpcinfo -p

11. Check for Rootkits

Run rkhunter -c Run

chkrootkit -q