When a production server shows unexpected high CPU usage and unknown login activity, this guide walks Linux ops engineers through confirming intrusion, stopping the attacker, tracing the attack path, removing backdoors, restoring system integrity, and applying hardening measures to prevent future breaches.
This comprehensive guide walks you through building a layered Linux intrusion detection system, configuring host‑based tools such as AIDE, rkhunter, and auditd, automating security audits, performing forensic investigations, and executing a six‑step incident response workflow to detect, contain, and remediate attacks effectively.
The article introduces Linux_checklist.sh, a script that audits a Linux system for signs of compromise—including network sniffing, deleted‑file processes, tampered binaries, unauthorized SSH keys, malicious cron jobs, resource abuse, privilege anomalies, persistence mechanisms, file integrity issues, and suspicious log activity—while warning that its output contains sensitive data.
This guide walks you through using Linux log tools such as last, lastb, grep, and sshd_config to identify suspicious logins, trace malicious IPs, and apply immediate remediation steps for compromised servers, targeting ops engineers and developers.
This article provides a comprehensive step‑by‑step process for detecting server compromises, collecting system, memory, and network evidence, analyzing logs, isolating the affected host, removing malicious artifacts, and hardening the environment to prevent future attacks.
This guide walks operations engineers through recognizing intrusion signals, executing a step‑by‑step 24‑hour emergency response, performing digital forensics, cleaning the system, hardening security settings, and establishing continuous monitoring to prevent future attacks.
This guide walks operations and security engineers through recognizing intrusion signs, executing a step‑by‑step 24‑hour response, collecting forensic evidence, cleaning and hardening the system, and building proactive monitoring to protect servers from future attacks.
This article walks through the symptoms, root causes, forensic commands, and remediation actions taken to investigate and clean a Linux server that was compromised, highlighting key security lessons such as tightening SSH access, monitoring critical files, and restoring locked system utilities.
This article walks through a real‑world Linux server breach, detailing the observed symptoms, investigative commands, hidden malicious scripts, file‑locking tricks, and a comprehensive remediation process that includes tightening security groups, strengthening passwords, monitoring critical files, and restoring compromised system utilities.
This guide explains how attackers can use Linux shell commands such as touch, stat, and ls, combined with custom Bash scripts, to record, modify, and restore file timestamps, enabling them to conceal evidence of intrusion and automate timestamp manipulation on compromised servers.
This article explains how attackers can exploit Linux file timestamps using shell commands and a custom Bash script to hide their activities, covering tools like touch, stat, ls, and detailed script steps for saving, modifying, and restoring timestamps to evade forensic detection.
This article provides a step‑by‑step technical analysis of the DarkKomet remote‑access trojan, covering its capabilities, infection vectors, detection methods using TTP‑driven EDR, containment actions, eradication procedures, root‑cause forensics, and post‑incident recovery measures.
This guide explains how attackers can conceal their activities on a Linux system by manipulating file timestamps using the touch, stat, and ls commands and by automating the process with a Bash script that saves, restores, and reapplies timestamps to hide evidence of compromise.
This comprehensive guide walks security engineers through every phase of an incident response—from initial information gathering, containment, and vulnerability scanning to detailed log, process, and account analysis, culminating in recovery steps and post‑incident hardening recommendations.
This guide explains how to use standard Linux utilities and a custom Bash script to view, modify, save, and restore file timestamps, enabling attackers or administrators to conceal or recover evidence of file changes on a server.
This article explains how attackers and administrators can use Linux shell commands and a custom script to view, modify, save, and restore file timestamps, thereby concealing forensic evidence of unauthorized activity on a server.
This guide walks you through Linux account security, user file inspection, login tracking, privilege checks, process analysis, startup script review, cron job auditing, file searching, and log examination, providing practical commands and tips to uncover and mitigate potential intrusions.
This guide walks through common Linux emergency scenarios—such as mining malware, ransomware, and backdoors—detailing a step‑by‑step workflow and providing essential command‑line tools for process, user, network, and file investigation on CentOS 6 and Windows Server 2008 systems.
This article outlines common intrusion signs on CentOS 6.9 systems, explains how to examine logs, user files, login records, network traffic, and demonstrates using lsof and /proc to recover deleted security logs, providing practical commands for Linux security engineers.
This article details a real‑world Linux rootkit intrusion, describing the symptoms, forensic analysis techniques, evidence uncovered, the underlying Awstats vulnerability, and a comprehensive remediation plan to secure the server and prevent future compromises.
A client reported unexpected outbound attack traffic from a server, prompting a step‑by‑step forensic investigation that confirms an SSH brute‑force breach, analyzes logs, identifies malicious network connections and cron jobs, uncovers hidden mining malware, and provides hardening recommendations to secure the Linux host.
This guide presents a curated list of twelve Linux distributions—such as Kali Linux, BackBox, Parrot Security OS, and others—detailing their origins, key security tools, desktop environments, installation options, and unique features that make them ideal for ethical hacking, forensics, and network security assessments.
This guide explains how attackers can use shell scripts on a Linux server to modify, backup, and restore file timestamps—masking their activity—by leveraging tools like touch, stat, ls, and custom Bash scripts that automate the entire process.
This guide outlines practical steps and command examples for Linux administrators to identify compromised machines, examine logs, verify user files, monitor login activity, capture abnormal traffic, and recover deleted logs using lsof and /proc information.
This guide explains how to use Linux shell commands and a custom Bash script to view, modify, save, and restore file timestamps, enabling attackers to hide forensic evidence while also showing administrators how timestamps can be forged and why they must remain vigilant.
A comprehensive, curated list of 123 Python-based security tools spans network analysis, debugging, reverse engineering, fuzzing, web testing, forensics, malware analysis, PDF inspection, miscellaneous utilities, plus recommended libraries, books, and learning resources for penetration testers and security researchers.
This article explains how attackers can use Linux shell commands and a custom Bash script to view, modify, save, and later restore file timestamps, thereby concealing evidence of intrusion while providing the necessary code snippets and command examples for each step.
This article explains how attackers can use Linux shell commands and a custom Bash script to record, modify, and later restore file timestamps, thereby concealing evidence of intrusion, with detailed examples of touch, stat, ls, sed, and conditional scripting.
This guide walks Linux operations engineers through eleven practical checks—ranging from log inspection and user file verification to process analysis and file recovery—to identify whether a machine has been compromised and how to restore critical files.
This article compiles a comprehensive list of 123 Python-based penetration testing tools, covering network utilities, debugging and reverse‑engineering frameworks, fuzzing platforms, web testing kits, forensic analysis utilities, malware analysis helpers, PDF inspection modules, miscellaneous libraries, recommended books, talks, and additional resources for security professionals.
This article presents a comprehensive list of Python-based tools covering network packet analysis, debugging, reverse engineering, fuzzing, web testing, forensics, malware analysis, PDF inspection, and various miscellaneous utilities useful for security professionals and researchers.
When a production server is compromised, abrupt actions like pulling the plug can disrupt services, so this guide outlines an eight‑stage, evidence‑driven response process—including verification, on‑site preservation, containment, impact assessment, online analysis, backup, deep forensics, and reporting—plus real‑world case studies and concrete command examples.
After a sudden traffic surge and loss of SSH access on an Ubuntu 12.04 server, I worked with the data‑center team to trace malicious outbound connections, identify compromised binaries, remove persistent backdoor scripts, and implement firewall rules and logging practices to prevent future intrusions.
Learn how to systematically examine a Linux host for compromise by checking logs, user accounts, processes, file integrity, network activity, scheduled tasks, services, and rootkits, using built‑in commands and RPM verification to uncover hidden threats.
This guide compiles essential papers, tools, virtual machines, datasets, and training sites to help learners deepen their understanding of computer and network security through both theoretical study and hands‑on practice.
This guide walks you through eleven systematic Linux security checks—including account inspection, log review, process analysis, file integrity, RPM verification, network monitoring, scheduled tasks, backdoor detection, kernel modules, services, and rootkit scans—to help identify potential system compromises.
This article walks through a real-world Linux server compromise, detailing the attack symptoms, forensic analysis steps, rootkit discovery, exploitation of an Awstats script vulnerability, and practical remediation measures to restore and harden the affected system.
This guide presents a comprehensive set of Linux commands and practical steps for detecting, analyzing, and responding to compromised systems, covering process identification, file inspection, network checks, log recovery, forensic imaging, and useful tools such as ldd, strace, and nc.
This article details a real‑world Linux server intrusion, showing how a rootkit exploited an Awstats script vulnerability, the forensic steps to identify malicious processes, hidden files, and compromised accounts, and the recommended remediation actions to restore a secure environment.
