1. UNUSUAL PROCESSES
  1. ps aux
    1. Look at running processes (ps -ef shows the parent PID as well, which helps spot a shell spawned by a daemon)
  2. lsof -p [pid]
    1. Shows the files and ports used by [pid]
  3. chkconfig --list
    1. If available (SysV init hosts; systemd hosts list enabled units with systemctl list-unit-files --state=enabled)
    2. Check which services are enabled
2. UNUSUAL FILES
  1. find / -uid 0 -perm -4000 -print
    1. Unusual SUID root files; compare the list against a known-good host of the same build, since every distribution ships some
  2. find / -size +10000k -print
    1. Look for unusually large files
  3. find / -name " " -print
  4. find / -name ". " -print
  5. find / -name ".. " -print
    1. Look for files and directories whose names are only dots and spaces (they blend into ls output)
  6. lsof +L1
    1. Look for processes running from or holding open unlinked (deleted) files, such as a binary removed from disk after launch
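Added example, not part of the cheat sheet: the UNUSUAL FILES checks combined into one sweep, run first against a constructed directory tree so the expressions can be verified before they are pointed at /. The function names, the constructed tree, and the -regex form (which generalises the three literal -name tests to any name made only of dots and spaces) are this example's own, not the sheet's.

```shell
#!/bin/bash
# Added example (not from the cheat sheet): SUID binaries, oversized files and
# dot/space names found in one pass, with a constructed tree for self-testing.

# Report under "$1"; "$2" is the size threshold in KiB (10000 on the sheet).
# On a live host run as root and add "-uid 0" to the first find to keep only
# root-owned SUID files; the constructed tree below is owned by the caller.
unusual_files() {
    local root="$1" sizek="${2:-10000}"
    # setuid bit set (-perm -4000 = at least that bit)
    find "$root" -type f -perm -4000 -print 2>/dev/null | sed 's/^/SUID     /'
    # larger than the threshold
    find "$root" -type f -size +"${sizek}k" -print 2>/dev/null | sed 's/^/LARGE    /'
    # basename consisting only of dots and spaces: " ", ". ", ".. " from the
    # sheet plus variants such as "..." (basic regex, works with GNU and BSD find)
    find "$root" -regex '.*/[. ][. ]*' -print 2>/dev/null | sed 's/^/ODDNAME  /'
}

# Number of reports of one kind ("SUID", "LARGE" or "ODDNAME") for a tree.
count_hits() {
    unusual_files "$1" "$2" | grep -c "^$3" || true
}

# Constructed tree imitating common tricks: a hidden setuid copy of a script,
# a 64 KiB blob, and a directory/file pair named with only dots and spaces.
build_test_tree() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/usr/bin" "$d/var/log" "$d/tmp/. "      # directory literally named ". "
    printf '#!/bin/sh\nexit 0\n' > "$d/usr/bin/legit"
    cp "$d/usr/bin/legit" "$d/usr/bin/.sh_backup"
    chmod 4755 "$d/usr/bin/.sh_backup"                  # setuid bit on a hidden file
    : > "$d/tmp/. / "                                   # file named " " inside ". "
    : > "$d/tmp/.. "                                    # file named ".. "
    head -c 65536 /dev/zero > "$d/var/log/big.bin"
    printf '%s\n' "$d"
}

# Live use:  unusual_files / 10000
# Self-test: run with --selftest to sweep the constructed tree (32 KiB threshold)
if [ "${1:-}" = "--selftest" ]; then
    tree="$(build_test_tree)"
    unusual_files "$tree" 32
    rm -rf "$tree"
elif [ -n "${1:-}" ]; then
    unusual_files "$1" "${2:-10000}"
fi
```

Against the constructed tree the sweep reports one SUID file, one LARGE file and three ODDNAME entries (the directory ". ", the file " " inside it, and ".. "). On a real host the SUID list is long by design; the useful output is the difference from a clean host of the same build.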
3. UNUSUAL NETWORK USAGE
  1. ip link | grep PROMISC
    1. Look for network interfaces in promiscuous mode: a possible sniffer
  2. netstat -nap
    1. Look for unusual port listeners (on hosts without netstat, ss -tulpn gives the same view)
  3. lsof -i
    1. Details about processes listening on ports
  4. arp -a
    1. Unusual ARP entries (ip neigh on hosts without arp)
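Added example, not part of the cheat sheet: "look for unusual port listeners" turned into a repeatable baseline comparison. Listener output is normalised to "proto/port program" so IPv4/IPv6 duplicates and queue columns do not create noise, then compared with a baseline saved from a known-good host. The ss output and baseline below are constructed for the example; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the cheat sheet): baseline comparison of listeners.

# Normalise `ss -tulpn` text on stdin to sorted, unique "proto/port program".
# Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
normalize_ss() {
    awk '
        $1 == "Netid" { next }                      # header line, if -H was not used
        {
            port = $5; sub(/.*:/, "", port)         # text after the last ":" is the port
            prog = "-"                              # no process column without -p / root
            if (match($0, /"[^"]+"/)) prog = substr($0, RSTART + 1, RLENGTH - 2)
            print $1 "/" port " " prog
        }' | sort -u
}

# Print normalised listeners on stdin that are absent from baseline file "$1".
# Exit status 1 from grep means nothing new was found.
new_listeners() {
    grep -v -x -F -f "$1"
}

# Collect from the live host (root is needed for the process column).
live_listeners() {
    ss -tulpnH | normalize_ss
}

# Constructed `ss -tulpn` output: two stock services plus a netcat listener.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=12))
tcp   LISTEN 0      1      0.0.0.0:4444         0.0.0.0:*         users:(("nc",pid=2101,fd=3))'

# Constructed baseline, as saved earlier from a clean host of the same build.
SAMPLE_BASELINE='tcp/22 sshd
udp/53 systemd-resolve
tcp/631 cupsd'

# Compare the constructed listing with the constructed baseline: prints "tcp/4444 nc".
demo_new_listeners() {
    local b
    b="$(mktemp)"
    printf '%s\n' "$SAMPLE_BASELINE" > "$b"
    printf '%s\n' "$SAMPLE_SS" | normalize_ss | new_listeners "$b"
    rm -f "$b"
}

# Live use: `live_listeners > baseline.txt` once on a clean host, later
# `live_listeners | new_listeners baseline.txt`. With --demo, run on the samples.
if [ "${1:-}" = "--demo" ]; then
    demo_new_listeners
fi
```

A service that disappeared from the baseline (cupsd above) is not flagged by this direction of the comparison; swap the two inputs to report those as well.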
4. UNUSUAL SCHEDULED TASKS
  1. crontab -u root -l
    1. Cron jobs scheduled by root; repeat with -u for every other UID 0 account found under UNUSUAL ACCOUNTS
  2. cat /etc/crontab
  3. ls /etc/cron.*
    1. Unusual system-wide cron jobs; on systemd hosts also review systemctl list-timers --all, and atq for one-off jobs
5. UNUSUAL ACCOUNTS
  1. sort -nk3 -t: /etc/passwd | less
    1. Look for new accounts sorted by UID
  2. egrep ':0+:' /etc/passwd
    1. Look for unexpected UID 0 accounts (the pattern also matches a GID of 0 in the fourth field, so confirm that the third field is the 0 before acting)
  3. getent passwd | egrep ':0+:'
    1. Look for unexpected UID 0 accounts if using multiple authentication sources (LDAP, NIS), which /etc/passwd alone does not show
  4. find / -nouser -print
    1. Look for orphaned files; they may be the cache of a temporary account that was deleted
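Added example, not part of the cheat sheet: the UID 0 check done on the UID column itself. egrep ':0+:' matches ":0:" anywhere in the line, so a stock account whose primary group is GID 0 (operator and sync on some distributions) shows up next to a real backdoor, while awk on field 3 reports only true UID 0 entries and still catches the "00" spelling. The passwd content below is constructed for the example; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the cheat sheet): UID 0 and duplicate-UID checks.

# Account names whose UID field is numerically 0 ("0", "00", ...).
# Argument: a passwd-format file, or "-" for stdin (e.g. from getent passwd).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# UIDs shared by more than one account name (an attacker can alias root
# without touching the root entry). Same argument convention.
duplicate_uids() {
    awk -F: '
        { uid = $3 + 0; count[uid]++; names[uid] = names[uid] " " $1 }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "${1:-/etc/passwd}"
}

# Accounts listed by UID: the sheet's sort with an explicit key range.
by_uid() {
    sort -t: -k3,3n "${1:-/etc/passwd}"
}

# What the sheet's pattern reports on the same data, for contrast.
grep_uid0() {
    grep -E ':0+:' "${1:-/etc/passwd}"
}

# Constructed passwd: two stock GID-0 accounts, one UID-0 backdoor ("toor")
# and one hiding behind the "00" spelling ("support").
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
operator:x:11:0:operator:/root:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/var/tmp/.t:/bin/bash
support:x:00:1001::/home/support:/bin/sh'

# Live use: getent passwd | uid0_accounts -   (covers LDAP/NIS as well)
# With --demo, compare both approaches on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    echo "awk on the UID column:"; printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts -
    echo "egrep ':0+:':";          printf '%s\n' "$SAMPLE_PASSWD" | grep_uid0 -
    echo "duplicate UIDs:";        printf '%s\n' "$SAMPLE_PASSWD" | duplicate_uids -
fi
```

On the constructed data egrep returns five lines (root, sync, operator, toor, support) while the UID-column check returns three (root, toor, support); the duplicate-UID check reports "0: root toor support", which is the finding that matters.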
6. UNUSUAL LOG ENTRIES
  1. "entered promiscuous mode"
  2. Large number of authentication failures from local or remote sources
  3. RPC programs logging requests that contain a large number of unusual characters (possible buffer overflow attempts)
  4. Web logs with an unusual number of errors
  5. Unexplained reboots or application restarts
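Added example, not part of the cheat sheet: the first, second and fifth log indicators as detection logic that can be run over /var/log/auth.log or /var/log/secure, the kernel log, or a journalctl export. The log lines below are constructed for the example (TEST-NET addresses); the function names and the failure threshold are this example's own.

```shell
#!/bin/bash
# Added example (not from the cheat sheet): log indicators as awk/grep filters.

# Authentication failures per source, for sources at or above threshold "$1"
# (default 1). Covers sshd "Failed password ... from X" and PAM
# "authentication failure ... rhost=X"; an empty rhost is reported as "local".
auth_failures() {
    awk -v thr="${1:-1}" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
            next
        }
        /authentication failure/ {
            src = "local"
            if (match($0, /rhost=[^ ]+/)) src = substr($0, RSTART + 6, RLENGTH - 6)
            n[src]++
        }
        END { for (s in n) if (n[s] >= thr) print n[s], s }' | sort -rn
}

# Interfaces the kernel reported entering promiscuous mode.
promisc_events() {
    awk '/entered promiscuous mode/ { for (i = 1; i <= NF; i++) if ($i == "device") print $(i + 1) }'
}

# Reboot markers: systemd shutdown/startup lines and the kernel banner that
# opens every boot. Cross-check with `last -x`, which reads wtmp instead.
restart_events() {
    grep -E 'systemd\[1\]: (Starting Reboot|Startup finished)|kernel: .*Linux version'
}

# Constructed syslog excerpt: a sniffer starting, a password-guessing burst
# from one address, one local su failure and a reboot.
SAMPLE_LOG='Mar  3 09:12:01 web01 kernel: [ 4123.551] device eth0 entered promiscuous mode
Mar  3 09:12:44 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 09:12:46 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2
Mar  3 09:12:49 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  3 09:13:02 web01 sshd[2230]: Accepted publickey for alice from 192.0.2.15 port 40112 ssh2
Mar  3 09:13:40 web01 sshd[2240]: Failed password for alice from 192.0.2.15 port 40120 ssh2
Mar  3 09:14:11 web01 su[2260]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/0 ruser=alice rhost=  user=root
Mar  3 09:20:00 web01 kernel: [ 4601.101] device eth0 left promiscuous mode
Mar  3 09:21:09 web01 systemd[1]: Starting Reboot...'

# Live use: auth_failures 10 < /var/log/auth.log ; journalctl -k | promisc_events
# With --demo, run the three filters over the constructed excerpt.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | auth_failures 2
    printf '%s\n' "$SAMPLE_LOG" | promisc_events
    printf '%s\n' "$SAMPLE_LOG" | restart_events
fi
```

With a threshold of 2 only "3 203.0.113.9" is reported; with the default threshold the single failures from 192.0.2.15 and from the local su attempt appear as well, which is the view to use when the concern is a slow, distributed guess rather than one noisy source.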
7. UNUSUAL OTHERS
  1. uptime
    1. Look at the load average
  2. df
    1. Sudden increase in disk space utilization