A few tips to find evidence of linux intrusion

To find evidence of linux system intrusion, you can start from the following aspects:
1. last and lastlog commands can be used to view the recently logged-on account and time
2. for/var/log/secure,/var/log/messages log information, you can use the accept keyword to check whether the system has successfully logged on with a suspicious IP address.
3. the user's task plan, file/var/spool/cron/tabs/user, some hackers will set the backdoor program, virus as a scheduled task, and regularly execute
4. several directories often contain Trojans, viruses,/tmp,/var/tmp,/dev/shm. Because these directories are configured with SBIT, that is, all users can read and write data, executable. In addition, the root permission is granted to access these directories, so even if hackers do not have the root permission, It is very convenient to upload viruses to these directories.
5. find/-ctime n is the specified time. You can use the information found above to make a comprehensive judgment, and then select a time point to find the file created at that time point. Www.2cto.com, for example, within 24 hours two days ago, you can use find/-ctime 2>/tmp/file. log (if you do not want to screen, you can redirect to a file)
6. Various service logs, such as apache logs:
$ APACHE_HOME/logs/access_log, $ APACHE_HOME/logs/error_log

 
From the Network Security Defense Research Office