1. Checking Accounts
# less /etc/passwd
# grep :0: /etc/passwd (check whether a new user has been created, and whether any user has UID or GID 0)
# ls -l /etc/passwd (view the file's modification date)
# awk -F: '$3 == 0 {print}' /etc/passwd (see whether privileged users other than root exist)
# awk -F: 'length($2) == 0 {print}' /etc/shadow (see whether an account with an empty password exists)
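The account checks above, written as shell functions that can be run offline against constructed passwd/shadow text. This is an added example, not part of the original checklist; the sample file contents and the account names in them (toor, backup2, guest) are made up for the demonstration, and on a real host the functions would be fed /etc/passwd and /etc/shadow instead.

```shell
#!/bin/sh
# Added example, not part of the original checklist: the account checks from
# section 1 as functions that read passwd/shadow-format text from stdin.
# SAMPLE_PASSWD and SAMPLE_SHADOW are constructed; on a real host feed the
# functions /etc/passwd and /etc/shadow (reading /etc/shadow needs root).

# Constructed /etc/passwd: "toor" is an extra UID 0 account and "backup2" has
# a primary GID of 0; both should be flagged.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/:/bin/sh
backup2:x:1001:0::/var/backups:/bin/sh'

# Constructed /etc/shadow: "guest" has an empty password field, so anyone can
# log in as guest without a password. "toor" is locked ("!"), which is fine.
SAMPLE_SHADOW='root:$6$salt$hashedpassword:19000:0:99999:7:::
alice:$6$salt$hashedpassword:19000:0:99999:7:::
guest::19000:0:99999:7:::
toor:!:19000:0:99999:7:::'

# Accounts other than root whose UID (field 3) or primary GID (field 4) is 0.
uid0_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }'
}

# Accounts whose password field (field 2) is empty. A "!" or "*" in that
# field means the account is locked, the expected state for system accounts.
empty_password_accounts() {
    awk -F: 'length($2) == 0 { print $1 }'
}

# Account names present in only one of passwd ($1) and shadow ($2): a sign
# that one of the files was edited by hand rather than through useradd.
passwd_shadow_mismatch() {
    tmp_p=$(mktemp)
    tmp_s=$(mktemp)
    printf '%s\n' "$1" | cut -d: -f1 | sort > "$tmp_p"
    printf '%s\n' "$2" | cut -d: -f1 | sort > "$tmp_s"
    # comm -3 prints names that occur in only one file; shadow-only names are
    # in the second column, so strip the leading tab.
    comm -3 "$tmp_p" "$tmp_s" | tr -d '\t'
    rm -f "$tmp_p" "$tmp_s"
}

# Print a short report for the given passwd text ($1) and shadow text ($2).
account_report() {
    printf 'UID/GID 0 accounts other than root:\n'
    printf '%s\n' "$1" | uid0_accounts | sed 's/^/  /'
    printf 'Accounts with an empty password:\n'
    printf '%s\n' "$2" | empty_password_accounts | sed 's/^/  /'
    printf 'Accounts missing from passwd or shadow:\n'
    passwd_shadow_mismatch "$1" "$2" | sed 's/^/  /'
}

account_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On the constructed input the report lists toor and backup2 as UID/GID 0 accounts, guest as the empty-password account, and backup2, daemon and guest as names that exist in only one of the two files. On a real host, run it as root with `account_report "$(cat /etc/passwd)" "$(cat /etc/shadow)"`.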
2. Check logs
# last (view the login history of all users who normally log on to this machine)
Note "entered promiscuous mode" messages
Note error messages
Note log entries from remote procedure call (RPC) programs that contain a large number (>) of strange characters (M-^PM-^PM-^PM-^PM-^PM-^PM)
3. Check processes
# ps aux (note processes running as UID 0)
# lsof -p PID (see the ports and files opened by the process)
# cat /etc/inetd.conf | grep -v "^#" (check which daemons inetd starts)
Check for hidden processes (PIDs that exist in /proc but do not appear in ps output)
# ps -ef | awk 'NR > 1 {print $2}' | sort -n | uniq > 1
# ls /proc | grep '^[0-9]' | sort -n | uniq > 2
# diff 1 2
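The hidden-process comparison above as a function that takes two PID lists, plus a wrapper that pulls the lists from ps and /proc on a live host. This is an added example rather than part of the original checklist; the two sample PID lists are constructed so the comparison can be exercised offline, and PID 666 in them is a made-up value.

```shell
#!/bin/sh
# Added example, not part of the original checklist: the hidden-process check
# from section 3 as a function over two PID lists, plus a live wrapper.
# SAMPLE_PS_PIDS and SAMPLE_PROC_PIDS are constructed snapshots.

# Constructed snapshots: PID 666 is visible in /proc but absent from ps output,
# which is how a process hidden from ps (a replaced ps binary or a preloaded
# library filtering its output) shows up in this comparison.
SAMPLE_PS_PIDS='1 2 345 1024 2048'
SAMPLE_PROC_PIDS='1 2 345 666 1024 2048'

# Print PIDs present in the /proc list ($2) but not in the ps list ($1).
# Both arguments are whitespace-separated lists of PIDs.
hidden_pids() {
    tmp_ps=$(mktemp)
    tmp_proc=$(mktemp)
    # comm needs both inputs sorted the same way; plain sort is enough because
    # the comparison is string equality, not numeric order.
    printf '%s\n' $1 | sort -u > "$tmp_ps"
    printf '%s\n' $2 | sort -u > "$tmp_proc"
    # -13 suppresses lines unique to file 1 and lines common to both,
    # leaving only PIDs that /proc has and ps does not.
    comm -13 "$tmp_ps" "$tmp_proc"
    rm -f "$tmp_ps" "$tmp_proc"
}

# Live version: snapshot ps first, then the numeric entries of /proc.
# A process that exits between the two snapshots also shows up, so repeat
# the check before treating a hit as a hidden process.
live_hidden_pids() {
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    proc_pids=$(ls /proc | grep -E '^[0-9]+$')
    hidden_pids "$ps_pids" "$proc_pids"
}

printf 'PIDs in /proc but not in ps (constructed sample): %s\n' \
    "$(hidden_pids "$SAMPLE_PS_PIDS" "$SAMPLE_PROC_PIDS")"
```

This comparison only catches processes hidden from ps while still listed in /proc. A kernel-level rootkit that filters the /proc directory listing as well leaves nothing to diff, which is why the checklist also runs rkhunter and chkrootkit in section 11.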
4. Check files
# find / -uid 0 -perm -4000 -print
# find / -size +10000k -print
# find / -name "..." -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print
Note setuid files, suspiciously large files (over 10 MB) and files whose names consist only of dots and spaces
# find / -name core -exec ls -l {} \; (check for core files on the system)
Check system file integrity
# rpm -qf /bin/ls
# rpm -qf /bin/login
# md5sum -b filename
# md5sum -t filename
5. Check RPM
# rpm -Va
Output format:
S - file size differs
M - mode differs (permissions and file type)
5 - MD5 sum differs
D - device major/minor number mismatch
L - readlink path mismatch
U - user ownership differs
G - group ownership differs
T - modification time differs
Pay particular attention to files under /sbin, /bin, /usr/sbin and /usr/bin
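A filter for rpm -Va output that applies the flag letters above, keeping only the failures worth examining first: size, mode or MD5 changes to files under /bin, /sbin, /usr/bin and /usr/sbin, and files missing from those directories. This is an added example, not part of the original checklist; the sample rpm -Va output is constructed, and the paths in it are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original checklist: a triage filter for
# "rpm -Va" output based on the flag letters in section 5. SAMPLE_RPM_VA is
# constructed; on a real host pipe "rpm -Va" into rpm_va_triage.

# Constructed rpm -Va output. Each line is the flag field, an optional file
# type letter ("c" = config file) and the path. Only /bin/ls (size and MD5
# differ), /usr/bin/passwd (mode differs) and the missing /usr/bin/chattr
# should survive the filter; the other lines are expected noise.
SAMPLE_RPM_VA='S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/sbin/sshd
missing      /usr/bin/chattr
S.5....T.    /usr/share/man/man1/ls.1.gz'

# Read rpm -Va lines from stdin and print paths under /bin, /sbin, /usr/bin
# and /usr/sbin whose size (S), mode (M) or MD5 sum (5) differs, or that are
# missing. Config files ("c") are skipped because they legitimately drift,
# and a changed mtime alone (T) is ignored because the content is unchanged.
rpm_va_triage() {
    awk '
        NF < 2 { next }
        {
            flags = $1
            path  = $NF
            type  = (NF >= 3) ? $2 : ""
            if (type == "c") next
            if (path !~ "^/(bin|sbin|usr/bin|usr/sbin)/") next
            if (flags == "missing") { print "missing " path; next }
            if (index(flags, "S") || index(flags, "M") || index(flags, "5")) print path
        }'
}

printf '%s\n' "$SAMPLE_RPM_VA" | rpm_va_triage
```

rpm -Va compares files against the local RPM database and uses the local rpm binary, both of which an intruder with root could have altered. Treat a clean result as a first pass only, and confirm anything important with `rpm -Vp` against the vendor's package file or with md5sum values taken from a trusted source.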
6. Check the network
# ip link | grep -i promisc (a NIC should not normally be in promiscuous mode; if one is, a sniffer may be running)
# lsof -i
# netstat -nap (look for TCP/UDP ports that should not be open)
# arp -a
7. Check scheduled tasks
Note the crontabs of root and of any other UID 0 users
# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*
8. Check for back doors
# cat /etc/crontab
# ls /var/spool/cron/
# cat /etc/rc.d/rc.local
# ls /etc/rc.d
# ls /etc/rc3.d
# find / -type f -perm -4000
9. Check kernel modules
# lsmod
10. Check system services
# chkconfig
# rpcinfo -p (view RPC services)
11. Check for rootkits
# rkhunter -c
# chkrootkit -q