Investigating abnormally deleted files in Linux

Check the logs

Review the audit logs and login logs for abnormal user behavior, and check
the system logs such as /var/log/messages and /var/log/secure for abnormal entries.

Check who logged in

last: view the users who have logged in since the machine was created
lastlog: list each user's last login time, address and login terminal
ac -dp: view the connection time of all users on the machine

Check for abnormal processes

Find the script or executable file that a process is running:
a. Use the top command to find the PID of the abnormal process.
b. Find the process's executable file in its directory under the virtual file system (/proc):
ps -ef | grep <pid>
ll /proc/<pid>/ | grep -i exe    (for example, <pid> = 1850)
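
The lookup in step b, as an added example that is not part of the original post: it goes one step further and walks every PID, flagging processes whose executable was unlinked while still running (the kernel appends " (deleted)" to the exe link target). The function names, the optional PROC_ROOT argument and the sample tree are assumptions of this sketch; the sample data is constructed.

```bash
#!/usr/bin/env bash
# Added example. Each function takes an optional PROC_ROOT (default /proc)
# so the logic can also be run against a constructed directory tree.

# exe_of PID [PROC_ROOT]: print the target of the exe symlink
exe_of() {
    readlink "${2:-/proc}/$1/exe" 2>/dev/null
}

# cmdline_of PID [PROC_ROOT]: print the NUL-separated argv with spaces
cmdline_of() {
    tr '\0' ' ' < "${2:-/proc}/$1/cmdline" 2>/dev/null | sed 's/ $//'
}

# exe_deleted PID [PROC_ROOT]: exit 0 if the binary was removed from disk
exe_deleted() {
    case "$(exe_of "$@")" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# scan [PROC_ROOT]: one tab-separated line per process: PID, status, exe, cmdline
scan() {
    local root=${1:-/proc} dir pid status
    for dir in "$root"/[0-9]*; do
        [ -L "$dir/exe" ] || continue      # skip entries without an exe link
        pid=${dir##*/}
        status=ok
        exe_deleted "$pid" "$root" && status=DELETED
        printf '%s\t%s\t%s\t%s\n' "$pid" "$status" \
            "$(exe_of "$pid" "$root")" "$(cmdline_of "$pid" "$root")"
    done
}

# build_sample DIR: constructed /proc-like tree (not real process data)
build_sample() {
    mkdir -p "$1/1850" "$1/2001"
    ln -sfn '/tmp/.x/worker (deleted)' "$1/1850/exe"
    printf './worker\0--quiet\0' > "$1/1850/cmdline"
    ln -sfn /usr/sbin/sshd "$1/2001/exe"
    printf '/usr/sbin/sshd\0-D\0' > "$1/2001/cmdline"
}
```

On a live system, run scan with no argument as root so that the exe links of other users' processes are readable.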

Check for abnormal scheduled tasks

Reproduced from: https://blog.51cto.com/14382498/2409432

Origin blog.csdn.net/weixin_34204057/article/details/93036969