I. Check the system log
Use the lastb command to check the failed-login log and count the IP addresses with repeated attempts.
II. Check the system users
1. cat /etc/passwd to check whether any abnormal system users exist.
2. grep "0" /etc/passwd to check whether a new user with UID and GID 0 has been added (a coarse filter; the awk command in item 4 matches UID 0 exactly).
3. ls -l /etc/passwd to see when passwd was last modified and determine whether a user was added without your knowledge.
4. Check for privileged users:
   awk -F: '$3 == 0 {print $1}' /etc/passwd
5. Check for accounts with an empty password:
   awk -F: 'length($2) == 0 {print $1}' /etc/shadow
III. Check for abnormal processes
1. Use ps -ef to view the processes, paying attention to processes running as UID 0.
2. Use lsof -p pid to view the ports and files a process has opened.
3. Check for hidden processes by comparing the PIDs that ps reports with the entries in /proc:
   ps -ef | awk '{print $2}' | sort -n | uniq > 1
   ls /proc | sort -n | uniq > 2
   diff 1 2
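A more robust form of the hidden-process comparison in item 3, added here as an example and not part of the original checklist. It assumes a Linux /proc; the function and temporary file names are our own.

```shell
#!/bin/sh
# Added example, not part of the original checklist: a cleaner version of the
# "hidden process" check in III.3. A PID that exists under /proc but is missing
# from ps output is a candidate for a process hidden from ps (for instance by a
# rootkit). Function and temp file names here are our own choice.

# compare_pid_lists PS_LIST PROC_LIST
# Print, one per line and in numeric order, every PID in PROC_LIST that does
# not appear in PS_LIST. Inputs are files of bare PIDs; leading whitespace and
# duplicates are tolerated. FILENAME == ARGV[1] (rather than NR == FNR) keeps
# the logic correct even when the ps list is empty.
compare_pid_lists() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen)       { print $1 }' "$1" "$2" | sort -n | uniq
}

# collect_and_compare
# Take the two snapshots as close together as possible. The /proc listing is
# done with a shell glob rather than ls so that no extra child process shows
# up in /proc but not in ps. A process that starts or exits between the two
# snapshots can still appear once; rerun before treating a PID as hidden.
collect_and_compare() {
    tmpdir=$(mktemp -d) || return 1
    ps -eo pid= > "$tmpdir/ps.txt"
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done > "$tmpdir/proc.txt"
    compare_pid_lists "$tmpdir/ps.txt" "$tmpdir/proc.txt"
    rm -rf "$tmpdir"
}

# Run the live check when /proc is available; no output means no difference.
if [ -d /proc/self ]; then
    collect_and_compare
fi
```

Any PID printed should be confirmed with a second run and by inspecting /proc/PID/status and /proc/PID/exe directly before drawing conclusions.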
IV. Check for file system abnormalities
find / -uid 0 -perm -4000 -print   # setuid files owned by root
find / -size +10000k -print        # unusually large files
find / -name "..." -print          # files and directories with deceptive names
find / -name ".. " -print
find / -name ". " -print
find / -name " " -print
V. Check the integrity of system files
rpm -qf /bin/ls
rpm -qf /bin/login
md5sum -b filename
md5sum -t filename
VI. Check RPM integrity
rpm -Va   # pay attention to /sbin, /bin, /usr/sbin, /usr/bin
VII. Check the network
ip link | grep PROMISC   # a NIC should not normally be in PROMISC mode; if it is, a sniffer may be running
lsof -i
netstat -nap             # look for TCP/UDP ports that should not be open
arp -a
VIII. Check the system scheduled tasks
crontab -u root -l
cat /etc/crontab
ls /etc/cron.*
IX. Check for system back doors
cat /etc/crontab
ls /var/spool/cron/
cat /etc/rc.d/rc.local
ls /etc/rc.d
ls /etc/rc3.d
X. Check the system services
chkconfig --list
rpcinfo -p   # list the RPC services
XI. Check for rootkits
rkhunter -c
chkrootkit -q