
Linux Forensics

Linux servers dominate the cloud, so most server-side incident response ends up on a Linux box. When a Linux server is compromised you need to analyze logs, check for backdoors, identify persistence mechanisms, and trace attacker activity. Two caveats before running anything below on the live host: every command relies on binaries (ps, ss, ls, find) that a rootkit may have replaced or hooked, so bring statically linked copies on trusted media or confirm findings against a read-only disk image; and every command changes volatile state (atime, the journal, shell history), so capture memory and other volatile data first and keep a record of what you ran and when.

Log Analysis

Linux logs live in /var/log/ as text files, plus the binary systemd journal (read with journalctl) on systemd hosts:

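# Authentication logs. On a compromised host, a missing, zero-byte or
# time-gapped log is evidence in itself: wiping logs is routine attacker tradecraft.
ls -la /var/log/                 # Zero-byte files, odd mtimes, missing rotated copies
cat /var/log/auth.log            # Debian/Ubuntu
cat /var/log/secure              # RHEL/CentOS

# Failed logins. Include rotated copies (.1, .gz) and count per source
# so brute-force origins stand out.
grep "Failed password" /var/log/auth.log
zgrep -h "Failed password" /var/log/auth.log* /var/log/secure* 2>/dev/null \
  | grep -oE "from [^ ]+" | sort | uniq -c | sort -rn

# Successful logins ("Accepted password" vs "Accepted publickey" tells you how they got in)
grep "Accepted" /var/log/auth.log

# Sudo usage; the trailing colon skips unrelated lines that merely contain the word
grep "sudo:" /var/log/auth.log

# SSH sessions (pair "opened" with "closed" to get session durations)
grep "sshd" /var/log/auth.log | grep -E "session (opened|closed)"

# System logs
cat /var/log/syslog              # General system events (Debian/Ubuntu)
cat /var/log/messages            # RHEL system events
journalctl --no-pager            # Full systemd journal (add -b for the current boot only)
journalctl -xe                   # Most recent entries with explanations
journalctl --list-boots          # Unexpected reboots
journalctl --verify              # Flags truncated or corrupted journal files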

User Activity

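# Currently logged in users
who
w
last                             # Login history from /var/log/wtmp
last -f /var/log/wtmp.1          # Rotated wtmp, if present
lastb                            # Failed logins from /var/log/btmp (needs root)
lastlog                          # Last login per account

# Command history for EVERY account, not just the shell you are sitting in.
# A missing or empty file is itself a finding: HISTFILE=/dev/null, "history -c"
# and truncation are all cheap anti-forensics. Other shells keep .zsh_history etc.
ls -la /root/.bash_history /home/*/.bash_history 2>/dev/null
for h in /root /home/*; do
  [ -f "$h/.bash_history" ] || continue
  printf '== %s ==\n' "$h"
  cat "$h/.bash_history"
done
grep -i "ssh\|curl\|wget\|nc\|nmap" /root/.bash_history /home/*/.bash_history 2>/dev/null

# Accounts: a second UID-0 user or a login shell on a service account is a backdoor
awk -F: '$3 == 0' /etc/passwd
awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $7}' /etc/passwd

# Root access. grep "root" alone matches far too much; anchor on the events that matter.
grep -E "session opened for user root|Accepted .* for root|sudo:.*COMMAND" /var/log/auth.log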

Process Forensics

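# Running processes. ps output is only as trustworthy as the ps binary on this box
# (a rootkit can filter it), which is why /proc is cross-checked below.
ps aux
ps auxf                          # Process tree: look for shells parented by web/db daemons
ps -eo pid,ppid,user,lstart,etime,cmd --sort=start_time   # Start times line up against the log timeline

# Suspicious interpreters and network tools. pgrep does not match itself,
# unlike "ps | grep", and -a prints the full command line.
pgrep -af "bash|python|perl|nc|ncat|socat"
ps aux | grep -v "\["            # Drops kernel threads, but "[kworker]" is trivial to fake as a name: verify via /proc/PID/exe

# Per-process detail (replace PID)
lsof -p PID                      # Open files
lsof -nP -i                      # Sockets; -n/-P skip DNS and port-name lookups (faster, no outbound DNS noise)
ls -l /proc/PID/exe /proc/PID/cwd            # Binary path and working directory
tr '\0' '\n' < /proc/PID/environ             # Environment (LD_PRELOAD, proxies, leaked credentials)

# Deleted or oddly located executables. Dumping argv ("cat cmdline | strings")
# does not reveal hidden processes; these checks catch the common tricks.
ls -l /proc/[0-9]*/exe 2>/dev/null | grep "(deleted)"                   # Binary removed after launch
ls -l /proc/[0-9]*/exe 2>/dev/null | grep -E "/(tmp|var/tmp|dev/shm)/"  # Running from a scratch directory

# PIDs present in /proc but absent from ps (userland rootkit hiding from ps).
# Expect a few transient PIDs from this pipeline itself; anything persistent is a finding.
diff <(ps -eo pid= | awk '{print $1}' | sort -n) <(ls -d /proc/[0-9]* | sed 's#/proc/##' | sort -n)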

Persistence Checks

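# Cron jobs (ATTACKER FAVORITE). Check every spool location, not just one distro's.
cat /etc/crontab
cat /etc/anacrontab
ls -la /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/
cat /var/spool/cron/crontabs/*   # Debian/Ubuntu per-user crontabs
cat /var/spool/cron/*            # RHEL/CentOS per-user crontabs
for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"; done
atq                              # One-shot "at" jobs
ls -la /var/spool/at/ 2>/dev/null

# Systemd: units AND timers, system-wide and per user
systemctl list-units --type=service --state=running
systemctl list-unit-files | grep enabled
systemctl list-timers --all
ls -la /etc/systemd/system/ /usr/lib/systemd/system/ /run/systemd/system/
ls -la /home/*/.config/systemd/user/ /root/.config/systemd/user/ 2>/dev/null
grep -R "ExecStart" /etc/systemd/system/ | grep -E "/tmp/|/dev/shm|/var/tmp|curl|wget|bash -c"
find /etc/systemd /usr/lib/systemd -type f -ctime -7   # Recently dropped or edited units (ctime resists touch -r)

# Startup scripts and shell init files (run on every boot/login, so a favourite drop point)
cat /etc/rc.local
ls -la /etc/init.d/
cat /etc/inittab
ls -la /etc/profile.d/
grep -E "curl|wget|nc |bash -i|/dev/tcp" /etc/profile /etc/bash.bashrc /root/.bashrc /root/.profile /home/*/.bashrc /home/*/.profile 2>/dev/null

# SSH authorized keys for ALL users, not just the one you are logged in as.
# Read the key options too: command=, from= or an unfamiliar comment can hide a backdoor
# behind a legitimate-looking key.
cat /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys 2>/dev/null
grep -E "AuthorizedKeysFile|AuthorizedKeysCommand|PermitRootLogin|PasswordAuthentication" /etc/ssh/sshd_config

# LD_PRELOAD tricks
cat /etc/ld.so.preload           # Normally absent; contents are almost always malicious
env | grep LD_PRELOAD
grep -R "LD_PRELOAD" /etc/environment /etc/profile.d/ 2>/dev/null

# Kernel modules (rootkits) and module autoload configuration
lsmod
ls -la /etc/modules-load.d/ /etc/modprobe.d/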

File Integrity

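# Recently changed files. Use find's own -prune instead of piping to grep -v:
# an unquoted "grep -v /proc\|/sys" hands grep the literal pattern "/proc|/sys",
# which in basic regex never matches, so nothing was filtered. Prefer -cmin/-ctime
# over -mmin/-mtime: mtime is reset with a plain "touch -r", ctime cannot be faked
# without changing the system clock.
find / \( -path /proc -o -path /sys -o -path /run -o -path /dev \) -prune -o -type f -cmin -60 -print 2>/dev/null
find / \( -path /proc -o -path /sys -o -path /run -o -path /dev \) -prune -o -type f -ctime -1 -print 2>/dev/null
find / \( -path /proc -o -path /sys \) -prune -o -type f -mmin -60 -print 2>/dev/null   # mtime view, for comparison

# Timestomping tell: mtime earlier than ctime on a binary that "should" be untouched
stat /usr/bin/ssh /usr/sbin/sshd /bin/ls /bin/ps /usr/bin/ss

# SUID/SGID binaries and file capabilities (diff the list against a clean host of the same build)
find / \( -path /proc -o -path /sys \) -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
getcap -r / 2>/dev/null

# World-writable files and directories (a writable dir on PATH or in a service's ExecStart is a privesc)
find / \( -path /proc -o -path /sys \) -prune -o -type f -perm -o+w -print 2>/dev/null
find / \( -path /proc -o -path /sys \) -prune -o -type d -perm -o+w ! -perm -1000 -print 2>/dev/null

# Check package integrity. Caveat: this trusts the package database and the dpkg/rpm
# binaries on the suspect host; confirm any result from a clean host or a read-only image.
dpkg --verify                    # Debian (or debsums -c if installed); "??5??????" = content changed
rpm -Va                          # RHEL; e.g. "S.5....T." = size, md5 and mtime differ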

Network Forensics

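# Current connections (-p shows the owning process; run as root or the column is blank)
ss -tulnp                        # Listening TCP/UDP with process
ss -antup                        # All TCP/UDP connections with process
ss -antup | grep -v "127.0.0.1\|::1"   # Remote peers only
ss -xp                           # Unix sockets (local IPC backdoors)
cat /proc/net/tcp /proc/net/udp  # Raw kernel tables (hex addresses); cross-check if ss itself may be hooked

# Firewall rules, including the NAT table where attackers add port redirects
iptables -L -n -v
iptables -t nat -L -n -v
nft list ruleset

# Name resolution. /etc/hosts is the quietest way to hijack a domain; a rogue
# resolver in resolv.conf does the same for everything.
cat /etc/hosts                   # Unexpected entries for update, security or CDN hosts
cat /etc/resolv.conf             # Rogue resolver
resolvectl status 2>/dev/null    # Per-link DNS servers on systemd-resolved hosts
journalctl -u systemd-resolved

# Neighbours and interfaces (PROMISC on an interface usually means a sniffer)
ip neigh
ip link | grep -i promisc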

Timeline Creation

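# File timeline anchored on a reference file. -newer compares mtime, which an
# attacker can reset; -cnewer compares ctime, which they cannot. Pick a reference
# whose ctime you trust (last known-good package update, /etc/shadow rotation, ...).
find / \( -path /proc -o -path /sys \) -prune -o -type f -newer /etc/shadow -print 2>/dev/null
find / \( -path /proc -o -path /sys \) -prune -o -type f -cnewer /etc/shadow -print 2>/dev/null

# Or bound the window explicitly once the logs give you an incident time
# (set START and END as "YYYY-MM-DD HH:MM" from the log timeline)
find / \( -path /proc -o -path /sys \) -prune -o -type f -newermt "$START" ! -newermt "$END" -print 2>/dev/null

# Sort key directories by change time (ctime), newest last
ls -latr --time=ctime /etc/
ls -latr --time=ctime /usr/bin/
stat /etc/passwd /etc/shadow /etc/sudoers   # All three timestamps side by side

# Bind shell detection. A fixed port list is a weak heuristic: nothing stops an
# attacker from listening on 443 or 8080. Anchor the match so 4444 does not also
# hit 14444, then review EVERY listener with its process against a baseline of
# the services this host is supposed to run.
ss -tlnp | grep -E ":(4444|5555|6666|7777|8888|1337|31337)( |$)"
ss -tlnp                         # The real check: anything you cannot attribute to a known service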