Incident Response 1717384290

Page | 6

Follow us: www.hackingarticles.in


security incident occurs. As an Incident Responder, you should always be aware of what should be and
should not be present in your systems.
Security incidents can be investigated by:

• examining the running processes
• having insight into the contents of physical memory
• gathering details on the hostname, IP address, operating system, etc.
• gathering information on system services
• identifying all known and unknown users logged onto the system
• inspecting network connections, open ports and any network activity
• determining the various files present

User Accounts
As an Incident Responder, it is very important to investigate user account activity. It helps you
understand the logged-in users, the existing users, usual or unusual logins, failed login attempts,
permissions, access via sudo, etc.
The commands below check user account activity:

/etc/passwd

To identify whether there is an account entry on your system that seems suspicious, list the user
accounts. /etc/passwd holds one line per account (name, UID, GID, home directory and login shell). To
view it, type

cat /etc/passwd

Setuid is a special file permission in Linux. When a user wants to change their password, they run the
‘passwd’ command. Because the passwd binary is marked setuid root, the user temporarily gets root
permission so that the password file can be updated. To check the password status of a given user (here
raj: whether a password is set or the account is locked, and when it was last changed), type

passwd -S raj

grep

grep searches plain text for lines that match a regular expression. The pattern :0: is used to display
the ‘UID 0’ entries in the /etc/passwd file; only root should normally have UID 0.

grep :0: /etc/passwd

find / -nouser
To identify files that belong to no existing user (which can be left behind when an attacker creates a
temporary user to perform an attack and then deletes the account), type

find / -nouser -print
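As an added example that is not part of the original cheatsheet, the POSIX shell script below bundles the /etc/passwd checks above into reusable functions. It runs against a constructed passwd-format file (the account names and the planted "backup" entry are made up), so it works offline; for real use, point the functions at /etc/passwd or at a copy collected from the suspect host.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts that merit a second
# look. Each function takes the file path as $1, so the same checks work on
# the live /etc/passwd or on a copy collected from a suspect host.

# Every account with UID 0 has full root privilege, whatever its name.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose login shell is interactive. Service accounts normally get
# nologin or false, so a service account with a real shell stands out.
shell_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# Succeeds (exit 0) only when root is the sole UID 0 account.
only_root_is_uid0() {
    [ "$(uid0_accounts "$1" | tr '\n' ' ')" = "root " ]
}

# Constructed sample passwd file with one planted UID 0 account ("backup").
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
raj:x:1000:1000:raj:/home/raj:/bin/bash
backup:x:0:0:backup:/tmp:/bin/sh
EOF

echo "UID 0 accounts:";     uid0_accounts "$SAMPLE_PASSWD"
echo "Interactive shells:"; shell_accounts "$SAMPLE_PASSWD"
if only_root_is_uid0 "$SAMPLE_PASSWD"; then
    echo "OK: root is the only UID 0 account"
else
    echo "WARNING: extra UID 0 account(s) present"
fi
```

Running it prints root and backup as UID 0 accounts and a warning; on a healthy host only root is listed. The shell check is a heuristic: a service account with /bin/bash is not proof of compromise, but it is a question worth answering.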

The /etc/shadow file contains the password hashes and the password ageing details, and it is only
readable by the root user.

cat /etc/shadow

The /etc/group file lists the groups on the system and their members. To view the details, type

cat /etc/group

To view which users and groups are allowed to run commands with sudo, the /etc/sudoers file can be
viewed (any files included from the /etc/sudoers.d/ directory deserve the same attention)

cat /etc/sudoers

Lastlog
To view the most recent login of a particular user, or of all users on the Linux system, you can type

lastlog

Auth.log

To identify any suspicious SSH or telnet logins or other authentication events on the system, go to the
/var/log/ directory and type

tail auth.log

History

To view the history of commands that the user has typed, you can page through history with less, or
pass a number to show only the last N commands. To view the history, you can type

history | less

memory space and utilisation of the system etc.

Uptime
To see how long the server has been running, the current system time, how many users are currently
logged on, and the system load averages, you can type:

uptime

Free

To view the memory utilisation by the system in Linux, the used physical and swap memory in the
system, as well as the buffers used by the kernel, you can type,

free

/proc/meminfo

As an incident responder, to check detailed information on the RAM (memory available, buffers and
swap on the system), you can type

cat /proc/meminfo

As an incident responder, it is your responsibility to check whether there is an unknown mount on your
system. To list the mounts present on your system, you can type

cat /proc/mounts

Processes
As an incident responder, you should always be curious when looking through the output generated by
your system. Your curiosity should compel you to view the programs currently running on the system,
whether they need to be running, whether they should be running at all, the CPU usage of these
processes, etc.

top

To get a dynamic, real-time view of all processes running on the Linux system, with a summary of
system information and the list of processes (or threads) managed by the Linux kernel together with
their ID numbers, you can make use of

top

To see the process status of your Linux system, the currently running processes and their PIDs, and to
identify abnormal processes that could indicate malicious activity on the system, you can use

ps aux

PID

To display more details on a particular process, you can use,

lsof -p [pid]
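Reading ps output by eye scales poorly, so here is an added example (not part of the original cheatsheet) of two checks a responder commonly applies to a process listing: programs executing from world-writable or memory-backed locations, and shells whose parent is a service rather than a login path. The functions read the listing from stdin so they work on live "ps axo pid,ppid,user,args" output or on a listing saved from another host; the column layout (pid, ppid, user, args, with a header line) is an assumption, and the sample listing with its "kworker" file in /dev/shm is constructed.

```shell
#!/bin/sh
# Added example: screen a ps-style listing (pid ppid user args, with header)
# for two common signs of trouble. Reads the listing from stdin.

# "pid user command" for processes whose command line refers to /tmp,
# /var/tmp or /dev/shm. Legitimate software very rarely runs from there.
suspicious_process_paths() {
    awk 'NR > 1 && $0 ~ /\/(tmp|var\/tmp|dev\/shm)\// {
        cmd = ""
        for (i = 4; i <= NF; i++) cmd = cmd (i > 4 ? " " : "") $i
        print $1, $3, cmd
    }'
}

# Shells (sh, bash, dash, including login shells shown as "-bash") whose
# parent is not a normal login path or another shell. A web server or
# database spawning /bin/sh is the classic example.
shells_spawned_by_services() {
    awk 'NR > 1 {
             pid[NR] = $1; ppid[NR] = $2; user[NR] = $3; cmd[NR] = $4; cmd_of[$1] = $4
         }
         END {
             for (n = 2; n <= NR; n++)
                 if (cmd[n] ~ /(^-|\/)(sh|bash|dash)$/ &&
                     cmd_of[ppid[n]] !~ /\/(sshd|login|init|systemd|sh|bash|dash)$/)
                     print pid[n], user[n], cmd[n], "parent:", cmd_of[ppid[n]]
         }'
}

# Run both checks against the live system (Linux procps column names).
check_live_processes() {
    ps axo pid,ppid,user,args | suspicious_process_paths
    ps axo pid,ppid,user,args | shells_spawned_by_services
}

# Constructed sample listing (not a real capture).
SAMPLE_PS=$(mktemp)
cat > "$SAMPLE_PS" <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  612     1 root     /usr/sbin/sshd -D
  730     1 www-data /usr/sbin/apache2 -k start
 1402   730 www-data /bin/sh -c /dev/shm/.x/kworker
 1403  1402 www-data /dev/shm/.x/kworker
 1500     1 raj      /usr/bin/python3 /tmp/.srv.py
 2310   612 raj      -bash
EOF

echo "Processes running from temporary locations:"
suspicious_process_paths < "$SAMPLE_PS"
echo "Shells spawned by services:"
shells_spawned_by_services < "$SAMPLE_PS"
```

The sample flags PIDs 1402, 1403 and 1500 for their paths and PID 1402 as a shell started by apache2, while raj's login shell (parent sshd) is correctly ignored. Note that a name such as kworker proves nothing either way: kernel threads appear in brackets in ps output and have no path at all, so a path under /dev/shm is what matters here.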

include the status of services, cron, etc., and network services include file transfer, domain name
resolution, firewalls, etc. As an incident responder, you should identify whether there is an anomaly in
the services.

Service

To find any abnormally running services, you can use

service --status-all

The incident responder should look for any suspicious scheduled tasks and jobs. To find the
scheduled tasks, you can use the command below (the per-user crontabs and the /etc/cron.d/ directory
should be checked as well)

cat /etc/crontab

/etc/resolv.conf

To resolve DNS configuration issues and to view the list of keywords with values that provide the
various types of resolver information, you can use

more /etc/resolv.conf

To check the file that maps hostnames or domain names to IP addresses locally (it is consulted before
DNS, which is useful for testing changes to a website or SSL setup and also means any unexpected entry
is worth questioning), you can use

more /etc/hosts

iptables

To check and manage the IPv4 packet filtering and NAT in Linux systems, you can use iptables and
can make use of a variety of commands like:

iptables -L -n

Large Files

To identify any overly large files on your system, with their permissions and location, you can use

find /home/ -type f -size +512k -exec ls -lh {} \;

mtime

As an incident responder, if you want to see anomalous files that have been modified within the last 2
days, you can use the command

find / -mtime -2 -ls
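As an added example that is not part of the original cheatsheet, the script below wraps the two find checks above in functions and runs them against a constructed directory tree (an old back-dated file, a fresh small file and a fresh 600 KiB file), so the effect of -mtime and -size can be seen on known files before the same functions are pointed at / or /home on a real system. The directory names are made up.

```shell
#!/bin/sh
# Added example: the large-file and recently-modified checks as functions,
# demonstrated on a constructed temporary tree.

# Regular files under $1 modified within the last N days (N = $2, default 2).
recent_files() {
    find "$1" -type f -mtime "-${2:-2}"
}

# Regular files under $1 larger than 512 KiB, with permissions and location.
large_files() {
    find "$1" -type f -size +512k -exec ls -lh {} \;
}

# Build the constructed tree.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/raj/.cache"
printf 'old notes\n' > "$DEMO/raj/old.txt"
touch -t 202001010000 "$DEMO/raj/old.txt"        # back-date to 1 Jan 2020
printf 'fresh notes\n' > "$DEMO/raj/notes.txt"
dd if=/dev/zero of="$DEMO/raj/.cache/blob.bin" bs=1024 count=600 2>/dev/null

echo "Modified in the last 2 days:"; recent_files "$DEMO"
echo "Larger than 512 KiB:";         large_files "$DEMO"
```

The back-dated file drops out of the recent list while the fresh files, including the one hidden under a dot-directory, appear; only blob.bin crosses the size threshold. Keep in mind that -mtime reads the modification time from the filesystem, which an attacker with write access can reset with touch, so absence from the recent list is weaker evidence than presence in it.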

extremely vital to identify the overall picture of a system network and its health.

ifconfig

To obtain the network activity information, you can use various commands.

ifconfig

To see all the network interfaces, you can use

ifconfig -a

Open files

To list all processes that have open network connections or listening ports, with their PIDs, you can use

lsof -i

To display all sockets and listening ports, with the owning process, use

netstat -nap
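As an added example that is not part of the original cheatsheet, the following script turns the netstat check into a comparison against what the host is expected to expose: listening ports outside an allowlist, and established connections to addresses outside a given internal prefix. It reads a "netstat -nap"-style listing from stdin (assumed TCP column layout: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program), and the embedded listing is constructed with documentation-range addresses.

```shell
#!/bin/sh
# Added example: screen a netstat -nap style listing. Both functions read the
# listing from stdin; pipe live output or redirect a saved file into them.

# Listening TCP ports not in the space-separated allowlist given as $1,
# printed as "port pid/program".
unexpected_listeners() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok)) print port, $7
        }'
}

# Established connections whose remote address does not start with the
# prefix given as $1, printed as "local remote pid/program".
external_connections() {
    awk -v prefix="$1" '$6 == "ESTABLISHED" && index($5, prefix) != 1 { print $4, $5, $7 }'
}

# Constructed sample listing (not a real capture).
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      702/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      730/apache2
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1403/kworker
tcp        0      0 192.0.2.10:22           192.0.2.25:40022        ESTABLISHED 2310/sshd:
tcp        0      0 192.0.2.10:51300        203.0.113.45:443        ESTABLISHED 1403/kworker
EOF

echo "Listeners outside the allowlist (22 80 3306):"
unexpected_listeners "22 80 3306" < "$SAMPLE_NETSTAT"
echo "Connections outside 192.0.2.0/24:"
external_connections "192.0.2." < "$SAMPLE_NETSTAT"
```

On the sample, port 4444 and the outbound connection to 203.0.113.45:443 are reported, both owned by the same PID. An allowlist needs to come from the host's documented role; netstat -nap only shows program names when run as root, so run the collection with sufficient privilege or the PID/Program column will be empty.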

arp

To display the system ARP cache, you can type

arp -a

path

$PATH holds the list of directories that tells the shell where to search for executable files. To check
which directories are in your path, you can use

echo $PATH
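Reading echo $PATH tells you the entries but not which of them are dangerous. As an added example that is not part of the original cheatsheet, this function inspects a PATH string for the entries a responder cares about: empty entries and "." (both resolve to the current directory, so a planted file in any directory the user visits can shadow a command) and absolute directories that are world-writable. The sample PATH strings are constructed; the world-writable test uses the permission string from ls -ld.

```shell
#!/bin/sh
# Added example: report risky entries in a PATH-style string given as $1.

path_warnings() {
    # Split on ':' with tr so that empty entries ("::" or a trailing ':')
    # survive, which a plain for-loop over $IFS splitting would not guarantee.
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        case "$d" in
            "")
                echo "empty entry (resolves to the current directory)" ;;
            /*)
                # 9th character of the mode string is the "other" write bit.
                if [ -d "$d" ] && [ "$(ls -ld "$d" | cut -c9)" = "w" ]; then
                    echo "world-writable directory: $d"
                fi ;;
            *)
                echo "relative entry: $d" ;;
        esac
    done
}

# Check the PATH of the current shell.
check_current_path() {
    path_warnings "$PATH"
}

echo "Constructed PATH with an empty entry and '.':"
path_warnings "/usr/local/bin:/usr/bin::/bin:.:/tmp"
echo "Current shell PATH:"
check_current_path
```

A clean PATH produces no output. Remember that the PATH of the shell you are typing into is not necessarily the PATH of the account or service under investigation: check the user's shell start-up files and the environment of long-running processes (readable from /proc/PID/environ as root) as well.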
