Table of Contents

Review Running Processes

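# Snapshot every process on the host with its owner, PID, start time and full
# command line. BSD-style options are written without a dash: procps reads
# "ps -aux" as "-a -u x" (processes of a user named x) and only falls back to
# "aux", with a warning, when no such user exists.
sudo ps aux
# Show the files, libraries and sockets that one process holds open. 123 is a
# placeholder: substitute the PID of the process under review.
sudo lsof -p 123
# List which services are enabled per runlevel. chkconfig is the SysV-init
# tool; on a systemd host the comparable listing is
# "systemctl list-unit-files --type=service".
chkconfig --list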

Search for Abnormal Files

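# Set-UID files owned by root. Compare the result with a known-good baseline:
# an entry that is not part of the installed system deserves a closer look.
sudo find / -uid 0 -perm -4000 -print
# Files larger than 10000 KiB. The "+" matters: without it find matches only
# files whose size rounds to exactly 10000 KiB, which misses almost everything.
sudo find / -size +10000k -print
# Names that consist of a space, or of dots followed by a space. They look
# like blank or like "." / ".." in a directory listing, so they are easy to
# overlook when reviewing a directory by eye.
sudo find / -name " " -print
sudo find / -name ".. " -print
sudo find / -name ". " -print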

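# Open files whose link count is below 1, i.e. files that have been unlinked
# from the directory tree but are still held open by a running process.
# "+L1" is the lsof option for this ("+:1" is not a valid option). Run as root
# so that files opened by other users' processes are included.
sudo lsof +L1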

# Verify the files of every installed package against the RPM database and
# sort the report. Each output line names a file whose attributes no longer
# match what the package recorded at install time.
# Applies to RPM-based distributions only. The database being compared against
# lives on the host under examination, so treat a clean report as supporting
# evidence rather than proof.
rpm --verify --all | sort

Check Network Usage

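# Interfaces flagged as promiscuous. NOTE(review): the PROMISC flag is
# reported when the mode was set on the interface itself; a capture opened
# through a packet socket may only appear as a non-zero "promiscuity" counter
# in "ip -d link" - check both.
ip link | grep PROMISC
# All sockets, numeric addresses, with the owning PID/program. Run as root:
# without it the PID/program column is blank for other users' processes.
sudo netstat -nap
# Every open network file, per process. Root is needed for the same reason.
sudo lsof -i
# ARP cache: look for unexpected hosts or several IPs sharing one MAC address.
arp -a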

Review Scheduled Tasks

# root's own crontab.
sudo crontab -l -u root
# The system-wide cron table.
cat /etc/crontab
# Drop-in directories (cron.d, cron.daily, cron.hourly, ...).
# These three commands cover root and the system tables only; other users'
# crontabs, at jobs and systemd timers are separate places to review.
ls /etc/cron.*

Check for Bogus Accounts

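# All local accounts ordered by numeric UID, so that newly added low UIDs and
# duplicate UIDs stand out.
sudo sort -nk3 -t: /etc/passwd | less
# Accounts whose UID (field 3) is 0. Comparing the field itself avoids the
# false hits of a ':0+:' pattern, which also matches accounts that merely have
# GID 0; it also replaces egrep, which GNU grep has deprecated.
sudo awk -F: '$3 == 0' /etc/passwd
# Same check through NSS, so accounts served by LDAP/NIS/sssd are included.
sudo getent passwd | awk -F: '$3 == 0'
# Files whose owner UID has no entry in the passwd database, e.g. left behind
# by an account that was created and then removed.
sudo find / -nouser -print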

Review Logs

# entered promiscuous mode
# logon failures
# rpc program log entries containing a large number (> 20) of strange characters
# errors
# reboots and app restarts

Check System Performance

# Load average over the last 1, 5 and 15 minutes; sustained load with no
# known cause is worth tracing back to a process.
sudo uptime
# Memory and swap in use.
sudo free
# Space used per mounted filesystem; unexplained growth can point to staged
# data or runaway logging.
sudo df