3/3/2024
Module 10
Incident Response with Linux
Thu Ya
User accounts:
Directory: /etc/passwd
Command to be used:
The command below uses ‘cat’ to read /etc/passwd; its output is then
exported to a ‘[Link]’ file for later analysis.
cat /etc/passwd
Modifications to passwords
• Directory: /etc/shadow
• Command used:
• cat /etc/shadow
Information about groups:
• Directory: /etc/group
• Command used:
• cat /etc/group
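Reading the three files is only the first step; the analyst then has to pick out what is abnormal in them. The POSIX shell functions below are an added example (not part of the original slides) that apply the usual triage checks: extra UID-0 accounts and interactive shells in /etc/passwd, empty or recently changed password fields in /etc/shadow, and membership of privileged groups in /etc/group. The file contents are constructed samples; the account names, UIDs, hashes and day counts are illustrative. On a live host the samples would be replaced with the real file contents (for example "$(cat /etc/shadow)" as root).

```shell
#!/bin/sh
# Constructed sample of /etc/passwd (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
svc:x:1001:1001::/var/lib/svc:/bin/bash'

# Constructed sample of /etc/shadow: field 2 is the hash (a placeholder
# here), field 3 is the day of the last change (days since 1970-01-01).
SAMPLE_SHADOW='root:$6$salt$hash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$salt$hash:19700:0:99999:7:::
backdoor::19780:0:99999:7:::
svc:$6$salt$hash:19782:0:99999:7:::'

# Constructed sample of /etc/group.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,svc
adm:x:4:syslog,alice
docker:x:999:svc'

# Accounts with UID 0 other than root: any hit is a second superuser.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that can log in interactively (shell is not nologin or false).
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Accounts whose password field is empty, i.e. no password is required.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts whose password changed within the last $3 days, with "today"
# given as a day count ($2) so the result is reproducible.
recently_changed_accounts() {
    printf '%s\n' "$1" | awk -F: -v today="$2" -v days="$3" \
        '$3 != "" && (today - $3) <= days { print $1 }'
}

# Members of groups that grant elevated privileges (sudo, wheel, admin,
# docker), printed as "group: member,member".
privileged_group_members() {
    printf '%s\n' "$1" | awk -F: \
        '$1 ~ /^(sudo|wheel|admin|docker)$/ && $4 != "" { print $1 ": " $4 }'
}

# Stand-alone run over the constructed samples.
echo "Extra UID-0 accounts:";      uid0_accounts "$SAMPLE_PASSWD"
echo "Interactive accounts:";      interactive_accounts "$SAMPLE_PASSWD"
echo "Empty passwords:";           empty_password_accounts "$SAMPLE_SHADOW"
echo "Changed in last 7 days:";    recently_changed_accounts "$SAMPLE_SHADOW" 19785 7
echo "Privileged group members:";  privileged_group_members "$SAMPLE_GROUP"
```

The last-change day in /etc/shadow is compared against a day count passed in by the caller; on a live system it would be computed from the current date, but passing it explicitly keeps the check reproducible when the same evidence is reviewed later.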
Information about sudo permissions:
• Directory: /etc/sudoers
• Command used:
• cat /etc/sudoers
Display list of all running processes:
• Command used:
• ps aux
Display specific user’s processes:
• Command used:
• ps -u username
Display a process tree:
• Command used:
• pstree
Display a specific process by name:
• Command used:
• ps -ef | grep process_name
Display a specific process by PID (Process ID):
• Command used:
• ps -p PID
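The ps and pstree commands above produce the raw listing; during an incident two questions usually follow: which processes run from locations no packaged software uses, and what did a given process spawn. The following shell functions are an added example, not part of the original slides, and work over a constructed listing in the shape of `ps -eo pid,ppid,user,args --no-headers` (the PIDs, users and paths are made up). The second function rebuilds the parent/child relation from the PPID column, which is what pstree does graphically.

```shell
#!/bin/sh
# Constructed sample resembling `ps -eo pid,ppid,user,args --no-headers`.
SAMPLE_PS='1 0 root /sbin/init
2 0 root [kthreadd]
845 1 root /usr/sbin/sshd -D
1203 845 alice sshd: alice@pts/0
1204 1203 alice -bash
1301 1 www-data /usr/sbin/apache2 -k start
1422 1 alice /tmp/.x/svc
1510 1204 alice /dev/shm/update -c'

# Processes whose executable lives in a world-writable scratch directory
# (/tmp, /var/tmp, /dev/shm), printed as "pid user command...".
processes_from_tmp() {
    printf '%s\n' "$1" | awk '$4 ~ "^/(tmp|var/tmp|dev/shm)/" {
        printf "%s %s", $1, $3
        for (i = 4; i <= NF; i++) printf " %s", $i
        printf "\n"
    }'
}

# PIDs of every descendant (children, grandchildren, ...) of PID $2,
# walking the PPID column up to the root; a text-only pstree subtree.
descendants_of() {
    printf '%s\n' "$1" | awk -v root="$2" '
        { ppid[$1] = $2 }
        END {
            for (p in ppid) {
                q = p
                while (q in ppid && ppid[q] != 0) {
                    if (ppid[q] == root) { print p; break }
                    q = ppid[q]
                }
            }
        }' | sort -n
}

# Stand-alone run over the constructed listing.
echo "Running from scratch directories:"; processes_from_tmp "$SAMPLE_PS"
echo "Descendants of sshd (845):";        descendants_of "$SAMPLE_PS" 845
```

On a live host the listing would come from `ps -eo pid,ppid,user,args --no-headers` itself; the functions only need the four leading columns in that order.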
Important log locations:
General Logs:
• Directory: /var/log/messages
• Command used:
• cat /var/log/messages
Authentication logs
• Directory: /var/log/[Link]
• Command used:
• cat /var/log/[Link]
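Printing the authentication log with cat is rarely enough on its own; the useful questions are who failed to log in, from where, and whether a source that was failing eventually succeeded. The functions below are an added example (not from the original slides) that answer those questions over constructed syslog-style sshd and sudo lines; the hostnames, PIDs and documentation-range addresses are made up. On a real host the sample would be replaced with the log file contents.

```shell
#!/bin/sh
# Constructed auth-log lines in syslog format (not from a real incident).
SAMPLE_AUTH='Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:19 host sshd[1203]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:02:01 host sshd[1210]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:05:44 host sshd[1220]: Accepted publickey for root from 203.0.113.5 port 51300 ssh2
Mar  3 10:06:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow'

# Failed SSH logins per source address, busiest first, as "count ip".
failed_logins_by_source() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Source addresses that failed at least once and later produced an
# Accepted line: the "many failures, then a success" pattern.
successful_after_failures() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
        }
        /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && ($(i + 1) in failed)) print $(i + 1)
        }' | sort -u
}

# Commands executed through sudo, as "user command".
sudo_commands() {
    printf '%s\n' "$1" | awk -F'sudo: +' '/ sudo: / {
        split($2, f, " : ")
        cmd = $2; sub(/.*COMMAND=/, "", cmd)
        print f[1], cmd
    }'
}

# Stand-alone run over the constructed lines.
echo "Failed logins by source:";      failed_logins_by_source "$SAMPLE_AUTH"
echo "Success after failures from:";  successful_after_failures "$SAMPLE_AUTH"
echo "sudo commands:";                sudo_commands "$SAMPLE_AUTH"
```

The functions locate the address by the literal "from" token rather than by a fixed column, because the "invalid user" variant of the Failed line has two extra fields before it.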
Kernel logs
• Directory: /var/log/[Link]
• Command used:
• cat /var/log/[Link]
Crond logs from cron jobs
• Directory: /var/log/[Link]
• Command used:
• cat /var/log/[Link]
Apache access logs directory
• Directory: /var/log/apache2
• Command used:
• cat /var/log/apache2/[Link]
• cat /var/log/apache2/[Link]
• cat /var/log/apache2/other_vhosts_access.log
System boot log
• Directory: /var/log/[Link]
• Command used:
• cat /var/log/[Link]
Syslog
• Directory: /var/log/syslog
• Command used:
• cat /var/log/syslog
Socket statistics (ss) command:
List UDP sockets
• ss -u
List TCP sockets
• ss -t
List listening sockets
• ss -l
List out suspicious connections
• ss -tp state established dport = :[port number in question]
• ss -tp state established dport = :443
This command will list all active connections.
• ss state established
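The `dport = :443` filter above selects connections by destination port on the command line; the same selection, plus a second check that the filter cannot express directly, can be done over saved ss output when the evidence is reviewed offline. The functions below are an added example (not part of the original slides) working on a constructed listing in the shape of `ss -tnp state established`; with a state filter ss prints no State column, so the fields are Recv-Q, Send-Q, local address:port, peer address:port and process. The addresses, ports and PIDs are made up.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -tnp state established`
# (not captured from a real host).
SAMPLE_SS='Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0      0      10.0.0.5:22      198.51.100.7:40002  users:(("sshd",pid=1203,fd=4))
0      0      10.0.0.5:44312   203.0.113.9:443     users:(("curl",pid=1510,fd=3))
0      0      10.0.0.5:51000   203.0.113.9:4444    users:(("update",pid=1522,fd=5))'

# Connections whose peer (destination) port equals $2, the same selection
# as `ss -tp state established dport = :443`, printed as "peer pid=N".
# The port is taken as the last colon-separated component so that IPv6
# literals such as [::1]:443 are handled as well.
connections_to_dport() {
    printf '%s\n' "$1" | awk -v port="$2" 'NR > 1 {
        n = split($4, peer, ":")
        if (peer[n] == port) {
            pid = "pid=?"
            if (match($5, /pid=[0-9]+/)) pid = substr($5, RSTART, RLENGTH)
            print $4, pid
        }
    }'
}

# Outbound connections (local port in the default Linux ephemeral range,
# 32768 and above) whose peer port is not in the space-separated allowlist
# $2. Inbound sessions such as the sshd one are skipped on purpose: their
# peer port is the client's ephemeral port and would always look unexpected.
outbound_to_unexpected_ports() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 {
            l = split($3, local, ":"); p = split($4, peer, ":")
            if (local[l] + 0 >= 32768 && !(peer[p] in ok)) {
                pid = "pid=?"
                if (match($5, /pid=[0-9]+/)) pid = substr($5, RSTART, RLENGTH)
                print $4, pid
            }
        }'
}

# Stand-alone run over the constructed listing.
echo "Connections to port 443:";        connections_to_dport "$SAMPLE_SS" 443
echo "Outbound to unexpected ports:";   outbound_to_unexpected_ports "$SAMPLE_SS" "22 80 443"
```

The -n option matters when the output is saved: without it ss replaces well-known port numbers with service names, and the numeric comparison above would no longer match.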
Login information:
Listing out command history:
• Command used:
• history
List of last logged in users:
• Command used:
• last -awx
List/print the current user logged in on an endpoint:
• Command used:
• logname
List of services
List all the active services on an endpoint:
• Command used:
• service --status-all | grep 'service name'
List all the services on an endpoint:
• Command used:
• service --status-all
Network Artifacts:
Processes running on listening port:
• Command used:
• lsof -i
Check for any unusual arp entries:
• Command used:
• arp -a
Finding unknown files modified within the last 2 days that match a specific
string, and then parsing the output to a text file.
• Commands used:
• Note: In this case, we were searching for the string — update.
• find / -mtime -2 -ls | grep 'update'
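To show what the find/grep pipeline above actually returns, and how the result is parsed to a text file, the following script is an added example (not part of the original slides). It builds a throwaway directory tree with one backdated file and two fresh ones, runs the same `find -mtime -2 -ls | grep` search restricted to that tree, and writes the listing to a report file. The directory layout and file names are constructed for the demonstration; on a real host the search root would be / as on the slide.

```shell
#!/bin/sh
# Build a throwaway tree (constructed, not evidence from any host) whose
# timestamps simulate one legitimate old file and two recent changes.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/opt/app" "$dir/tmp/.cache"
    printf 'installed long ago\n' > "$dir/opt/app/update.sh"
    printf 'changed recently\n'   > "$dir/tmp/.cache/update"
    printf 'unrelated\n'          > "$dir/tmp/notes.txt"
    # Backdate the legitimate file far outside the window (POSIX touch -t).
    touch -t 202001010000 "$dir/opt/app/update.sh"
    printf '%s\n' "$dir"
}

# Regular files under $1 modified in the last $2 days whose -ls listing
# contains $3: the slide's `find / -mtime -2 -ls | grep 'update'` limited
# to one tree.
recent_files_matching() {
    find "$1" -type f -mtime "-$2" -ls | grep -- "$3"
}

# Same search, with the listing written to the report file $4 and the
# report path printed, i.e. the "parse the output to a text file" step.
recent_files_report() {
    recent_files_matching "$1" "$2" "$3" > "$4"
    printf '%s\n' "$4"
}

# Stand-alone run against the sample tree, then clean up.
root=$(make_sample_tree)
report=$(recent_files_report "$root" 2 update "$root/report.txt")
echo "Report written to $report:"
cat "$report"
rm -rf "$root"
```

Only the fresh file whose name contains "update" appears in the report; the backdated update.sh is excluded by -mtime and notes.txt by the grep, which is the behaviour the slide's one-liner relies on when run against the whole filesystem.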
Examining IPtables and UFW (Uncomplicated Firewall)
UFW — Block an IP address — blocking the source address
• Command used:
• ufw deny from [Link]
UFW — Block an IP address — blocking the destination address.
• Command used:
• ufw deny to [Link]
IPtables — List all rules.
• Command used:
• iptables --list-rules
IPtables — Block an IP on IPtables (INPUT chain)
• Command used:
• Note : INPUT chain is responsible for handling incoming packets to
the local system. Basically, this is a command to drop packets from
external IP addresses to internal resources.
• iptables -A INPUT -s [Link] -j DROP
IPtables — Allow an IP on IPtables (INPUT chain)
• Command used:
• Note: INPUT chain is responsible for handling incoming packets to the
local system. Basically, this is a command to accept packets from
external IP addresses to internal resources.
• iptables -A INPUT -s [Link] -j ACCEPT
IPtables — Block an IP on IPtables (OUTPUT chain)
• Command used:
• Note: OUTPUT chain is responsible for handling outgoing packets.
• iptables -A OUTPUT -s [Link] -j DROP
IPtables — Allow an IP on IPtables (OUTPUT chain)
• Command used:
• Note: OUTPUT chain is responsible for handling outgoing packets.
• iptables -A OUTPUT -s [Link] -j ACCEPT
CRON Jobs :
To list and examine all cron jobs:
• Command used:
• crontab -l
To list all cron jobs associated with a specific user name
• In this case, we have used “root”
• Command used:
• crontab -l -u root
Check cron jobs on the whole system:
• Directory: /etc/crontab
• Command used:
• cat /etc/crontab
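Listing cron jobs with crontab -l and cat /etc/crontab gives two slightly different formats: the system crontab carries a user column after the five time fields, a user's own crontab does not. The functions below are an added example (not part of the original slides) that parse both forms into "user command" lines and then flag the entries an analyst would look at first: commands that run from /tmp, /var/tmp or /dev/shm, or from a hidden directory. Both crontab samples are constructed; the schedules, users and paths are illustrative.

```shell
#!/bin/sh
# Constructed sample in the format of /etc/crontab (has a user column).
SAMPLE_CRONTAB='# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /tmp/.cache/update >/dev/null 2>&1
@reboot         www-data /var/www/html/.s/run.sh
0 3     * * *   backup  /usr/local/bin/backup.sh'

# Constructed sample of a per-user crontab as printed by `crontab -l -u alice`
# (no user column).
SAMPLE_USER_CRONTAB='0 * * * * /home/alice/bin/sync.sh
@daily /dev/shm/.k/run'

# Print every job as "user command". With a second argument the input is
# treated as that user's own crontab (no user column); without it, as the
# system crontab. Comments, blank lines and VAR=value lines are skipped,
# and @reboot/@daily style schedules occupy one field instead of five.
cron_entries() {
    printf '%s\n' "$1" | awk -v owner="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            special = ($1 ~ /^@/)
            if (owner != "") { user = owner; start = special ? 2 : 6 }
            else             { user = special ? $2 : $6; start = special ? 3 : 7 }
            cmd = $start
            for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
            print user, cmd
        }'
}

# Jobs whose command references a world-writable scratch directory or a
# hidden path component ("/.name"), the usual places for persistence.
suspicious_cron_entries() {
    cron_entries "$1" "$2" | awk '$0 ~ "/(tmp|var/tmp|dev/shm)/" || $0 ~ "/\\.[^/ ]"'
}

# Stand-alone run over the constructed samples.
echo "System crontab jobs:";            cron_entries "$SAMPLE_CRONTAB"
echo "Suspicious system jobs:";         suspicious_cron_entries "$SAMPLE_CRONTAB"
echo "Suspicious jobs for alice:";      suspicious_cron_entries "$SAMPLE_USER_CRONTAB" alice
```

The same parser can be pointed at the drop-in files under /etc/cron.d, which use the system-crontab format with a user column, and at each user's crontab in turn.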
Display a snapshot of currently mounted filesystems on a Linux system.
• Directory: /proc/mounts
• Command used:
• cat /proc/mounts
Display SSH configuration information:
• Directory — /etc/ssh
• Check whether any config changes have been made or new config files
have been added in this directory.
• cat /etc/ssh/sshconfig
• cat /etc/ssh/sshconfig.d