June 15, 2024

Network forensics

How to find who’s doing what on your boxes:

What it is                            What it does
------------------------------------  ------------------------------------------------------------
find / -user youruser                 finds all files owned by "youruser"
find /directory_path -mtime -1 -ls    finds files changed in the past 24 hours
(command not in source)               shows what processes are using CPU/memory etc.
iftop -i eth0                         shows traffic on eth0 in real time
iptables -L                           shows what your firewall rules are
kill 1234                             kills the process with PID 1234. You find the PID with
                                      "ps aux | grep whateverprocessname"
lsof -i                               shows open network connections and which process on your box
                                      owns each, i.e. who's connecting to what
netstat -plnt                         shows what processes are listening on what port, and what
                                      PID they are
ps aux | grep apache2                 shows what apache2 processes are running, in case you want
                                      to kill them
(command not in source)               shows who's logged in
Where to look                         What to look for
------------------------------------  ------------------------------------------------------------
/var/log/auth.log                     successful logins, especially as user 'root'. You can search
                                      in vi by pressing '/' and typing what you want to find
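As an added example (not part of the original note), a small POSIX shell helper that pulls the successful SSH logins out of auth.log and then keeps only the root ones; it assumes the traditional syslog line format shown in the constructed sample below, and the function names and sample lines are my own.

```shell
#!/bin/sh
# Constructed sample auth.log lines (made up for this example, not from a real host).
SAMPLE_AUTH_LOG='Jun 15 03:12:01 host sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 15 03:12:09 host sshd[2231]: Accepted password for root from 203.0.113.7 port 51234 ssh2
Jun 15 08:01:44 host sshd[2402]: Accepted publickey for alice from 192.0.2.10 port 40110 ssh2
Jun 15 08:02:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jun 15 09:30:00 host sshd[2510]: Accepted password for bob from 198.51.100.5 port 33000 ssh2'

# Print every successful SSH login as: "Mon DD HH:MM:SS method user=NAME from=IP".
# Usage: successful_logins [logfile]; reads stdin when no file is given.
# Assumes classic syslog timestamps, so the fields are:
#   $1-$3 date/time, $5 sshd[pid]:, $7 auth method, $9 user, $11 source IP.
successful_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $1" "$2" "$3, $7, "user="$9, "from="$11 }' "${1:--}"
}

# Only the successful logins as root, the case the note above says to check first.
# Field 5 of successful_logins output is the "user=NAME" column.
root_logins() {
    successful_logins "$@" | awk '$5 == "user=root"'
}

# Stand-alone run over the constructed sample: the first Failed line is ignored,
# and only the root login at 03:12:09 is reported.
printf '%s\n' "$SAMPLE_AUTH_LOG" | root_logins
```

To use it on a real host, run `root_logins /var/log/auth.log` (or `successful_logins` for every user) instead of piping in the sample.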