This is the 19th day of my participation in the Genwen Challenge

Check the account

Check whether a new user exists

Check whether there is an account whose UID and GID are 0. If the UID is 0, the user has the root permission

View the user with root permission

View the modification date of the user file

The user who checks to see if the password is empty.

Check the log

Logs are very important for security. They record all kinds of things that happen to the system every day. You can use them to check the cause of errors or the traces left by attackers when they are attacked. Logs provide the following functions: Audit and monitoring. It can also monitor system status in real time, monitor and track intruders and so on.

Look at the last 10 entries in the log

Current Events Update log

View all open ports

View the login time of the latest user

View login failure records

View the last login of the user

Check the process

View all processes, especially those whose UID is 0

View the open file of the process (-p followed by PID)

View the daemon file

Check the startup process

Check the system

Check the file

When a website is invaded, it is usually certain that some files have been changed. You can check whether the files have been changed by comparing the creation time, integrity, and file path.

Find the root user’s file

View files larger than 10 MB

Check scheduled Tasks

View the scheduled tasks for root

View the configuration file of a scheduled task

Check the history command tasks

Look at the **. Bash_history file in the user’s home directory or use the history** command