Linux Commands � Security Reference

// Navigation & File System

Command	Description
`pwd`	Print current working directory
`ls -la`	List all files including hidden, with permissions and timestamps
`ls -laht`	Same but sorted by modification time � newest first
`cd /path`	Change directory
`find / -name "*.sh" 2>/dev/null`	Find all shell scripts on the system
`find / -mtime -1 2>/dev/null`	Find files modified in the last 24 hours
`find / -perm -4000 2>/dev/null`	Find all SUID binaries � potential privilege escalation paths
`find /tmp /var/tmp /dev/shm -type f`	Look for files in common malware drop locations
`stat filename`	Full metadata � access, modify, change timestamps and inode info
`file filename`	Identify file type by magic bytes (ignore the extension)
`du -sh /path/*`	Disk usage by subdirectory � spot abnormally large directories
`df -h`	Disk space per filesystem � check for unexpected full disks

// Users & Permissions

Command	Description
`id`	Current user's UID, GID, and group memberships
`whoami`	Current username
`w`	Who is currently logged in and what they're running
`last`	Recent logins from `/var/log/wtmp`
`lastb`	Failed login attempts from `/var/log/btmp`
`cat /etc/passwd`	All user accounts � look for unexpected shell users or unusual UIDs
`cat /etc/shadow`	Password hashes (root only) � check for recently changed passwords
`cat /etc/group`	Group memberships � check sudo, wheel, docker groups for unexpected members
`sudo -l`	What commands current user can run via sudo
`cat /etc/sudoers`	Sudo configuration � look for NOPASSWD entries
`getent passwd \| awk -F: '$3==0'`	Find all UID 0 (root-equivalent) accounts
`chage -l username`	Password expiry and last change date for a user

// Processes & Services

Command	Description
`ps aux`	All running processes with user, PID, CPU, memory, command
`ps auxf`	Same but showing parent-child tree relationships
`top` / `htop`	Live process monitor � useful for spotting high CPU processes
`ls -la /proc/PID/exe`	Resolve the executable path for a running process by PID
`cat /proc/PID/cmdline \| tr '\0' ' '`	Full command line for a running process (even if renamed)
`ls /proc/PID/fd`	Open file descriptors for a process � network sockets, files
`lsof -p PID`	All files and sockets opened by a specific process
`lsof -i :PORT`	Which process is listening on a specific port
`kill -9 PID`	Force-kill a process by PID
`systemctl list-units --type=service`	All systemd services and their status
`systemctl status servicename`	Status, recent logs, and binary path of a service
`journalctl -u servicename`	Full systemd journal for a specific service

// Network Commands

Command	Description
`ss -tulpn`	All listening TCP/UDP ports with process names � replacement for netstat
`ss -anp`	All active connections with PIDs
`netstat -tulpn`	Older equivalent of ss � still common on older systems
`ip addr`	All network interfaces and IP addresses
`ip route`	Routing table � look for unexpected routes
`arp -a`	ARP cache � IP to MAC mappings for recently contacted hosts
`cat /etc/hosts`	Local hostname resolution � check for redirected domains (malware persistence)
`cat /etc/resolv.conf`	DNS server configuration � check for rogue DNS server
`ping -c 4 host`	Test connectivity to a host
`traceroute host`	Trace path to host � identify routing anomalies
`dig @8.8.8.8 domain.com`	DNS lookup using specific resolver � check against your DNS
`tcpdump -i eth0 -w cap.pcap`	Capture live traffic to a file for analysis in Wireshark

// Log Analysis

Key log files

File	Contents
`/var/log/auth.log`	SSH logins, sudo usage, PAM events (Debian/Ubuntu)
`/var/log/secure`	Same as auth.log for RHEL/CentOS
`/var/log/syslog`	General system messages � services starting, cron jobs, kernel messages
`/var/log/messages`	RHEL equivalent of syslog
`/var/log/kern.log`	Kernel messages � hardware errors, module loading
`/var/log/cron`	Cron job execution log
`/var/log/apache2/access.log`	Web server access log � look for exploitation attempts
`/var/log/apache2/error.log`	Web server error log
`~/.bash_history`	Shell history per user � often tampered with by attackers

Log search commands

Bash

# Failed SSH logins
grep "Failed password" /var/log/auth.log | tail -50

# Successful SSH logins
grep "Accepted" /var/log/auth.log | tail -50

# Sudo commands run
grep "sudo:" /var/log/auth.log | grep "COMMAND"

# Login attempts by IP frequency
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn | head 20

# All cron jobs executed
grep "CRON" /var/log/syslog | tail -30

// File Investigation

Command	Description
`md5sum filename`	MD5 hash of a file � compare against known good or threat intel
`sha256sum filename`	SHA-256 hash � preferred for threat intel lookups
`strings filename`	Extract printable strings from a binary � URLs, IPs, error messages
`strings -a filename \| grep -E "https?://"`	Extract URLs embedded in a file
`xxd filename \| head -20`	Hex dump � check magic bytes to identify file type
`objdump -d binary`	Disassemble a compiled binary
`ldd binary`	Shared libraries a binary links against
`strace -p PID`	System calls made by a running process in real time
`ltrace binary`	Library calls � useful for malware behaviour analysis
`readelf -h binary`	ELF header information � architecture, entry point, sections

// Persistence Hunting

These are the locations attackers commonly use to maintain persistence on Linux systems. Check all of these during an investigation.

Bash � Persistence locations to audit

# Cron jobs for all users
for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u $user 2>/dev/null && echo "^ $user"; done

# System-wide cron
ls -la /etc/cron* /var/spool/cron/

# Systemd user services
find /etc/systemd /usr/lib/systemd ~/.config/systemd -name "*.service" 2>/dev/null | xargs ls -la

# SSH authorized keys (all users)
find / -name "authorized_keys" 2>/dev/null

# SUID binaries (custom or modified)
find / -perm -4000 -type f 2>/dev/null | sort

# World-writable directories
find / -xdev -type d -perm -0002 2>/dev/null | grep -v /proc

# Startup scripts
ls -la /etc/init.d/ /etc/rc.local /etc/profile.d/

# Aliases and shell config
grep -r "alias\|export\|source" /etc/profile /etc/bashrc /etc/bash.bashrc ~/.bashrc ~/.profile 2>/dev/null

// Investigation One-liners

Useful combinations for rapid triage during an incident.

Bash � Quick triage one-liners

# Who is logged in and what are they running?
w

# What processes have established outbound network connections right now?
ss -tnp state established

# Which process is listening on a suspicious port?
lsof -i :4444

# Files created in /tmp in the last hour
find /tmp -type f -mmin -60

# Check if bash history has been cleared (sign of cleanup)
wc -l ~/.bash_history

# Find files owned by root but world-writable
find / -user root -perm -o+w 2>/dev/null | grep -v /proc

# All users who have logged in recently
last | head -30

# What services are enabled at boot?
systemctl list-unit-files --state=enabled

# Check /proc for deleted-but-still-running binaries (malware indicator)
ls -la /proc/*/exe 2>/dev/null | grep deleted

Don't trust the tools on a compromised host. Rootkits can modify ps, ls, netstat, and other standard utilities to hide malware. On a suspected compromised system, boot from a trusted live environment or use tools from a read-only external drive, and rely on /proc directly where possible.