# Emergency

Source: Linux应急笔记 (Linux incident-response notes)

## Check status

- Check processes whose CPU usage is above 50%
- Check for weird commands
- `htop` process tree
- Example: a miner process such as `xmrig`
- Check which IPs/hosts the machine is communicating with

## Remove the malware

- Check cron jobs
- `dpkg -S <path>` to check whether the executable belongs to an installed package or not
- Scan the binary file
- Periodic scanning:
  - TODO: maybe we can write a tool to record a baseline and diff it later (git diff?)

```bash
service --status-all
crontab -l
cat /etc/anacrontab
find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 | xargs ls -la
lsmod
```

## Note

Check which program listens on which port:

```bash
sudo lsof -PiTCP -sTCP:LISTEN
```

Check incoming traffic for a given IP. tcpdump sees the flow before iptables on the way in, and after iptables on the way out:

- Inbound: Wire -> NIC -> tcpdump -> iptables
- Outbound: iptables -> tcpdump -> NIC -> Wire

```bash
sudo tcpdump -i eth0 'tcp and port 8763'
```
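The baseline-and-diff tool sketched in the periodic-scanning TODO above, as an added example that is not part of the original notes; it also parameterises the `find -mtime` and `dpkg -S` checks from the same section. It assumes POSIX sh with coreutils (find, sort, sha256sum, diff); the directories are arguments rather than the fixed bin paths listed above, and dpkg is optional.

```shell
#!/bin/sh
# Added example (not from the original notes): a minimal baseline-and-diff
# checker in the spirit of the "record and git diff" TODO.
# Assumptions: POSIX sh with coreutils (find, sort, sha256sum, diff);
# dpkg is optional and only used by unowned_executables.

# snapshot DIR...  -> prints "<sha256>  <path>" for every regular file under
# the given directories, sorted so two snapshots compare line by line.
snapshot() {
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do
        sha256sum "$f" 2>/dev/null
    done
}

# baseline_diff OLD NEW -> prints added/removed/changed lines between two
# snapshot files. Exit status 0 means no drift, 1 means something changed.
baseline_diff() {
    diff "$1" "$2"
}

# recent_files DAYS DIR... -> regular files modified within the last DAYS
# days (the notes' "find ... -mtime -7" check, parameterised).
recent_files() {
    _days=$1; shift
    find "$@" -type f -mtime "-$_days" 2>/dev/null | sort
}

# unowned_executables DIR... -> files under the given directories that no
# installed Debian package claims (dpkg -S fails). Does nothing on systems
# without dpkg. Caveat: on merged-/usr systems query the real path
# (/usr/bin/x rather than /bin/x) or dpkg may report it as unowned.
unowned_executables() {
    command -v dpkg >/dev/null 2>&1 || return 0
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do
        dpkg -S "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# Typical triage use (baseline ideally taken while the host was known-clean):
#   snapshot /usr/bin /usr/sbin /bin /usr/local/bin > /root/baseline.txt
#   ...later...
#   snapshot /usr/bin /usr/sbin /bin /usr/local/bin > /root/now.txt
#   baseline_diff /root/baseline.txt /root/now.txt
```

Commit each snapshot file to a git repository if you want the history and `git diff` the TODO mentions; the diff output then shows exactly which path gained, lost or changed a hash.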