Imagine you’ve just been hacked.
You’re shocked and overwhelmed, and now your boss is breathing down your neck, demanding answers.
You know that you need to act quickly — your company’s bottom line, and maybe your job, depends on it.
But there’s a problem.
As the system administrator, you knew the importance of having an incident response plan in place. But sadly, you weren’t proactive, and now you’re flying blind.
No worries; we’ll help guide you through the initial triage.
As a practical matter, if you can identify the source of the intrusion, consider unplugging it from the network and taking a snapshot of its memory. This information is volatile, so time is of the essence.
If the system is essential for business operations, you’ll have to make the difficult choice of either 1.) keeping it online while you diagnose and address the hack, or 2.) pulling the network cord.
Ultimately, this will be a decision for the stakeholders.
If you can’t identify the source, quickly getting up to speed on how your hosts are configured will help you make more informed decisions.
In this article, we’ll address *nix hosts.
The following section will list the most essential commands to help with the initial triage.
So let’s get to it.
Essential Commands for Incident Response Triage
During an incident response, you should gather as much information as possible to understand the scope and impact of the incident, determine its cause, and plan for remediation.
Here’s a list of information you may want to collect from a *nix host, along with the commands to gather the data:
- System information:
  - Hostname: `hostname`
  - Operating system: `uname -a`
  - Distribution and version: `cat /etc/os-release`
- User and process information:
  - List of users: `cat /etc/passwd`
  - Currently logged-in users: `w`
  - Running processes: `ps aux` or `ps -ef`
- Network information:
  - Network interfaces and IP addresses: `ip addr` or `ifconfig`
  - Listening ports and associated processes: `netstat -tuln` or `ss -tuln` (add `-p` to include the owning process)
  - Active connections: `netstat -tupn` or `ss -tupn`
- File system information:
  - Mounted file systems: `df -h`
  - Directory listings of important locations (e.g., /var/log, /tmp): `ls -l /var/log` and `ls -l /tmp`
- Logs and audit trails:
  - System log: `cat /var/log/syslog` or `cat /var/log/messages`
  - Authentication logs: `cat /var/log/auth.log` or `cat /var/log/secure`
  - Cron logs: `cat /var/log/cron.log`
  - Custom application logs (depends on your application's log location)
- Bash history:
  - Bash history for each user: `cat /home/username/.bash_history` (replace "username" with the actual usernames)
- Security tools output:
  - Check for rootkits: use tools like `chkrootkit` or `rkhunter`
  - Analyze the system for malware: use tools like `clamscan` (from ClamAV)
- Other important information:
  - Installed packages: `dpkg -l` (Debian/Ubuntu) or `rpm -qa` (Red Hat/CentOS)
  - Scheduled tasks: `crontab -l` (for each user) and `cat /etc/crontab`
  - Startup services: `systemctl list-unit-files --type=service` or `chkconfig --list`
Remember to run these commands as a privileged user (e.g., root) to ensure you can access all necessary information.
You may need to modify the commands depending on your Linux distribution and version.
Additionally, consider collecting this information in a structured way, such as creating a script to automate the data-gathering process and output the information to a single file or a series of files for analysis.
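One way to do that, as an added example rather than the article's own script: a POSIX sh collector that runs the checks above, stores one file per command, keeps a manifest of what ran (and which tool was missing on this host), copies the authentication and system logs with their timestamps intact, and hashes the bundle. It assumes a POSIX sh, the output directory name you pass in, and that you run it as root for complete results.

```shell
#!/bin/sh
# Added example (not the article's script): collect the triage data listed above
# into one directory, one file per command, plus a manifest and a hash list.
# Assumes POSIX sh; absent tools are recorded as MISSING instead of aborting.
# run_check NAME CMD... : save CMD's output to $OUT/NAME.txt and log its exit code.
run_check() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$OUT/$name.txt" 2>&1 && rc=0 || rc=$?
        printf '%s\t%s\texit=%s\n' "$name" "$*" "$rc" >>"$OUT/manifest.tsv"
    else
        printf '%s\t%s\tMISSING\n' "$name" "$*" >>"$OUT/manifest.tsv"
    fi
}
# copy_log PATH : copy a log with cp -p so its timestamps survive as evidence.
copy_log() {
    dest="$OUT/$(printf '%s' "$1" | tr / _)"
    if [ -r "$1" ] && cp -p "$1" "$dest"; then
        printf 'log\t%s\tcopied\n' "$1" >>"$OUT/manifest.tsv"
    else
        printf 'log\t%s\tMISSING\n' "$1" >>"$OUT/manifest.tsv"
    fi
}
# collect_triage OUTDIR : volatile data first, then configuration, then logs.
collect_triage() {
    OUT=$1
    mkdir -p "$OUT" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' >"$OUT/collected_at.txt"
    run_check processes ps aux            # volatile: changes while you work
    run_check listening ss -tuln
    run_check connections ss -tupn
    run_check logged_in w
    run_check hostname hostname
    run_check kernel uname -a
    run_check os_release cat /etc/os-release
    run_check users cat /etc/passwd
    run_check interfaces ip addr
    run_check mounts df -h
    run_check system_crontab cat /etc/crontab
    run_check services systemctl list-unit-files --type=service
    for f in /var/log/auth.log /var/log/secure /var/log/syslog /var/log/messages; do
        copy_log "$f"
    done
    # Hash everything so the bundle can be verified after it leaves the host.
    (cd "$OUT" && sha256sum ./* >hashes.sha256) 2>/dev/null || true
}
# count_collected OUTDIR : number of manifest entries (checks plus log copies).
count_collected() { n=$(wc -l <"$1/manifest.tsv"); echo $((n + 0)); }
```

Invoke it as `collect_triage /root/triage-$(hostname)-$(date +%s)` and review manifest.tsv first: a MISSING entry tells you which command to substitute for this distribution.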
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional