# less /etc/passwd/p> p># grep :0: /etc/passwd（檢查是否產(chǎn)生了新用戶，和UID、GID是0的用戶）/p> p># ls -l /etc/passwd（查看文件修改日期）/p> p># awk -F: ‘$3= =0 {print $1}’ /etc/passwd（查看是否存在特權(quán)用戶）/p> p># awk -F: ‘length($2)= =0 {print $1}’ /etc/shadow（查看是否存在空口令帳戶）

# last
（查看正常情況下登錄到本機(jī)的所有用戶的歷史記錄）

# ps -aux（注意UID是0的）/p> p># lsof -p pid（察看該進(jìn)程所打開端口和文件）/p> p># cat /etc/inetd.conf | grep -v “^#”（檢查守護(hù)進(jìn)程）/p> p>檢查隱藏進(jìn)程/p> p># ps -ef|awk ‘{print }’|sort -n|uniq >1/p> p># ls /porc |sort -n|uniq >2/p> p># diff 1 2

# find / -uid 0 –perm -4000 –print/p> p># find / -size +10000k –print/p> p># find / -name “…” –print/p> p># find / -name “.. ” –print/p> p># find / -name “. ” –print/p> p># find / -name ” ” –print/p> p>注意SUID文件，可疑大于10M和空格文件
# find / -name core -exec ls -l {} \
（檢查系統(tǒng)中的core文件）/p> p>檢查系統(tǒng)文件完整性/p> p># rpm –qf /bin/ls/p> p># rpm -qf /bin/login/p> p># md5sum –b 文件名/p> p># md5sum –t 文件名

# rpm –Va
輸出格式：/p> p>S – File size differs/p> p>M – Mode differs (permissions)/p> p>5 – MD5 sum differs/p> p>D – Device number mismatch/p> p>L – readLink path mismatch/p> p>U – user ownership differs/p> p>G – group ownership differs/p> p>T – modification time differs/p> p>注意相關(guān)的 /sbin, /bin, /usr/sbin, and /usr/bin

# ip link | grep PROMISC（正常網(wǎng)卡不該在promisc模式，可能存在sniffer）/p> p># lsof –i/p> p># netstat –nap（察看不正常打開的TCP/UDP端口)/p> p># arp –a

注意root和UID是0的schedule/p> p># crontab –u root –l/p> p># cat /etc/crontab/p> p># ls /etc/cron.*

# cat /etc/crontab/p> p># ls /var/spool/cron//p> p># cat /etc/rc.d/rc.local/p> p># ls /etc/rc.d/p> p># ls /etc/rc3.d/p> p># find / -type f -perm 4000

# lsmod

# chkconfig/p> p># rpcinfo -p（查看RPC服務(wù)）

# rkhunter -c/p> p># chkrootkit -q