Logicalwebhost Cheatsheet

Linux & Open Source Cheatsheets & Howto's

Network forensics

How to find who’s doing what on your boxes:

What it is

What it does

find / -user youruser

finds all files owned by “youruser”

find /directory_path -mtime -1 -ls

find files that have changes in the past 24 hours

htop

shows what processes are using cpu/mem etc

iftop -i eth0

shows traffic on eth0 realtime

iptables -L

shows what your firewall rules are

kill 1234

kills a process with an id of 1234. You find out what process id is by doing “ps aux | grep whateverprocessname”

lsof -i

shows who’s connecting to what process on your box

netstat -plnt

shows what processes are listening on what port, and what PID they are

ps aux | grep apache2

shows what processes apache2 is running, in case you want to kill them

who

shows who’s logged in

Where to look	What to look for
/var/log/auth.log	look for successful logins, especially as user ‘root’. You can search in vi using ‘/’ then typing what you want to search for

Write a comment

You need to login to post comments!

Introduction

I got tired of trying to remember all this stuff so I put it in a wiki, but dirtbag spammers constantly beat on it, so I'm trying a blog format. Use it if you find it useful...Got questions or subjects for new howto's? Drop me a line here

M	T	W	T	F	S	S
« May
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30

Logicalwebhost Cheatsheet

Network forensics

Write a comment

Introduction

Pages

Archive

Tags

Categories

Meta