Right when I log onto a box, the first thing I check is whether any other users are logged in at the moment.
who
- Show current sessions on the system
last
- Show the last logins
These commands aren't perfect; a better way to find other users is to look at the process tree.
ps faux | grep "bash"
- List all processes running bash; it's also a good idea to do the same for sh
pstree -n | grep "bash"
- Same thing, different command
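The "who else is on the box" check above, as an added example that is not part of the original notes: it reads the process list once and prints every interactive shell together with the command that spawned it, so a shell whose parent is not a login service stands out. It assumes procps-style `ps -eo pid,ppid,user,tty,comm` output; the `parse_shells` helper and the sample process table in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: pull interactive shells out of
# the process list together with the command that spawned each one. Assumes
# procps-style "ps -eo pid,ppid,user,tty,comm" output (one process per line).

# parse_shells: read "PID PPID USER TTY COMMAND" lines on stdin (header optional)
# and print "PID USER TTY parent=COMMAND" for every shell process found.
# A shell whose parent is sshd/login/getty is a normal login session; one whose
# parent is a service such as a web server or cron deserves a closer look.
parse_shells() {
    awk '
        NR == 1 && $1 == "PID" { next }          # skip the ps header row
        { cmd[$1] = $5 }                          # remember every command by PID
        $5 ~ /^(bash|sh|dash|zsh|ksh)$/ { n++; shell[n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(shell[i], f, " ")
                parent = (f[2] in cmd) ? cmd[f[2]] : "?"
                printf "%s %s %s parent=%s\n", f[1], f[3], f[4], parent
            }
        }'
}

# list_shells: run the check against the live system.
list_shells() {
    ps -eo pid,ppid,user,tty,comm | parse_shells
}

# who_is_here: the quick "anyone else on the box?" check from the notes
# (who, then recent logins), followed by the shell listing above.
who_is_here() {
    who
    last -n 10 2>/dev/null
    list_shells
}

# Constructed sample of what parse_shells consumes (not real system output):
#   PID PPID USER     TT    COMMAND
#   902 901  alice    pts/0 bash      -> printed as "902 alice pts/0 parent=sshd"
#   951 950  www-data ?     sh        -> printed as "951 www-data ? parent=nginx"
```

Running `who_is_here` on a live system gives the same picture the notes build from `who`, `last` and `ps faux | grep bash`, but with the parent command next to each shell, which is the detail that actually tells you whether a shell belongs to a person or to a service.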
After that there are 2 other things I like to check quickly.
alias
- List the aliases
ls -l /bin | grep "Feb XX"
- Checks the last-modified date of the binaries; if any that shouldn't have been edited recently look suspicious, be careful. Also do this on both /bin and /sbin.
We'll come back to make backups later.
Quickly check files like /etc/passwd, /etc/shadow and /etc/group for immutability, then CHANGE YOUR PASSWORD AND DON'T FORGET ABOUT ROOT. Having a password list ready beforehand is good. Make a backup user now with admin privs.
Check out the passwd, group, sudoers and sudoers.d files to find out who has which permissions on the system. Fix any that look bad, please.
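The passwd/shadow/group/sudoers review from the two paragraphs above, as an added example that is not from the original notes: each function takes the file(s) to read as an argument, so the same checks run against `/etc` or against a backup copy. The function names and the sample files in the comments are constructed for illustration; `lsattr` is assumed to be available for the immutability check.

```shell
#!/bin/sh
# Added example, not from the original notes: quick checks over passwd, shadow,
# group and sudoers. Every function takes the file(s) to read as arguments so it
# can be run against /etc or against a backup copy.

# extra_uid0 PASSWD: accounts other than root that have UID 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_passwords SHADOW: accounts whose password field is blank (no password needed).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# shell_accounts PASSWD: accounts with a real login shell, to compare against the
# list of users you expect on the box.
shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# group_members GROUP GROUP_FILE: who is in an admin group such as sudo, wheel or admin.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# sudo_grants FILE...: active (uncommented) sudoers lines granting NOPASSWD or "ALL=",
# with file name and line number. Pass /etc/sudoers /etc/sudoers.d/*.
sudo_grants() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -Hn -E '^[^#]*(NOPASSWD|ALL[[:space:]]*=)' "$f"
    done
    return 0
}

# immutable_flag FILE...: show whether the immutable attribute is set (ext filesystems).
immutable_flag() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available" >&2; return 2; }
    lsattr -d "$@" 2>/dev/null | awk '{ print ($1 ~ /i/ ? "immutable " : "mutable   ") $2 }'
}

# audit_accounts: run everything against the live system.
audit_accounts() {
    echo "== extra UID 0 accounts";   extra_uid0 /etc/passwd
    echo "== empty passwords";        empty_passwords /etc/shadow
    echo "== login shells";           shell_accounts /etc/passwd
    echo "== admin group members";    group_members sudo /etc/group; group_members wheel /etc/group
    echo "== sudo grants";            sudo_grants /etc/sudoers /etc/sudoers.d/*
    echo "== immutable flags";        immutable_flag /etc/passwd /etc/shadow /etc/group
}
```

Anything `extra_uid0` or `empty_passwords` prints is a second root or a password-less login and should be fixed before moving on; `sudo_grants` and `group_members` show who can become root through sudo, which is where the "fix any that look bad" step in the notes usually bites.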
Cron is a process that runs commands at set times or intervals.
crontab -l
- List the crontab for the current user
crontab -r
- Delete the current user's crontab. Not perfect though: another user could have one, so go to /var/spool/cron and check that directory for cron files. If any are bad, remove them. There are also cron files in /etc/cron.d, /etc/cron.hourly, /etc/cron.daily and /etc/cron.weekly; these can be edited to run more often, so be careful.
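The cron sweep described above, as an added example that is not from the original notes: it walks the system crontab, /etc/cron.d, the user spool directories and the periodic script directories under one root, prints every active entry with its file and line number, and separately flags jobs scheduled to fire every minute (the "edited to run quicker" case). The ROOT argument and the sample tree in the test are constructed so the same functions can run against a backup or a test directory.

```shell
#!/bin/sh
# Added example, not from the original notes: enumerate every cron job on the box
# and flag the ones scheduled to fire every minute. ROOT defaults to "/" and can be
# pointed at a test tree or a mounted backup instead.

# cron_files ROOT: print the crontab files that exist under ROOT.
# Covers the system crontab, /etc/cron.d and both user spool layouts
# (/var/spool/cron on Red Hat style systems, /var/spool/cron/crontabs on Debian).
cron_files() {
    root=${1:-/}; root=${root%/}
    for f in "$root/etc/crontab" "$root/etc/cron.d"/* \
             "$root/var/spool/cron"/* "$root/var/spool/cron/crontabs"/*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# cron_entries ROOT: every active (non-blank, non-comment) line, prefixed "file:line:".
cron_entries() {
    cron_files "$1" | while read -r f; do
        grep -Hn -v -E '^[[:space:]]*(#|$)' "$f" || true
    done
}

# every_minute ROOT: entries whose minute field is "*" or "*/N", i.e. jobs that run
# every minute or every few minutes. Comment and KEY=value lines never match.
every_minute() {
    cron_files "$1" | while read -r f; do
        awk -v file="$f" '$1 ~ /^\*(\/[0-9]+)?$/ { print file ":" FNR ":" $0 }' "$f"
    done
}

# cron_scripts ROOT: scripts in the periodic directories with their modification
# times, so a freshly edited one stands out.
cron_scripts() {
    root=${1:-/}; root=${root%/}
    for d in hourly daily weekly monthly; do
        [ -d "$root/etc/cron.$d" ] && ls -l "$root/etc/cron.$d"
    done
    return 0
}
```

`cron_entries /` gives the whole picture that `crontab -l` alone misses (other users' spools and /etc/cron.d); `every_minute /` is the short list to read first.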
netstat -tulpa
- List all TCP and UDP sockets with the owning process names; add 'n' to show port numbers instead of service names
cp -R /bin /home/<user>/bin_backup
- Make a backup of the system executables; also do this with /sbin. This way you have a known working version.
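The binary-modification check from the `ls -l /bin | grep "Feb XX"` step and the backup taken here, combined into one added example that is not from the original notes: `recently_modified` finds files changed in the last N days without depending on a month string, and `snapshot`/`changed_files` record a checksum of every file in /bin and /sbin so that later on you can ask exactly which binaries differ from the backup. It assumes `find`, `diff` and coreutils `sha256sum`; the function names and the test directories are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: the "recently modified binaries" check
# and a checksum-based comparison of /bin and /sbin against the backup copy taken above.
# Assumes find, diff and coreutils sha256sum.

# recently_modified DIR DAYS: files under DIR modified within the last DAYS days.
# The notes grep "ls -l" for a date string; -mtime gives the same answer without
# depending on the month abbreviation.
recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# backup_bins DEST: take the backup the notes describe, for both /bin and /sbin.
# On systems where /bin is a symlink to /usr/bin, add -L so the target is copied
# rather than the link.
backup_bins() {
    mkdir -p "$1"
    cp -R /bin "$1/bin_backup" && cp -R /sbin "$1/sbin_backup"
}

# snapshot DIR OUT: write "hash  ./relative/path" for every file under DIR, sorted by path.
snapshot() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2) > "$2"
}

# changed_files DIR SNAPSHOT: paths whose content differs from the snapshot, plus
# files present on only one side (added or removed). Empty output means no change.
changed_files() {
    tmp=$(mktemp)
    snapshot "$1" "$tmp"
    diff "$2" "$tmp" | awk '/^[<>]/ { print $3 }' | sort -u
    rm -f "$tmp"
}

# Typical use right after the backup, then again whenever something looks off:
#   snapshot /bin  /home/<user>/bin.sha256
#   snapshot /sbin /home/<user>/sbin.sha256
#   changed_files /bin  /home/<user>/bin.sha256
#   recently_modified /sbin 7
```

Keep the snapshot files with the backup, not in /bin; a binary that `changed_files` reports and that you did not update yourself can be restored from the backup copy.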
Build out your firewall and please don't lock yourself out.
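A default-deny firewall built in an order that cannot lock you out, as an added example that is not from the original notes: the accept rules (loopback, established connections, your own SSH source, the services you expose) are installed while the INPUT policy is still ACCEPT, and the DROP policy is the very last command, so a typo partway through leaves you connected. It assumes iptables; the admin network and the port list are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not from the original notes: generate a default-deny iptables
# ruleset in an order that cannot lock you out. ADMIN_NET and the port list are
# placeholders for your own values.

# firewall_rules ADMIN_NET PORT...: print the iptables commands, one per line.
# Accept rules go in while the policy is still ACCEPT; the DROP policy comes last.
firewall_rules() {
    admin_net=$1; shift
    echo "iptables -P INPUT ACCEPT"                       # start open; never flush under DROP
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $admin_net --dport 22 -j ACCEPT"   # your own SSH access first
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"             # services you scored on
    done
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
    echo "iptables -P INPUT DROP"                         # default deny, last of all
}

# apply_firewall ADMIN_NET PORT...: run the rules (needs root). With DRY_RUN set,
# only print them so you can read the list before it goes live.
apply_firewall() {
    if [ -n "$DRY_RUN" ]; then
        firewall_rules "$@"
    else
        firewall_rules "$@" | sh -e
    fi
}

# lockout_guard SECONDS: background timer that reopens INPUT after SECONDS.
# Start it before apply_firewall; if you can still get in afterwards, kill the
# job (kill %1 or the printed PID). If you cannot, the box lets you back in by itself.
lockout_guard() {
    (sleep "$1" && iptables -P INPUT ACCEPT) &
    echo "lockout guard pid $!"
}
```

Review the output of `DRY_RUN=1 apply_firewall 10.0.0.0/24 80 443` first; the port list is TCP only, so add matching `-p udp` rules for anything like DNS that the box must serve.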
The SSH configuration files are in /etc/ssh/.
ARP table
Hostnames