Incident Response Quick Reference
IR First-15-Minutes Checklist
| Step | Command | What You’re Looking For |
|---|---|---|
| 1. Check listeners | `ss -tulnp` | Unknown ports (4444, 1337, 31337) |
| 2. Check processes | `ps auxf` | Processes in /tmp, /dev/shm, hidden dirs |
| 3. Check sessions | `w` or `who` | Unknown logged-in users |
| 4. Check SSH keys | `cat /home/*/.ssh/authorized_keys` | Keys you didn’t put there |
| 5. Check root keys | `cat /root/.ssh/authorized_keys` | Any unauthorized keys |
| 6. Check cron (all users) | `for u in $(cut -f1 -d: /etc/passwd); do crontab -u "$u" -l; done` | Suspicious scheduled tasks |
| 7. Check system cron | `ls -la /etc/cron.d/ /etc/cron.daily/` | Unexpected scripts |
| 8. Check accounts | `awk -F: '$3==0' /etc/passwd` | Extra UID 0 accounts (should only be root; a plain `grep ':0:'` also matches GID 0 members) |
| 9. Check SUID | `find / -perm -4000 -type f 2>/dev/null` | SUID binaries in unusual locations |
| 10. Check systemd | `systemctl list-units --type=service` | Unknown services |
Persistence Detection Commands
| Persistence Type | Detection Command | Red Flag |
|---|---|---|
| Backdoor process | `ss -tulnp` | Listener on port 4444, 1337, 31337 |
| Hidden binary | `ls -la /tmp/.[!.]* /dev/shm/.[!.]* 2>/dev/null` (the `.[!.]*` glob skips `.` and `..`, so `/` is not listed) | Executables in hidden dirs |
| Cron backdoor | `crontab -l; ls /etc/cron.d/` | `curl\|bash`, /tmp scripts, unknown entries |
| SSH key | `cat ~/.ssh/authorized_keys` | Keys with unfamiliar comments |
| UID 0 account | `awk -F: '$3==0' /etc/passwd` | Any user besides root with UID 0 |
| SUID binary | `find / -perm -4000 -type f 2>/dev/null` | SUID in /tmp, /home, /var, /dev |
| Systemd service | `systemctl list-unit-files --state=enabled` | Unknown .service files |
| Reverse shell | `tr '\0' ' ' < /proc/<pid>/cmdline` (cmdline is NUL-separated) | /dev/tcp, nc, ncat, bash -i |
| Modified binary | `debsums -c 2>/dev/null` (Debian/Ubuntu; `rpm -Va` on RPM-based systems) | System binaries that don’t match package |
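Added example, not from the original page: three POSIX sh filters that apply checklist steps 1, 2 and 8 to the output of `ss -tulnp`, `ps auxf` and `/etc/passwd`, run here against constructed sample data. The port list, the flagged paths and the `triage` wrapper are this example's own choices.

```shell
# Stdin filters for the checklist rows above. Pipe live output into them
# (ss -tulnp | suspicious_listeners) or feed output saved from a host.

# Step 1 / "Backdoor process": listeners on common reverse-shell ports.
# Column 5 of ss -tulnp is Local Address:Port; the port follows the last ':'.
suspicious_listeners() {
    awk '$5 ~ /:[0-9]+$/ {
        n = split($5, a, ":"); port = a[n]
        if (port == 4444 || port == 1337 || port == 31337) print $5, $NF
    }'
}

# Step 2 / "Hidden binary": executables under /tmp, /dev/shm, /var/tmp or
# any dot-directory. ps auxf puts the command in column 11, after a "\_"
# tree marker for child processes.
suspicious_processes() {
    awk '$2 ~ /^[0-9]+$/ {
        cmd = $11; if (cmd == "\\_") cmd = $12
        if (cmd ~ "^/(tmp|dev/shm|var/tmp)/" || cmd ~ "/\\.[^/]+/")
            print $2, cmd
    }'
}

# Step 8 / "UID 0 account": compare field 3 numerically; grepping ':0:'
# would also flag a GID-0 member such as the dev account below.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample output (not from a real host), one finding per check.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 1   0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=2231,fd=3))
udp UNCONN 0 0   [::]:5353    [::]:*'
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root   1 0.0 0.1 1234 567 ? Ss 10:00 0:00 /sbin/init
root 812 0.0 0.2 2345 678 ? Ss 10:00 0:00 /usr/sbin/sshd -D
www 2231 0.0 0.1 1111 222 ? S  10:05 0:00  \_ /tmp/.x/agent -c 10.0.0.5'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
support:x:0:0::/home/support:/bin/bash
dev:x:1000:0::/home/dev:/bin/bash'
# Runs the three checks on the samples; exit status = number of findings.
triage() {
    findings=$( { printf '%s\n' "$SAMPLE_SS" | suspicious_listeners
                 printf '%s\n' "$SAMPLE_PS" | suspicious_processes
                 printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts; } )
    printf '%s\n' "$findings"
    return "$(printf '%s\n' "$findings" | grep -c .)"
}
```

On a live host, replace the sample variables with the real commands (`ss -tulnp | suspicious_listeners`, and so on); a non-zero exit from `triage` means at least one row of the table needs a closer look.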
Kill Chain (Remediation Order)
1. Kill active malicious processes (stop the bleeding)
2. Remove cron persistence (stop it from coming back)
3. Remove SSH key persistence (close the door)
4. Delete unauthorized accounts (revoke credentials)
5. Remove SUID backdoors (remove privilege escalation)
6. Remove malicious systemd services (stop auto-restart)
7. Change all passwords (invalidate stolen credentials)
8. Restart affected services (apply changes)
9. Verify with `ss -tulnp` + `ps auxf` (confirm clean state)