====== Hacking - Determine if your computer is hacked ======
===== Show a listing of users currently logged in =====
w
returns:
 22:14:53 up 9 days,  5:40,  1 user,  load average: 1.45, 1.52, 1.45
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
peter    :1       :1               17Nov20 ?xdm?  42:26m  0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
----
who
returns:
peter :1 2020-11-17 16:34 (:1)
----
===== Show a listing of last logged in users =====
last
returns:
...
peter    :0           :0               Sun Aug  9 10:56 - crash  (00:28)
reboot   system boot  5.4.0-42-generic Sun Aug  9 10:56 - 16:48  (05:52)
peter    :0           :0               Sun Aug  9 01:44 - down   (09:11)
reboot   system boot  5.4.0-42-generic Sun Aug  9 01:44 - 10:55  (09:11)
peter    :0           :0               Sat Aug  8 23:48 - down   (01:55)
reboot   system boot  5.4.0-42-generic Sat Aug  8 23:47 - 01:43  (01:55)
peter    :0           :0               Sat Aug  8 23:12 - crash  (00:35)
reboot   system boot  5.4.0-42-generic Sat Aug  8 23:12 - 01:43  (02:31)
peter    :0           :0               Sat Aug  8 22:06 - crash  (01:06)
reboot   system boot  5.4.0-42-generic Sat Aug  8 22:05 - 01:43  (03:37)
peter    :0           :0               Sat Aug  8 18:54 - down   (03:11)
reboot   system boot  5.4.0-42-generic Sat Aug  8 18:53 - 22:05  (03:11)
...
----
===== Show the most recent commands run by a user =====
tail -n 100 ~/.bash_history
returns:
...
df
htop
ip addr
sudo apt update
sudo apt upgrade
systemd-resolve --status
sudo systemctl restart systemd-resolved
exit
...
----
===== Find System Files that have recently changed =====
sudo find /etc /var -mtime -2
returns:
...
/etc
/etc/apport
/etc/apport/blacklist.d
/etc/cron.daily
/etc/bash_completion.d
/etc/pm/sleep.d
/etc/grub.d
/etc/default
/etc/default/grub
/etc/default/grub.d
/etc/systemd/system
...
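
The ''find -mtime'' check above looks only at the modification time, which ''touch'' can set to any value, whereas the inode change time (ctime) is updated by the kernel and cannot be set that way. The following is an added example, not part of the original page: it assumes GNU find (for ''-printf''), uses a hypothetical function name ''recent_changes'', and, unlike the command above, reports regular files only.

```shell
#!/bin/sh
# Added example (not from the original page). Requires GNU find and awk.
#
# recent_changes DAYS DIR...
#   Lists regular files under DIR... whose mtime OR ctime falls within the
#   last DAYS days, one per line, tagged as:
#     RECENT      mtime is inside the window (what `find -mtime` reports)
#     CTIME-ONLY  ctime is inside the window but mtime is older, e.g. the
#                 mtime was backdated, or only owner/permissions changed
#   Paths containing newlines are not handled.
recent_changes() {
    days=$1
    shift
    find "$@" -xdev -type f \( -mtime "-$days" -o -ctime "-$days" \) \
        -printf '%T@ %C@ %p\n' 2>/dev/null |
    awk -v window="$((days * 86400))" -v now="$(date +%s)" '
        {
            mtime = $1
            # Strip the two timestamp fields; the rest is the path,
            # which may itself contain spaces.
            path = $0
            sub(/^[^ ]+ [^ ]+ /, "", path)
            if (now - mtime > window)
                print "CTIME-ONLY\t" path
            else
                print "RECENT\t" path
        }'
}

# Stand-alone use: ./recent_changes.sh 2 /etc /var
if [ "$#" -ge 2 ]; then
    recent_changes "$@"
fi
```

Run it with ''sudo'' so that directories readable only by root are included. ''CTIME-ONLY'' entries are also produced by ordinary ''chmod''/''chown'' activity and by package upgrades, which unpack files with their packaged mtime.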