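# Account checks against /etc/passwd.

# Coarse first pass: prints every line that contains a "0" anywhere, so the
# result has to be read by eye. The awk test below is the exact UID-0 check.
grep 0 /etc/passwd

# Accounts whose UID (field 3) is 0. Any name other than root listed here
# holds full root privilege under a different login.
# The captured session on this page printed: root
awk -F: '$3 == 0 { print $1 }' /etc/passwd

# Accounts whose password field (field 2) in /etc/passwd is empty.
awk -F: 'length($2) == 0 { print $1 }' /etc/passwd

# With shadow passwords, field 2 of /etc/passwd is only a placeholder and the
# hash lives in /etc/shadow, so the empty-field test is repeated there
# (reading /etc/shadow needs root).
awk -F: 'length($2) == 0 { print $1 }' /etc/shadow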
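# Open files and sockets of a single process. Set pid to the process ID
# under inspection before running this line.
# -n and -P keep addresses and ports numeric, so no DNS or service-name
# lookups are made from the host being examined.
lsof -nP -p "$pid"

# Processes holding a socket on port 80.
lsof -nP -i :80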
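# Hidden-process check: compare the PIDs that ps reports with the numeric
# entries under /proc. A PID present in /proc but absent from ps is worth a
# closer look (for example a replaced ps binary). Processes that start or
# exit between the two listings, including this pipeline's own children,
# also show up in the diff, so re-run before drawing conclusions.
# The two lists go to mktemp files rather than fixed names "1" and "2" in
# the current directory, which would overwrite existing files there.
ps_pids=$(mktemp) || exit 1
proc_pids=$(mktemp) || exit 1

# "-o pid=" prints only the PID column with no header line, so the literal
# "PID" heading does not end up in the list.
ps -e -o pid= | awk '{ print $1 }' | sort -n | uniq > "$ps_pids"

# Only the numeric directories under /proc are processes; the glob skips
# entries such as /proc/cpuinfo that would otherwise pollute the diff.
for entry in /proc/[0-9]*; do
  printf '%s\n' "${entry##*/}"
done | sort -n | uniq > "$proc_pids"

diff "$ps_pids" "$proc_pids"
rm -f -- "$ps_pids" "$proc_pids"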
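# SUID files, suspicious files larger than about 10 MB, and files whose
# names consist of dots or spaces.

# Root-owned files with the setuid bit. "-perm -4000" matches any mode that
# includes the setuid bit; the bare form "-perm 4000" matches only a mode of
# exactly 4000 and therefore misses ordinary setuid binaries such as 4755.
find / -uid 0 -perm -4000 -print

# Files larger than 10000 KiB.
find / -size +10000k -print

# Names built from dots and trailing spaces, which are easy to overlook in
# a directory listing.
# NOTE(review): the page showed "..", "." and "" for the last three
# patterns; those match nothing useful and the caption mentions space-named
# files, so the spaces were presumably lost when the page was captured.
# Confirm against the original source.
find / -name "..." -print
find / -name ".. " -print
find / -name ". " -print
find / -name " " -print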
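# Core files anywhere on the system, listed with owner, size and timestamp.
# The -exec clause must be closed with an escaped semicolon; without it find
# rejects the command line.
find / -name core -exec ls -l {} \;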
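# Package that owns each binary. This only names the package; it does not
# check the file's contents.
rpm -qf /bin/ls
rpm -qf /bin/login

# Verify the installed files against the RPM database (size, digest, mode,
# owner). No output means no recorded difference. The database sits on the
# same host, so treat a clean result as supporting evidence only.
rpm -Vf /bin/ls
rpm -Vf /bin/login

# Checksum of FILENAME read in binary (-b) and text (-t) mode, for comparison
# with a value taken from a known-good copy. MD5 is not collision resistant;
# where a trusted reference hash is available, sha256sum is the stronger
# comparison.
md5sum -b FILENAME
md5sum -t FILENAME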
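# Interfaces carrying the PROMISC flag, a sign that something is capturing
# traffic not addressed to this host.
ip link | grep PROMISC

# The flag is not always set when a capture tool enables promiscuous mode
# through a packet socket, so also read the per-interface promiscuity
# counter from the detailed view; a non-zero count means at least one
# holder. NOTE(review): confirm that the iproute2 version on the host prints
# this field.
ip -d link | grep -E 'promiscuity [1-9]'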
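# All sockets with numeric addresses and the owning PID/program. Run as
# root, otherwise the owner column is blank for other users' sockets.
netstat -nap

# ARP cache: IP-to-MAC mappings the host currently holds. Several IPs
# resolving to one MAC, or a changed gateway MAC, deserve a second look.
arp -a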
# Root logins grouped by the third column of `last` (the remote host for
# network logins), most frequent source first, paged for reading.
# `last` reads the login record file, so the counts are only as trustworthy
# as that file.
last root \
  | awk '{ print $3 }' \
  | sort \
  | uniq -c \
  | sort -rn \
  | more
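# Scheduled jobs, a common place for persistence. Each location is listed
# separately: the page had these four commands run together on one line.

# root's personal crontab.
crontab -u root -l

# System-wide crontab.
cat /etc/crontab

# Drop-in directories (cron.d, cron.daily, cron.hourly, ...).
ls /etc/cron.*

# Per-user crontab spool; look for users that should not have jobs.
ls /var/spool/cron/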
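# Boot-time start-up points, checked for entries nobody on the team added.

# Commands run at the end of boot.
cat /etc/rc.d/rc.local

# Init scripts and the runlevel 3 start/kill links.
ls /etc/rc.d
ls /etc/rc3.d

# Regular files with the setuid bit. "-perm -4000" matches any mode that
# includes the bit; "-perm 4000" would match only a mode of exactly 4000 and
# return almost nothing.
find / -type f -perm -4000

# SysV services and the runlevels they start in. On systemd hosts the
# corresponding listing is `systemctl list-unit-files --type=service`.
chkconfig --list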