shell-mastery — Process Forensics
Process & System Quick Hits
Find what’s listening on a port
ss -tlnp | awk 'NR>1{print $4, $7}' | column -tFind process by name
pgrep -a sshd
ps aux | awk '/[s]shd/{print $2, $11}' # bracket trick avoids matching grep itselfKill by name
pkill -f "process_name"Who’s logged in and what they’re running
w
who | awk '{print $1}' | sort -uRecent logins
last -10
lastlog | awk '$NF != "in" && NR>1'System uptime + load
uptime
cat /proc/loadavgFile Forensics
Find files modified in last hour
find / -mmin -60 -type f 2>/dev/nullFind files owned by root that are world-writable
find / -user root -perm -o+w -type f 2>/dev/nullFind SUID binaries
find / -perm -4000 -type f 2>/dev/nullCompare two directories
diff <(ls -la dir1/) <(ls -la dir2/)Find large files consuming disk
find / -xdev -type f -size +100M -exec ls -lh {} \; 2>/dev/null | sort -k5 -rh