5 Linux Commands Hackers Use (And How to Detect Them on Your Server)
Intro:
When attackers breach a Linux server, they don’t waste time — they run specific commands to escalate privileges, move laterally, or wipe traces. By learning to recognize these commands, you can detect compromise early. These 5 commands show up in real-world attacks — and here’s how to find them before they cost you everything.
1. whoami / id
Attackers check which user they’re running as.
✅ How to Detect: Search the shell history, or the audit log once the AuditD rule below is loaded:
grep 'whoami' ~/.bash_history
ausearch -k privilege_check
✅ Preventative Tip: Use AuditD:
auditctl -w /usr/bin/whoami -p x -k privilege_check
2. uname -a
Used to fingerprint the kernel and OS version — to find known vulnerabilities.
✅ How to Detect:
grep 'uname -a' ~/.bash_history
✅ Bonus: Run lynis or oscap to check your system for kernel-specific vulnerabilities.
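The detection steps for sections 1 and 2 (grepping history files for whoami, id and uname, and watching the binaries with AuditD) can be folded into one small POSIX shell script. The script below is an added example, not code from the original post. It assumes the conventional history paths (/root/.bash_history and /home/*/.bash_history) and the same audit key, privilege_check, used above; the sample history it scans is constructed for the demo.

```shell
#!/bin/sh
# Added example: scan shell history files for reconnaissance commands
# (whoami, id, uname) and emit matching AuditD watch rules.

# Match the command at the start of a history line, with an optional sudo
# prefix and any arguments. Anchoring on the whole word means "idle" or
# "identify" are not reported as "id".
RECON_REGEX='^[[:space:]]*(sudo[[:space:]]+)?(whoami|id|uname)([[:space:]].*)?$'

# Print each matching line of one history file as "file:lineno:command".
scan_history_file() {
    grep -nE "$RECON_REGEX" "$1" | sed "s|^|$1:|"
}

# Print the number of matching lines in one file; prints 0 when the file
# does not exist or is unreadable (grep -c returns non-zero in both cases).
count_recon_hits() {
    n=$(grep -cE "$RECON_REGEX" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Scan root's history and every home directory (conventional default paths).
scan_all_histories() {
    for f in /root/.bash_history /home/*/.bash_history; do
        [ -r "$f" ] && scan_history_file "$f"
    done
    return 0
}

# Emit one AuditD execute-watch rule per binary, in the same form as the
# auditctl line above, so hits can later be found with: ausearch -k privilege_check
audit_rules() {
    for bin in /usr/bin/whoami /usr/bin/id /usr/bin/uname; do
        echo "-w $bin -p x -k privilege_check"
    done
}

# Demo on a constructed history sample (not taken from any real host).
demo() {
    tmp=$(mktemp)
    printf 'ls -la\nwhoami\nid\nidle\nuname -a\nsudo id\ncat /etc/passwd\n' > "$tmp"
    echo "recon hits in sample: $(count_recon_hits "$tmp")"
    scan_history_file "$tmp"
    echo "audit rules to load with auditctl:"
    audit_rules
    rm -f "$tmp"
}

demo
```

History files are only as trustworthy as the shell that wrote them: an attacker who unsets HISTFILE or truncates the file leaves nothing to grep, which is why the AuditD rules are the more reliable signal. Loading the rules with `auditctl` is runtime-only; put them in a file under /etc/audit/rules.d/ to keep them across reboots.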