What do attackers do after breaking into a server? Well, most of them try to download malicious programs and use the server to do bad things. But what programs do they download?
nohup). Therefore, they are most likely used to launch DDoS attacks, or do all kinds of malicious stuff.
mwlist.txt. Alternatively, you can download it.
grep '^[^#]' mwlist.txt | cut -f1 -d ' ' | sort > mwlist-md5.txt
/etc, or change to any directory you want to check):
find /etc -type f -print0 | xargs -0 md5sum > hash-etc.txt
cut -f1 -d ' ' hash-etc.txt | sort > hash-etc-md5.txt
comm to find common lines between the two files:
comm -12 mwlist-md5.txt hash-etc-md5.txt
EACH_LINE_IN_OUTPUT with those from Step 5's output:
grep "EACH_LINE_IN_OUTPUT" hash-etc.txt
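The steps above can be folded into one pass that prints the matching file paths directly. This is an added example, not the original author's script: the function names, temporary paths and demo data are constructed, and an awk lookup stands in for the comm step and the per-hash grep.

```shell
#!/bin/sh
# Added example. Assumed list layout (taken from the commands on the page):
# '#' starts a comment line; field 1 of every other line is an MD5 hash.

# match_known_hashes LIST DIR
# Prints "md5  path" for every regular file under DIR whose MD5 is in LIST.
match_known_hashes() {
    list=$1; dir=$2
    work=$(mktemp -d) || return 1
    # Known hashes: drop comments, keep field 1, lowercase the hex, dedupe.
    grep '^[^#]' "$list" | cut -f1 -d ' ' | tr 'A-F' 'a-f' \
        | sort -u > "$work/known.txt"
    # Hash every file; -print0/-0 keeps names with spaces intact, and -r
    # stops md5sum from running (and hashing empty stdin) when DIR is empty.
    find "$dir" -type f -print0 | xargs -0 -r md5sum > "$work/files.txt"
    # Load the known set from the first file, then print each full
    # "md5  path" line from the second file whose hash is in that set.
    awk 'FILENAME == ARGV[1] { bad[$1]; next } $1 in bad' \
        "$work/known.txt" "$work/files.txt"
    rm -rf "$work"
}

# Constructed demo: two harmless files, one of which is put on the list.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tree"
    printf 'constructed sample payload\n' > "$d/tree/dropped file.bin"
    printf 'ordinary config\n' > "$d/tree/app.conf"
    h=$(md5sum "$d/tree/dropped file.bin" | cut -f1 -d ' ')
    {
        echo '# constructed list, same layout as mwlist.txt'
        echo "$h constructed-sample"
        echo 'ffffffffffffffffffffffffffffffff constructed-unmatched'
    } > "$d/list.txt"
    match_known_hashes "$d/list.txt" "$d/tree"
    rm -rf "$d"
}

demo
```

For a real check, call match_known_hashes mwlist.txt /etc as a user that can read every file under the directory, since unreadable files are skipped with an error from md5sum.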