Unauthorized Sudo Activity

A Debian-first guide to identifying suspicious sudo usage, reviewing elevated command execution, and containing unauthorized administrative activity.

What this is

Unauthorized sudo activity happens when elevated commands are run without a valid administrative reason. This may indicate compromised credentials, misuse by an unexpected user, or activity after privilege escalation.

Because sudo grants high-impact access, even a small number of suspicious commands deserves attention.

What it looks like

Detect

Review sudo activity in auth logs

sudo grep -Ei "sudo|COMMAND" /var/log/auth.log

Review successful logins around the same time

sudo grep -Ei "Accepted|session opened" /var/log/auth.log

Review users with sudo access

getent group sudo

Review root-owned processes currently running

ps -U root -u root u

Review related system changes

sudo ufw status numbered
sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f
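The grep commands above return raw log lines. The following is an added example, not part of the original guide, showing how to reduce those lines to one record per elevated command and flag invoking users who are not on an expected admin list. The host name, user names and the auth.log excerpt are constructed for the demonstration; on a real host the same functions read /var/log/auth.log.

```shell
#!/bin/sh
# Added example (not from the original guide): turn sudo lines from auth.log
# into "user|status|command" records and flag invoking users who are not on
# an expected admin list. Host "web1", users alice/bob/www-data and the log
# lines below are constructed sample data.

# Constructed auth.log excerpt standing in for /var/log/auth.log.
SAMPLE_LOG=$(cat <<'EOF'
Mar  4 09:00:00 web1 sshd[1200]: Accepted publickey for alice from 10.0.0.5 port 50112 ssh2
Mar  4 10:15:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 10:15:02 web1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  4 02:03:11 web1 sudo:    www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/sbin/useradd -m -G sudo svc
Mar  4 02:05:00 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
EOF
)

# Read auth.log lines on stdin; print one "user|status|command" record per
# sudo COMMAND= line. Session-open and sshd lines carry no COMMAND= and are
# skipped. status is DENIED when sudo refused the request (user not in sudoers).
sudo_commands() {
    awk '
    /sudo:/ && /COMMAND=/ {
        match($0, /sudo:[[:space:]]+[^[:space:]]+/)   # "sudo:    alice"
        user = substr($0, RSTART, RLENGTH)
        sub(/sudo:[[:space:]]+/, "", user)
        status = ($0 ~ /NOT in sudoers/) ? "DENIED" : "OK"
        cmd = $0
        sub(/.*COMMAND=/, "", cmd)
        print user "|" status "|" cmd
    }'
}

# Read auth.log lines on stdin; print only records whose invoking user is not
# among the expected admins passed as arguments.
# Usage: flag_unexpected alice carol < /var/log/auth.log
flag_unexpected() {
    expected=" $* "
    sudo_commands | while IFS='|' read -r user status cmd; do
        case "$expected" in
            *" $user "*) ;;    # expected admin: nothing to report
            *) printf '%s|%s|%s\n' "$user" "$status" "$cmd" ;;
        esac
    done
}

# Demo run on the constructed excerpt. On a live host feed the real log instead:
#   sudo cat /var/log/auth.log | flag_unexpected alice
printf '%s\n' "$SAMPLE_LOG" | flag_unexpected alice
```

A denied attempt (the bob record) is worth as much attention as a successful one: it shows a non-admin account trying to read a sensitive file, which is exactly the pattern the Detect section is looking for. Compare the flagged users against getent group sudo to decide whether the membership or the activity is the anomaly.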

Contain

Lock a suspicious account if needed

sudo passwd -l <username>
sudo chage -E 0 <username>

Remove unexpected sudo access

sudo deluser <username> sudo

Stop suspicious root processes or services

sudo kill -TERM <PID>
sudo systemctl stop <service_name>

Recover

Review exactly what privileged commands were run

sudo grep -Ei "sudo|COMMAND" /var/log/auth.log

Check for resulting system changes

cut -d: -f1 /etc/passwd
getent group sudo
sudo ufw status numbered
sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f

Review whether the activity led to persistence or wider compromise

sudo find /home /root -name authorized_keys -type f -exec ls -lah {} \; -exec cat {} \;
ps auxf
sudo ss -tpn

Recovery means tracing what the sudo activity changed and whether it was part of a larger compromise chain.

Prevent

Option 1 — Keep sudo membership minimal

getent group sudo

Option 2 — Review auth logs regularly

sudo grep -Ei "sudo|COMMAND|Accepted" /var/log/auth.log

Option 3 — Restrict SSH and admin exposure

sudo ufw allow from <trusted_ip> to any port 22
sudo ufw deny 22

Option 4 — Review system changes after any suspicious login

sudo ufw status numbered
sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f

Option 5 — Prefer SSH keys over password-based admin access

ssh-copy-id user@server_ip

Optional Tools & Hosting

Manual sudo and auth review should come first. Future recommendations may include tools that improve visibility into privileged actions, but the strongest defense is still less exposure and fewer privileged accounts.

Notes

Environment Note

All commands shown are based on Debian-based systems unless otherwise noted. On Debian 12 and later, rsyslog is not installed by default, so /var/log/auth.log may be absent; the same sudo and sshd entries can then be read from the journal with journalctl _COMM=sudo and journalctl -u ssh.