Why I Check for Hidden Processes Every Week on My Linux Servers (And You Should Too) | by Faruk Ahmed | Jun, 2025

#processes #why #check #hidden

Member-only story

Why I Check for Hidden Processes Every Week on My Linux Servers (And You Should Too)

Intro: You trust your server. But can you trust every process running on it? I learned the hard way that even clean installs and limited users aren’t guarantees. Malware, crypto miners, or unauthorized scripts can hide in plain sight — unless you know what to look for. Here’s why I make it a weekly habit to check for hidden or suspicious processes on all my Linux servers, and how you can too.

Why Legit Processes Aren’t Always Innocent Many attackers mask their malicious processes to look like system daemons (e.g., kworker, sshd). You may see them running—but if you don’t inspect their origin, you’ll miss the red flag.
Use ps + lsof to Catch Oddities

ps aux --sort=-%cpu | head

Look for processes using unusual CPU or memory patterns.

Then trace them:

lsof -p <PID>

Check if the files or directories look suspicious (e.g., running from /tmp or /dev/shm).

Compare With What You Expect

Create a baseline on a clean system using:

ps -eo comm | sort | uniq > baseline_processes.txt

👉 Read Full Blog on Medium Here

The Community for IaC Practitioners

Join IaCConf on August 27 for a virtual event that dives into the security and governance challenges of managing infrastructure as code at scale.

DEV Community

Why I Check for Hidden Processes Every Week on My Linux Servers (And You Should Too) | by Faruk Ahmed | Jun, 2025