How I Spot a Suspicious Process on My Linux Server (Before It Does Damage) | by Faruk Ahmed | Jun, 2025
Faruk Ahmed (@cyberwebpen)

About: InfoSec Analyst | 10+ yrs in DLP, CrowdStrike, QRadar, Qualys, Linux Admin, WebLogic Admin | Python & Bash Enthusiast | Passionate about cybersecurity, automation, and continuous learning.

Publish Date: Jun 8


How I Spot a Suspicious Process on My Linux Server (Before It Does Damage)


One strange PID. One weird name. That’s all it takes for a compromise to start — silently.

Over the years, I’ve learned to read a process list like a detective. In this blog, I’ll share exactly what I look for when I suspect a Linux server is misbehaving — and how you can spot malicious processes before they take control.

🧠 Step 1: Always Check With ps, Not Just top

Why? Because top redraws its screen every few seconds, so a process that lives for a fraction of a second can come and go between refreshes, and you cannot pipe, grep or save what it shows. ps takes one snapshot that you can sort by any column, filter, and keep for later comparison. It is still a snapshot, so when you suspect something short-lived, run it a few times.

```bash
# Top CPU consumers, with owner, start time and full command line
ps aux --sort=-%cpu | head
# Top memory consumers, with the parent PID so you can see who spawned what
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem | head
```

✅ What I look for:

  • bash or sh running under unusual users (www-data, a database account, or any service account that should never have an interactive shell)
  • curl, wget or python spawned by a shell: the download-and-execute stage of most commodity compromises
  • Anything whose binary lives in /tmp, /var/tmp or /dev/shm: world-writable scratch space that no legitimate service should execute from. The exe link under /proc/PID names the real binary even when the command line has been rewritten, and carries a "(deleted)" suffix if the file was removed after launch.

🧪 Step 2: Look for Process Names That Try to Blend In

Attackers love hiding in plain sight. They’ll name things like:

  • [kworker/0:1] and other kernel-thread names. A genuine kernel thread is a child of kthreadd (PID 2), has an empty command line and no binary behind its /proc/PID/exe link; a "kworker" with an ordinary parent, a command line, or a resolvable executable is user-space code in disguise.
  • sshd (but fake). Compare the executable path with the real daemon's (/usr/sbin/sshd on most distributions). sshd's per-session children legitimately run as the logged-in user, so the owner alone is not enough; the path is.
  • cron (but not started by root). The real scheduler runs as root from /usr/sbin; a cron owned by another user, or running from anywhere else, is something that borrowed the name.
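
As an added example (this is not code from the original post), here is a shell script that applies the Step 1 and Step 2 checks to every entry in /proc. The function names, the reason labels, the kernel-thread name list, and the /usr/sbin path allow-list for sshd and cron are my assumptions; adjust them to your distribution.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a /proc walker that applies the
# Step 1 and Step 2 heuristics. Function names, reason labels and the path
# allow-list for sshd/cron are assumptions; tune them to your distribution.

# suspicious_reasons USER PID PPID PARENT_COMM COMM EXE CMDLINE
#   EXE is the target of /proc/PID/exe: empty for kernel threads, "?" if unreadable.
#   Prints one reason per matching heuristic; returns 0 if any matched, 1 if clean.
suspicious_reasons() {
  local user="$1" pid="$2" ppid="$3" pcomm="$4" comm="$5" exe="$6" cmdline="$7"
  local hits=0 n argv0="${cmdline%% *}"

  # Step 1: binary lives in a world-writable scratch directory, or was unlinked
  # after launch (droppers delete themselves; the kernel appends "(deleted)").
  case "$exe" in
    /tmp/*|/var/tmp/*|/dev/shm/*) echo "exe-in-scratch-dir:$exe"; hits=1 ;;
  esac
  case "$exe" in
    *'(deleted)') echo "exe-deleted:$exe"; hits=1 ;;
  esac

  # Step 1: a downloader or interpreter whose parent is a shell is the classic
  # "curl ... | sh" stage. An admin typing curl looks the same, so this is a lead.
  case "$pcomm" in
    sh|bash|dash|zsh)
      case "${argv0##*/}" in
        curl|wget|python|python2|python3|perl|nc|ncat)
          echo "downloader-under-shell:${argv0##*/}(parent=$pcomm,user=$user)"; hits=1 ;;
      esac ;;
  esac

  # Step 2: a genuine kernel thread is a child of kthreadd (PID 2), has an empty
  # command line and no executable behind /proc/PID/exe. Check both comm and
  # argv[0], since an attacker can rewrite either; strip the brackets ps adds.
  for n in "$comm" "$argv0"; do
    n=${n#\[}; n=${n%\]}
    case "$n" in
      kworker*|kthreadd|ksoftirqd*|migration*|rcu_*|kswapd*)
        if { [ "$ppid" != 2 ] && [ "$pid" != 2 ]; } || [ -n "$cmdline" ] \
           || { [ -n "$exe" ] && [ "$exe" != "?" ]; }; then
          echo "fake-kernel-thread:$n(ppid=$ppid,exe=${exe:-none})"; hits=1
        fi
        break ;;
    esac
  done

  # Step 2: sshd/cron impersonators. The real daemons live under /usr/sbin (or
  # /sbin). sshd's per-session children legitimately run as the logged-in user,
  # so the owner is a weak signal; the binary path is the one to trust.
  case "$comm" in
    sshd|cron|crond)
      case "$exe" in
        '?'|/usr/sbin/*|/sbin/*) ;;
        *) echo "daemon-name-wrong-path:$comm(exe=${exe:-none},user=$user)"; hits=1 ;;
      esac ;;
  esac

  [ "$hits" -eq 1 ]
}

# scan_proc: walk /proc and print one line per finding. Run as root: otherwise
# /proc/PID/exe of other users' processes is unreadable and is reported as "?".
scan_proc() {
  local d pid ppid pcomm comm exe cmdline user me
  me=$(id -u)
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    comm=$(cat "$d/comm" 2>/dev/null) || continue       # process already gone
    ppid=$(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null)
    user=$(stat -c %U "$d" 2>/dev/null || echo '?')
    pcomm=$(cat "/proc/$ppid/comm" 2>/dev/null || echo '?')
    cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null); cmdline=${cmdline% }
    exe=$(readlink "$d/exe" 2>/dev/null) || {
      # readlink fails for kernel threads (no binary) and, unless root, for other
      # users' processes; only the second case is genuinely unknown.
      if [ "$me" -eq 0 ] || [ "$ppid" = 2 ] || [ "$pid" = 2 ]; then exe=''; else exe='?'; fi
    }
    suspicious_reasons "$user" "$pid" "$ppid" "$pcomm" "$comm" "$exe" "$cmdline" \
      | while IFS= read -r reason; do
          printf 'pid=%s ppid=%s user=%s comm=%s %s\n' "$pid" "$ppid" "$user" "$comm" "$reason"
        done
  done
  return 0
}

# Hypothetical file name: when saved as procscan.sh and executed, scan the live system.
case "$0" in */procscan.sh|procscan.sh) scan_proc ;; esac
```

Run it as root, and treat the output as leads rather than verdicts: an administrator running curl from an interactive bash trips the downloader rule, while a hit on the kernel-thread or wrong-path rules is the one that deserves immediate follow-up. Running it on a known-good host first and diffing the two outputs removes most of the noise.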

👉 Read Full Blog on Medium Here
