Master Linux Incident Response: Detect, Remove, and Harden Malware Step‑by‑Step

Linux incident response is more challenging than Windows because it lacks built‑in tools; this article outlines a four‑stage process—identifying anomalies, removing the malware, closing persistence, and hardening the system—providing concrete shell commands for each step.

01 Identify Symptoms

Begin with abnormal host behavior, check CPU usage, enumerate processes, and examine command lines to spot suspicious activity. Review security‑gateway alerts for malicious IPs or domains. top Sort processes by CPU usage (descending) to find high‑load, suspicious names, often indicating mining malware. ps -aux Search for unusual command‑line strings that may contain downloader URLs. netstat -antp | grep [ip] When the gateway reports a domain, add a bogus entry to /etc/hosts to redirect it and monitor the associated process.

02 Remove Virus

Use the information gathered in the first stage to locate the malicious process and its executable file, then terminate and delete them.

ps -elf | grep [pid]
kill -9 [pid]

ls -al /proc/[pid]/exe
rm -f [exe_path]

03 Close Loop (Persistence Removal)

Check for suspicious scheduled tasks, services, and system files that may resurrect the malware.

crontab -l

cat /etc/anacrontab

service --status-all

Search for recently modified binaries (within 7 days) to detect hijacked files.

find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 | xargs ls -la

Inspect open files and system calls of suspicious processes.

lsof -p [pid]

strace -tt -T -e trace=all -p $pid

Scan for rootkits and hidden drivers using chkrootkit and rkhunter.

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
 tar zxvf chkrootkit.tar.gz
 cd chkrootkit-0.52
 make sense
 ./chkrootkit

wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
 tar -zxvf rkhunter-1.4.4.tar.gz
 cd rkhunter-1.4.4
 ./installer.sh --install
 rkhunter -c

04 System Hardening

Patch common web vulnerabilities and strengthen SSH authentication.

grep "Accepted " /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'

grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | uniq -c

Increase command‑history size and record execution timestamps with source IP.

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then USER_IP=`hostname`; fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
source /etc/profile

Apply patches for known web exploits such as structs2 RCE, ThinkPHP 5.x RCE, Redis unauthorized access, Confluence CVE‑2019‑3396, Drupal CVE‑2018‑7600, and ThinkPHP CVE‑2019‑9082.

Linux servers are frequently targeted by botnet worms and cryptomining malware; maintaining strong passwords, regular patching, and the above response workflow are essential to mitigate these threats.