Master Linux Incident Response: Detect, Remove, and Harden Malware Step‑by‑Step

This guide walks you through a complete Linux incident‑response workflow—identifying suspicious behavior, terminating malicious processes, eradicating virus files, closing persistence mechanisms, and hardening the system—while providing concrete shell commands and practical tips for each stage.


Overview

Linux incident response is often more challenging than Windows because it lacks built‑in tools like Autoruns or Process Explorer and has no standardized response workflow. This article outlines a four‑stage process: identify symptoms → remove the virus → close the loop (remove persistence) → harden the system.

Identify Symptoms

Start from observable host anomalies and look for suspicious behavior.

Check CPU Usage

List processes sorted by CPU usage:

top

Processes using more than 70% CPU and carrying suspicious names are likely mining malware.

Inspect Process Command Lines

Show full command lines (BSD syntax without the dash; `ps -aux` triggers a "bad syntax" warning on procps):

ps aux

Look for unusual strings such as URLs, which often indicate a downloader.

Security Gateway Alerts

Use gateway alerts to pinpoint the threat, then watch for the process that talks to the C&C address (the sleep keeps the loop from pegging a core):

while true; do netstat -antp | grep [ip]; sleep 1; done

If the threat uses a domain whose IP changes, pin that domain to a fixed IP with an entry in /etc/hosts and grep for that IP instead, so the process that connects to it can be caught.

Search Command History

Search the shell history for malicious commands:

history
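The CPU, command-line and connection checks above, combined into one triage pass as an added example (not code from the original article): for every process above a CPU threshold it prints the on-disk binary, the full argv, the working directory and established TCP sessions. It assumes a Linux host with /proc, procps `ps` and iproute2 `ss`.

```shell
#!/bin/sh
# Added triage helper, not from the original article. Assumes Linux /proc,
# procps ps and iproute2 ss. Run as root to see every process's exe link.

# CPU%, PID, user and command line for processes above the threshold (default 70).
high_cpu_procs() {
    ps -eo pcpu=,pid=,user=,args= --sort=-pcpu 2>/dev/null |
        awk -v t="${1:-70}" '$1 + 0 > t'
}

# On-disk binary behind a PID. readlink appends " (deleted)" when the file was
# unlinked after launch, a common dropper trick that plain ps never shows.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unreadable (need root?)"
}

# Full argv with the NUL separators turned into spaces; URLs here mean downloader.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# Established TCP sessions owned by the PID, for spotting C&C or mining-pool traffic.
proc_connections() {
    ss -tnp state established 2>/dev/null | grep -F "pid=$1,"
}

# One report block per high-CPU process; read everything before killing anything.
triage() {
    high_cpu_procs "${1:-70}" | while read -r cpu pid user _; do
        printf '\n=== PID %s (%s%% CPU, user %s) ===\n' "$pid" "$cpu" "$user"
        printf 'exe:     %s\n' "$(proc_exe "$pid")"
        printf 'cmdline: %s\n' "$(proc_cmdline "$pid")"
        printf 'cwd:     %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
        proc_connections "$pid" | sed 's/^/net:     /'
    done
}

triage "${1:-70}"
```

Invoke it as `sh triage.sh 50` to lower the threshold; an exe path ending in "(deleted)" or living under /tmp or /dev/shm is the first thing to preserve before termination.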

Remove the Virus

Terminate Malicious Processes

Confirm the process and its parent before killing it:

ps -elf | grep [pid]
kill -9 [pid]

Delete Virus Files

Find the executable path of the infected process and remove it:

ls -al /proc/[pid]/exe
rm -f [exe_path]
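The kill-and-delete step above loses the sample if the dropper already unlinked itself; this added example (not the article's own code) copies /proc/[pid]/exe and the process context to an evidence directory first, then terminates the process and removes the recorded file. It assumes Linux /proc and GNU coreutils (`sha256sum`); the evidence directory and PID are arguments.

```shell
#!/bin/sh
# Added example, not from the original article: preserve, then kill, then remove.
# Usage: sh remove.sh <pid> <evidence_dir>   (assumes Linux /proc, sha256sum)

# Copy /proc/<pid>/exe (still readable after the file was deleted from disk) plus
# argv, cwd, open fds and the parent PID; print the binary's SHA-256 for lookup.
preserve_evidence() {
    pid="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    readlink "/proc/$pid/exe" > "$dir/exe_path" 2>/dev/null
    cp "/proc/$pid/exe" "$dir/exe.bin" 2>/dev/null || return 1
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$dir/cmdline" 2>/dev/null
    readlink "/proc/$pid/cwd" > "$dir/cwd" 2>/dev/null
    ls -l "/proc/$pid/fd" > "$dir/fds" 2>/dev/null
    awk '/^PPid:/ {print $2}' "/proc/$pid/status" > "$dir/ppid" 2>/dev/null
    sha256sum "$dir/exe.bin" | cut -d' ' -f1 | tee "$dir/exe.sha256"
}

# True while the PID exists and is not a zombie waiting to be reaped.
alive() {
    [ -d "/proc/$1" ] && ! grep -q '^State:.*Z' "/proc/$1/status" 2>/dev/null
}

# TERM first, KILL if needed. "still running" afterwards means a watchdog or cron
# job respawns it, and the persistence checks are the real fix.
terminate() {
    pid="$1"
    kill -TERM "$pid" 2>/dev/null
    sleep 1
    if alive "$pid"; then kill -KILL "$pid" 2>/dev/null; sleep 1; fi
    if alive "$pid"; then echo "still running"; return 1; fi
    echo "terminated"
}

# Remove the file recorded by preserve_evidence, unless it was already unlinked
# or is a system binary (a trojanized one is restored from the package, not deleted).
remove_dropper() {
    path=$(cat "$1/exe_path" 2>/dev/null)
    case "$path" in
        ""|*" (deleted)") echo "no file to remove: $path"; return 0 ;;
        /bin/*|/usr/bin/*|/sbin/*|/usr/sbin/*) echo "refusing system path $path"; return 1 ;;
    esac
    rm -f -- "$path" && echo "removed $path"
}

if [ "$#" -eq 2 ]; then
    preserve_evidence "$1" "$2" && terminate "$1" && remove_dropper "$2"
fi
```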

Close the Loop (Persistence Removal)

Linux has fewer persistence mechanisms than Windows, but they still include scheduled tasks, services, modified binaries and hidden daemons.

Check Suspicious Cron Jobs

crontab -l
cat /etc/anacrontab

Inspect Services

service --status-all

Find Recently Modified Binaries

find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 | xargs ls -la

Detect Malicious Daemons

lsof -p [pid]
strace -tt -T -e trace=all -p [pid]

Scan for Malicious Drivers

lsmod

Install and run rootkit scanners (chkrootkit's build target is literally `make sense`):

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.52
make sense
./chkrootkit

wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
tar -zxvf rkhunter-1.4.4.tar.gz
cd rkhunter-1.4.4
./installer.sh --install
rkhunter -c
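The cron, service and modified-binary checks above cover one user's crontab and one week of changes; this added sweep (example code, not the article's own) generalizes them to every cron source, enabled systemd units plus recently changed unit files, the usual binary directories, and /etc/ld.so.preload, which user-space rootkits use to hide from ls and ps. It assumes a Linux host with GNU find/xargs and, optionally, systemd.

```shell
#!/bin/sh
# Added persistence sweep, not from the original article. Assumes GNU find/xargs;
# systemctl is used when present, otherwise the SysV service listing.

# Files under the given directories modified in the last N days.
recent_files() {
    n="$1"; shift
    find -H "$@" -xdev -type f -mtime "-$n" 2>/dev/null | xargs -r ls -la
}

# Every cron source, not just the caller's own crontab: system crontab, anacron,
# the drop-in directories and each user's spool file (comments and blanks stripped).
cron_survey() {
    for f in /etc/crontab /etc/anacrontab /etc/cron.d/* /etc/cron.hourly/* \
             /etc/cron.daily/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        printf '### %s\n' "$f"
        grep -Ev '^[[:space:]]*(#|$)' "$f"
    done
}

# Enabled units plus unit files changed in the last N days; a fresh unit whose
# ExecStart points into /tmp or /dev/shm is classic miner persistence.
service_survey() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl list-unit-files --state=enabled --no-legend 2>/dev/null
        recent_files "$1" /etc/systemd/system /usr/lib/systemd/system /etc/init.d
    else
        service --status-all 2>&1
    fi
}

# /etc/ld.so.preload injects a library into every dynamically linked process.
preload_check() {
    if [ -s /etc/ld.so.preload ]; then
        echo "WARNING: /etc/ld.so.preload is non-empty:"; cat /etc/ld.so.preload
        return 1
    fi
    echo "ld.so.preload: clean"
}

sweep() {
    days="${1:-7}"
    echo "== cron =="; cron_survey
    echo "== services =="; service_survey "$days"
    echo "== binaries modified in the last $days days =="
    recent_files "$days" /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
    echo "== preload =="; preload_check
}

sweep "$@"
```

Run it as root (`sh sweep.sh 7`) so the cron spool and unit directories are readable; compare the binary list against package-manager checksums (`rpm -Va` or `dpkg -V`) before deciding a change is malicious.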

SSH Weak‑Password Audit

List successful logins (on Debian/Ubuntu the file is /var/log/auth.log rather than /var/log/secure):

grep "Accepted " /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'

Identify brute‑force source IPs:

grep "Failed password" /var/log/secure | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -nr

Show the usernames tried in failed attempts (`uniq -c` only merges adjacent lines, so sort first):

grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}' | sort | uniq -c | sort -nr
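The three audit greps above, run over a constructed /var/log/secure excerpt as an added example (not the article's own code). The sample is built inline so the script runs offline; it assumes the CentOS/RHEL sshd log format and adds one check the greps alone do not give: source IPs that failed repeatedly and then logged in, which is the brute force that worked.

```shell
#!/bin/sh
# Added example, not from the original article: SSH weak-password audit over a
# constructed log excerpt. Assumes CentOS/RHEL sshd log lines (/var/log/secure).

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 10 03:12:01 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:12:05 web01 sshd[2104]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 03:12:09 web01 sshd[2107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:15:22 web01 sshd[2110]: Accepted password for root from 203.0.113.5 port 51300 ssh2
Jan 10 04:01:00 web01 sshd[2200]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
EOF

# Successful logins: date, time, user, source IP.
accepted_logins() {
    grep "Accepted " "$1" | awk '{print $1,$2,$3,$9,$11}'
}

# Failed attempts per source IP, most active first. The sort before uniq -c
# matters: unsorted, the interleaved 203.0.113.5 lines would count as 2 and 1.
failed_by_ip() {
    grep "Failed password" "$1" | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" |
        sort | uniq -c | sort -nr
}

# Usernames tried in failed attempts ("invalid user NAME" for unknown accounts).
failed_users() {
    sed -n 's/.*Failed password for \(.*\) from .*/\1/p' "$1" |
        sort | uniq -c | sort -nr
}

# Accepted logins from IPs with at least N failures: the login to investigate first.
successful_brute_force() {
    failed_by_ip "$1" | awk -v n="$2" '$1 >= n {print $2}' | while read -r ip; do
        accepted_logins "$1" | awk -v ip="$ip" '$5 == ip'
    done
}

echo "== accepted logins ==";              accepted_logins "$LOG"
echo "== failures by IP ==";               failed_by_ip "$LOG"
echo "== usernames tried ==";              failed_users "$LOG"
echo "== brute force that succeeded ==";   successful_brute_force "$LOG" 3
```

Point the functions at the real file (`failed_by_ip /var/log/secure`) on an incident host; IPs that appear in the last report are the ones whose sessions and cron entries need review.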

Add Command Auditing

Increase the history size and make every command line carry its timestamp, the client IP and the user. The exports have to live in /etc/profile (appended here with a heredoc) so that they apply to every login shell, not just the current one; the shopt line is guarded because /etc/profile is also read by plain sh:

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
cat >> /etc/profile <<'EOF'
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
[ -n "$BASH_VERSION" ] && shopt -s histappend
export PROMPT_COMMAND="history -a"
EOF
source /etc/profile

Patch Common Web Vulnerabilities

Apply patches for known exploits such as Struts2 RCE, ThinkPHP5 X‑RCE, Redis unauthorized access, Confluence CVE‑2019‑3396, Drupal CVE‑2018‑7600 and ThinkPHP CVE‑2019‑9082.

Conclusion

Linux malware primarily consists of botnet worms and mining trojans (e.g., DDG, systemdMiner, BillGates, watchdogs, XorDDos). Because Linux servers are often exposed to the Internet and web applications contain vulnerabilities, they are easy targets. Adopt strong passwords, regularly apply patches, and follow the outlined response workflow to mitigate infections.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)