Member-only story
What I Check First When a Linux Server Starts Acting Suspicious
--
Share
✍️ Full Blog Content:
Intro:
Your server’s acting strange — maybe it’s lagging, maybe you’re seeing weird logs, or users are locked out. Before panic sets in, there’s a checklist I run through that helps me figure out what’s happening — fast. These are the first 7 things I check when a Linux server smells even a little bit wrong.
1. Who’s Logged In (Right Now)
whow
✅ Look for:
- Users logged in that shouldn’t be
- Multiple logins from odd IPs
- Sessions active at strange hours
2. What Processes Are Running
ps aux --sort=-%cpu | head
✅ Watch for:
- Shells or binaries running from /tmp or /dev/shm
- Long-running scripts
- Unusual process names (misspelled system commands)
3. Any New Cron Jobs?
for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u $user 2>/dev/null; donels -l /etc/cron* /var/spool/cron
✅ Red flags:
- Jobs calling curl, wget, or base64
Top comments (0)