Why I Check for Hidden Processes Every Week on My Linux Servers (And You Should Too)
Intro: You trust your server. But can you trust every process running on it? I learned the hard way that even clean installs and limited users aren’t guarantees. Malware, crypto miners, or unauthorized scripts can hide in plain sight — unless you know what to look for. Here’s why I make it a weekly habit to check for hidden or suspicious processes on all my Linux servers, and how you can too.
Why Legit Processes Aren’t Always Innocent
Many attackers mask their malicious processes to look like system daemons (e.g., kworker, sshd). You may see them running—but if you don’t inspect their origin, you’ll miss the red flag.
Use ps + lsof to Catch Oddities
ps aux --sort=-%cpu | head
Look for processes using unusual CPU or memory patterns.
Then trace them:
lsof -p <PID>
Check if the files or directories look suspicious (e.g., running from /tmp or /dev/shm).
Compare With What You Expect
Create a baseline on a clean system using:
ps -eo comm | sort | uniq > baseline_processes.txt
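The two checks above (diff the running process names against a clean baseline, then look at where each binary actually lives) as a small script. This is an added example, not code from the original article; the sample data is constructed, and the function names are my own.

```shell
# Constructed stand-ins for `ps -eo comm | sort | uniq` on a clean install and
# on the server under review (one extra name is the only visible difference).
BASELINE_SAMPLE=$(printf 'bash\ncron\nkworker\nsshd\nsystemd')
CURRENT_SAMPLE=$(printf 'bash\ncron\nkworker\nsshd\nsystemd\nupdater')
# Constructed "<pid> <exe path>" lines, as readlink /proc/<pid>/exe would give
# them; pid 1337 is named kworker but runs from /dev/shm.
EXE_SAMPLE=$(printf '412 /usr/sbin/sshd\n1337 /dev/shm/.x/kworker\n2048 /tmp/.cache/updater\n2100 /usr/bin/bash')

# new_since_baseline BASELINE CURRENT: process names present now but absent
# from the clean baseline (both arguments are newline-separated name lists).
new_since_baseline() {
  { printf '%s\n' "$1"; echo '__END_OF_BASELINE__'; printf '%s\n' "$2"; } |
    awk '$0 == "__END_OF_BASELINE__" { past = 1; next }
         !past { seen[$0] = 1; next }
         !($0 in seen)' | sort -u
}

# flag_scratch_dir_exes: read "<pid> <exe path>" lines on stdin and print the
# ones whose binary lives in /tmp, /var/tmp or /dev/shm, or whose binary was
# unlinked after launch (readlink then appends " (deleted)" to the path).
flag_scratch_dir_exes() {
  awk '$2 ~ /^\/(tmp|var\/tmp|dev\/shm)\// || $NF == "(deleted)" { print }'
}

# live_exe_paths: real input for flag_scratch_dir_exes, taken from /proc. Run as
# root so other users' exe links resolve; genuine kernel threads (kworker etc.)
# have no exe link and are skipped, whereas a userland impostor does have one.
live_exe_paths() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    echo "${p#/proc/} $exe"
  done
}

# Weekly run on a real server: keep baseline_processes.txt from a clean
# install, then
#   new_since_baseline "$(cat baseline_processes.txt)" "$(ps -eo comm | sort | uniq)"
#   live_exe_paths | flag_scratch_dir_exes
# Demo on the constructed samples:
new_since_baseline "$BASELINE_SAMPLE" "$CURRENT_SAMPLE"     # updater
printf '%s\n' "$EXE_SAMPLE" | flag_scratch_dir_exes         # pids 1337 and 2048
```

The name diff alone would never flag the fake kworker, which is exactly why the second check on the binary's real path matters.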