
Master Linux Incident Response: Step‑by‑Step Virus Detection and Removal

This guide walks you through a complete Linux emergency response workflow—identifying suspicious behavior, terminating malicious processes, removing infected files, eliminating persistence mechanisms, hardening the system, and adding command auditing—using practical shell commands and examples.


Overview

Handling emergency response incidents on Linux can be challenging because Linux has no direct equivalents of Windows tools such as Autoruns or Process Explorer and does not have a unified response workflow. This article explains a Linux incident response process and provides the shell commands used at each stage to help you quickly and systematically handle Linux malware.

The response is divided into four stages: identify symptoms → remove the virus → close the loop → system hardening.

Identify Symptoms

First, detect abnormal host behavior through system status and security alerts to confirm suspicious activity.

Check CPU usage; high CPU (>70%) with a suspicious process name often indicates a mining virus.

List processes sorted by CPU:

top

Inspect process command lines:

ps aux

Look for unusual command‑line strings (e.g., URLs) that may indicate a downloader.

Security Gateway Alerts

Use gateway alerts to spot threats, then identify which process is communicating with C&C servers.

while true; do netstat -antp | grep [ip]; sleep 1; done

If the malicious entity is a domain whose IP keeps changing, add an entry to /etc/hosts that resolves the domain to a chosen unused (sinkhole) IP, then watch for connections to that IP to identify the process behind them.
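As an added example (not code from the original article), a small POSIX shell helper that does what the polling loop above does without the busy wait: it extracts the PID and program name of every process connected to a given address from `netstat -antp` output, and resolves what lies behind that PID via /proc, flagging a binary that has already been unlinked. The netstat sample is constructed, and the function names `pids_talking_to`, `watch_ip` and `describe_pid` are chosen here.

```shell
#!/bin/sh
# Constructed sample of `netstat -antp` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:43210          203.0.113.7:4444        ESTABLISHED 2311/kworkerds
tcp        0      0 10.0.0.5:43211          203.0.113.7:4444        SYN_SENT    2311/kworkerds
tcp        0      0 10.0.0.5:35522          198.51.100.2:443        ESTABLISHED 4012/curl'

# pids_talking_to IP NETSTAT_OUTPUT
# Prints one "PID program" line per distinct process with a connection to IP.
# The trailing :port is stripped so IPv6 foreign addresses work too; rows whose
# PID column is "-" (other users' sockets, not readable without root) are skipped.
pids_talking_to() {
  printf '%s\n' "$2" | awk -v ip="$1" '
    NR > 1 {
      addr = $5; sub(/:[^:]*$/, "", addr)
      if (addr == ip && $7 ~ /^[0-9]+\//) {
        split($7, pp, "/")
        key = pp[1] " " pp[2]
        if (!(key in seen)) { seen[key] = 1; print key }
      }
    }'
}

# watch_ip IP [INTERVAL]: the article's polling loop with a pause between
# samples instead of a busy wait. Run as root to see every PID.
watch_ip() {
  while :; do
    pids_talking_to "$1" "$(netstat -antp 2>/dev/null)"
    sleep "${2:-1}"
  done
}

# describe_pid PID: resolve the binary behind a PID and flag the case where the
# file was already unlinked (the exe link ends in " (deleted)"): the sample must
# then be copied out of /proc before the process is killed. Linux only.
describe_pid() {
  exe=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo "pid $1: not running"; return 1; }
  case "$exe" in
    *' (deleted)') echo "pid $1: $exe  <- binary unlinked, copy /proc/$1/exe first" ;;
    *)             echo "pid $1: $exe" ;;
  esac
  tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null; echo
}

pids_talking_to 203.0.113.7 "$SAMPLE_NETSTAT"   # prints: 2311 kworkerds
```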

Suspicious History Commands

Search the host’s command history for malicious commands:

history

Remove Virus

Use the information gathered in the first stage to locate and terminate virus processes and delete infected files.

Terminate Virus Process

ps -elf | grep [pid]
kill -9 [pid]

Delete Virus Files

ls -al /proc/[pid]/exe
rm -f [exe_path]

If the link target ends in (deleted), the file has already been unlinked from disk but the running process still holds it; copy /proc/[pid]/exe elsewhere for analysis before terminating the process, because the link disappears with it.

Close Loop (Persistence Removal)

Linux malware has fewer persistence methods than Windows malware, but they include scheduled tasks, malicious services, hijacked system files, and daemon processes.

Check Suspicious Cron Jobs

crontab -l

This lists only the invoking user's jobs; also review the system-wide entries in /etc/crontab and /etc/cron.d, and check the crontabs of any other accounts the malware may have used.

View anacron tasks:

cat /etc/anacrontab

Check Suspicious Services

service --status-all

Search for modified system binaries in the last 7 days:

find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 -exec ls -la {} +

Inspect potential daemon processes:

lsof -p [pid]

Scan for Malicious Drivers

lsmod

Use chkrootkit and rkhunter for rootkit detection. Because a rootkit can tamper with the on-host binaries these tools call, run them from a trusted copy of the system utilities where possible:

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.52
make sense
./chkrootkit

wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
tar zxvf rkhunter-1.4.4.tar.gz
cd rkhunter-1.4.4
./installer.sh --install
rkhunter -c

Command Auditing

Enhance history logging with IP address, timestamp, and user information. First raise the history size in /etc/profile:

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

Then append the following to /etc/profile so that each recorded command carries the date, time, source IP (or the hostname for local logins) and user, and history is written after every command rather than only at logout. Note that shopt is bash-specific, and that a user with shell access can still clear their own history, so this is an audit aid rather than tamper-proof logging:

USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]; then
  USER_IP=$(hostname)
fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
shopt -s histappend
export PROMPT_COMMAND="history -a"

Reload the profile to apply it to the current session:

source /etc/profile

Patch Common Web Vulnerabilities

Apply patches for known RCE vulnerabilities such as Struts2, ThinkPHP5, Redis unauthorized access, Confluence (CVE‑2019‑3396), Drupal (CVE‑2018‑7600), and ThinkPHP (CVE‑2019‑9082).

Conclusion

Linux malware mainly consists of botnet worms and mining viruses. Because Linux servers are often exposed to the Internet and web applications have frequent vulnerabilities, large‑scale infections are common (e.g., DDG, systemdMiner, BillGates, watchdogs, XorDDos). Adopt strong passwords, regularly patch systems, and follow the steps above to detect, eradicate, and prevent future infections.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
