Linux, Nagios, Plesk, WordPress

How to Find Malicious File Running on Linux Server

If you receive the alert below from Nagios, there is usually a malicious file running on the server (the three numbers are the 1, 5 and 15 minute load averages).

SIT-LIN-SHARED:nitrogen
LOAD AVERAGE CRITICAL : 43.78,42.52,37.25

Below are the steps to find and stop those files.

1. Log in to the affected server using SSH.

2. Run top with full command lines, then sort by CPU:

# top -c (then press Shift+P to sort by %CPU)

3. Note the user whose processes have the highest %CPU. With -c, top shows the full command line, which often already includes the path of the script.
4. List that user's processes to find the rough location of the script:

# ps aux | grep <user>

If the command line shows no path (for example a renamed binary started as ./x86_64), check where the process runs from and which binary it is: ls -l /proc/<PID>/cwd /proc/<PID>/exe. An exe link marked "(deleted)" means the dropper removed itself from disk after starting.

5. From the path you will find the domain whose vhost directory contains the running malicious script (on Plesk, typically under /var/www/vhosts/<domain>/).

6. Change to that directory.
7. Usually the attacker injects code into index.php, wp-config.php, or a file with an odd or misspelled name (for example a hidden .php file under wp-content/uploads/). Obfuscated blocks using eval(), base64_decode(), gzinflate() or str_rot13() are the usual sign.
8. Open those files and inspect the injected script.

9. Go to https://www.unphp.net/ and paste the obfuscated script; the decoded output shows what it does, including the paths of any files it writes, includes or executes. Strip database credentials and other secrets (wp-config.php contains them) before pasting anything into a third-party site.

10. Kill the running process (kill -9 <PID>) and then chmod 000 the file so the web server cannot load it again. chmod alone does not stop a process that is already running.
11. Clean the injected file by removing the malicious script, or restore it from a known-good copy.
12. Recheck using step 2 to confirm the load has dropped and the process has not come back.
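The whole procedure above, as a small triage script. This is an added example, not code from the original post; it assumes Plesk-style web roots under /var/www/vhosts/<domain>/, GNU ps/awk/find, and a Linux /proc filesystem for proc_origin. The ps output and the WordPress-like directory tree it runs on are constructed for the example, and the obfuscation markers in scan_php are heuristics that also hit some legitimate plugins, so review its hits by hand.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: Plesk vhost roots
# under /var/www/vhosts/<domain>/, GNU ps/awk/find, Linux /proc for proc_origin.

# Constructed output of:  ps -eo pid,user,%cpu,args --sort=-%cpu
SAMPLE_PS='  PID USER     %CPU COMMAND
 2871 apache   97.3 /usr/bin/php -q /var/www/vhosts/example.com/httpdocs/wp-content/uploads/.cache.php
 2902 apache   96.8 ./x86_64 -o pool.example.invalid:3333 -u worker1
 1200 mysql     1.2 /usr/sbin/mysqld
  914 root      0.0 /usr/sbin/sshd -D'

# Step 3: the user owning the single hottest process (ps output on stdin).
top_cpu_user() {
    awk 'BEGIN { max = -1 } NR > 1 && $3 + 0 > max { max = $3 + 0; user = $2 } END { print user }'
}

# Steps 4-5: PIDs whose command line points into a vhost directory, or that
# run a binary from a relative path (./x86_64), which is how dropped miners
# and backdoors usually show up.
suspicious_procs() {
    awk 'NR > 1 && ($0 ~ /\/var\/www\/vhosts\// || $4 ~ /^\.\//) { print $1 }'
}

# Step 5: pull the domain out of a vhost path found in a command line.
domain_from_path() {
    printf '%s\n' "$1" | sed -n 's#.*/var/www/vhosts/\([^/]*\)/.*#\1#p'
}

# For processes with no path in their command line: where it runs from and
# which binary it is. "(deleted)" on exe means the dropper removed itself.
proc_origin() {
    pid=$1
    printf 'pid=%s cwd=%s exe=%s\n' "$pid" \
        "$(readlink "/proc/$pid/cwd")" "$(readlink "/proc/$pid/exe")"
}

# Steps 7-8: PHP files under a web root carrying typical obfuscation markers.
scan_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|assert\(' {} +
}

# Step 10: chmod 000 stops the web server from loading the file again, but it
# does not stop a process that is already running, so kill the PID as well.
neutralize() {
    pid=$1; file=$2
    if kill -0 "$pid" 2>/dev/null; then
        kill -KILL "$pid"
    fi
    chmod 000 "$file"
}

# Constructed WordPress-like tree with one clean and one injected file.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php\n// clean file\necho "hello";\n' > "$d/index.php"
    printf '<?php\n$c="...";\neval(base64_decode($c));\n' > "$d/wp-content/uploads/.cache.php"
    printf '%s\n' "$d"
}

# Demo run on the constructed data.
printf 'hottest user: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | top_cpu_user)"
for pid in $(printf '%s\n' "$SAMPLE_PS" | suspicious_procs); do
    cmd=$(printf '%s\n' "$SAMPLE_PS" | awk -v p="$pid" '$1 == p { $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, ""); print }')
    dom=$(domain_from_path "$cmd")
    printf 'suspicious pid %s: %s (domain: %s)\n' "$pid" "$cmd" "${dom:-none}"
done
site=$(make_sample_site)
printf 'injected files:\n%s\n' "$(scan_php "$site")"
rm -rf "$site"
```

On a real server, feed `ps -eo pid,user,%cpu,args --sort=-%cpu` into top_cpu_user and suspicious_procs, call proc_origin on each PID that shows no path, run scan_php on the vhost's httpdocs, and only then neutralize the PID and file you have confirmed.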
