Identifying unusual processes on Linux involves monitoring system activity and analyzing process behavior. Here are some characteristics and examples of commands that can help you identify unusual processes:
High CPU or Memory Usage
The top command can help you check which processes are consuming the most CPU:
top
This displays an interactive, real-time system monitoring screen. By default, processes are sorted by CPU usage. You can also press 1 to show individual CPU cores. Press q to exit.
top - 14:27:45 up 1 day, 3:45, 2 users, load average: 0.25, 0.30, 0.28
Tasks: 210 total, 1 running, 209 sleeping, 0 stopped, 0 zombie
%Cpu(s): 2.0 us, 1.0 sy, 0.0 ni, 97.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
MiB Mem : 3957.3 total, 149.4 free, 2878.6 used, 929.2 buff/cache
MiB Swap: 2048.0 total, 1915.6 free, 132.4 used. 1005.9 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1653 user 20 0 2013252 254072 52512 S 2.3 6.3 0:14.45 firefox
2345 user 20 0 741828 58392 42504 S 1.0 1.5 0:05.21 gnome-terminal
1892 user 20 0 524964 45528 36708 S 0.7 1.1 0:03.98 nautilus
1423 root 20 0 178024 12940 9412 S 0.3 0.3 0:01.20 systemd-journal
1 root 20 0 181288 9640 6880 S 0.0 0.2 0:01.05 systemd
Processes with their memory usage
To list processes sorted by their memory usage, run:
ps aux --sort=-%mem
The output displays information about each process, including the user, process ID (PID), CPU usage (%CPU), memory usage (%MEM), virtual memory size (VSZ), resident set size (RSS), terminal (TTY), process status (STAT), start time, and the command being executed. The list is sorted by the percentage of memory used, in descending order (--sort=-%mem). The specific values and processes will vary depending on your system and its current state.
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
user1 1234 0.0 4.2 2045672 86132 ? Ssl Feb11 0:10 firefox
user1 5678 0.1 3.5 1754680 71568 ? Sl Feb11 1:30 gnome-terminal
user2 9876 0.2 2.8 1356784 57240 pts/0 R+ Feb11 2:15 python3 script.py
root 4321 0.0 2.5 1203456 51236 ? Ssl Feb11 0:05 systemd
user1 1111 0.0 1.2 756432 24568 ? Sl Feb11 0:45 nautilus
user2 9999 0.1 0.8 498764 16832 pts/1 S+ Feb11 1:00 top
Long-Running Processes
Processes running for a prolonged duration may raise suspicion due to potential adverse effects on system resources, including increased CPU and memory usage. Long-running processes might indicate issues such as resource leaks, stalled states, or security concerns.
While some processes, like system daemons or servers, are intended to run continuously, monitoring for unexpected or excessively long-running processes is crucial. Such processes could result from bugs, memory leaks, or malicious activities attempting to remain undetected.
You can combine pgrep and ps to find processes matching specific criteria, such as those that have been running the longest. Here pgrep supplies the list of PIDs and ps prints each process's elapsed time (etime, and etimes in seconds), sorted with the oldest process first:
ps -o pid,user,etime,etimes,comm --sort=-etimes -p "$(pgrep -d, .)"
Compare the oldest entries against the daemons you expect to run for the whole uptime; anything else near the top of the list deserves a closer look.
Uncommon Network Connections
To check if a process is facilitating background file transfer to a remote machine, you can use a combination of commands and tools to inspect network connections, identify active processes, and review file transfer-related activities. Here are some steps you can take:
Check Network Connections
Use the netstat command to inspect active network connections. Look for connections to the remote machine and note the associated processes.
netstat -tunp
The -t option shows TCP connections and -u shows UDP connections; -n prints numeric addresses instead of resolving names, and -p shows the PID and name of the process owning each socket (you need root to see other users' processes). The -l option would restrict the output to listening sockets only, so it is omitted here; add -a to see both listening and established sockets. Examine the list to identify any connections involving the remote machine and note the associated PID.
Use lsof to Identify Open Files
The lsof command can provide information about open files, including network connections. Check for open files related to the remote machine:
lsof -i | grep <remote_ip_address>
Replace <remote_ip_address> with the actual IP address of the remote machine. This will show open files related to network connections with the specified IP.
Monitor Network Traffic
Tools like iftop, nload, or tcpdump can be used to monitor network traffic in real time. Look for patterns of data transfer and identify any suspicious or unexpected connections.
iftop
or
nload
Check Process Details
Examine detailed information about a specific process using the ps command. Identify the process by the PID obtained from the network connection analysis.
ps -fp <pid>
Replace <pid> with the actual PID of the process. This will show detailed information about the process, including its parent PID, start time, and the full command line being executed.
Inspect Running Services
Check the list of running services on your system to identify any file transfer-related services. You can use the systemctl command or check the configuration files in /etc/systemd/system/ for background services.
systemctl list-units --type=service
Unknown or Suspicious Files
List open files and their associated processes:
lsof
The output can be extensive and may include open network connections, files, directories, and more. Below is a simplified example of what the lsof output might look like:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 8,1 4096 2 /
systemd 123 root mem REG 8,1 123456 789012 /lib/x86_64-linux-gnu/libc.so.6
sshd 456 user cwd DIR 8,1 4096 123456 /home/user
sshd 456 user txt REG 8,1 9876543 123457 /usr/sbin/sshd
...
Here’s a breakdown of the columns:
- COMMAND: The name of the command or process.
- PID: Process ID.
- USER: The user associated with the process.
- FD: File descriptor.
- TYPE: Type of file (e.g., REG for regular file, DIR for directory).
- DEVICE: Device number.
- SIZE/OFF: Size or offset, depending on the file type.
- NODE: Inode number for the file or directory.
- NAME: The name of the file or directory.
Unusual File Activity
Monitor file system activity:
inotifywatch -r /path/to/directory
Unexpected Listening Ports
Check open ports and associated processes:
netstat -tulpn
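As an added example that is not part of the original article, the following script applies the checks from the Uncommon Network Connections and Unexpected Listening Ports sections to one netstat -tunap snapshot (-a adds the listening sockets to the established ones). The expected-port list, the known-host list and the sample netstat lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: triage one netstat snapshot.
# Live use:  netstat -tunap | triage_netstat
# The snapshot below is constructed (documentation addresses) so it runs offline.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 456/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 812/cupsd
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 7777/kworker
tcp 0 0 10.0.0.5:51234 203.0.113.9:443 ESTABLISHED 1653/firefox
tcp 0 0 10.0.0.5:51300 198.51.100.7:22 ESTABLISHED 7777/kworker
udp 0 0 0.0.0.0:68 0.0.0.0:* 901/dhclient'

EXPECTED_PORTS='22 68 631'   # ports this host should be listening on (assumed)
KNOWN_HOSTS='203.0.113.9'    # remote addresses known to be legitimate (assumed)

# triage_netstat reads netstat lines on stdin and prints one finding per line:
#  unexpected listener  a LISTEN (or UDP) socket on a port not in EXPECTED_PORTS
#  unknown remote       an ESTABLISHED connection to a host not in KNOWN_HOSTS
triage_netstat() {
  awk -v ports="$EXPECTED_PORTS" -v hosts="$KNOWN_HOSTS" '
    BEGIN {
      n = split(ports, p, " "); for (i = 1; i <= n; i++) okport[p[i]] = 1
      n = split(hosts, h, " "); for (i = 1; i <= n; i++) okhost[h[i]] = 1
    }
    $1 !~ /^(tcp|udp)/ { next }          # skip the banner and header lines
    {
      proto = $1; laddr = $4; raddr = $5
      # UDP sockets have no State column, so the program name shifts left
      if (NF >= 7) { state = $6; prog = $7 } else { state = "LISTEN"; prog = $6 }
      lport = laddr; sub(/.*:/, "", lport)      # text after the last colon
      rhost = raddr; sub(/:[^:]*$/, "", rhost)  # text before the last colon
      if (state == "LISTEN" && !(lport in okport))
        printf "unexpected listener %s port=%s prog=%s\n", proto, lport, prog
      if (state == "ESTABLISHED" && !(rhost in okhost))
        printf "unknown remote %s -> %s prog=%s\n", laddr, raddr, prog
    }'
}

# Run the checks over the embedded snapshot.
triage_netstat_sample() {
  printf '%s\n' "$SAMPLE_NETSTAT" | triage_netstat
}

triage_netstat_sample
```

The same PID showing up both as an unexpected listener and with an unknown remote connection is the kind of overlap worth correlating with the ps checks in the rest of this article.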
Analyze Process Tree
View process hierarchy to identify parent-child relationships:
pstree
Monitor Process Changes
Use auditd to monitor system calls and changes to files. The -k option attaches a key to the watch rule so that matching events can later be retrieved with ausearch:
auditctl -w /path/to/directory -p rwxa -k watch_directory_changes
ausearch -k watch_directory_changes
Unusual User or Group Ownership
Check processes owned by a specific user:
ps -u username
Abnormal Process Priority
The term “Abnormal Process Priority” typically refers to a situation where a process has an unusual or unexpected priority level assigned to it. In the context of operating systems, process priority determines the order in which processes are scheduled to run by the system’s scheduler. Lower-priority processes may receive fewer CPU resources compared to higher-priority ones.
A process priority level is usually represented by a numerical value, with lower numbers indicating higher priority. For example, on Unix-like systems, the nice command is often used to adjust a process's priority. A lower nice value corresponds to a higher priority. On Windows, process priority is often expressed as one of the following values: Realtime, High, Above Normal, Normal, Below Normal, and Low.
The following command lists processes with their nice value (NI) and priority (PRI), sorted by nice value in descending order, so the negative (highest-priority) values appear last. Look for processes with unexpected nice values:
ps -eo pid,user,ni,pri,comm --sort=-ni
Look for Suspicious Process Names
Inspect running processes for unusual names:
ps aux | grep -E 'suspicious_name'
Check for Zombie Processes
Zombie processes are a phenomenon in Unix-like operating systems where a child process has completed its execution, but its entry in the process table has not been removed. This state occurs during the time between a child process terminating and its parent process collecting its exit status. Zombie processes typically consume very few system resources, but their presence can indicate potential issues in the management of processes.
You can check for zombie processes with the following command, which prints only the processes whose state (STAT) begins with Z, together with the parent PID (PPID) that has not yet collected the child's exit status:
ps -eo pid,ppid,user,stat,comm | awk '$4 ~ /^Z/'
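As an added example that is not part of the original article, the following script applies the long-running, abnormal-priority and zombie checks from the sections above to a single ps snapshot. The daemon allowlist, the 24-hour threshold and the sample ps lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: triage one `ps` snapshot.
# Live use:  ps -eo pid,ppid,user,stat,etimes,ni,comm --no-headers | triage_ps
# The snapshot below is constructed so the script runs offline.
SAMPLE_PS='1 0 root Ss 93600 0 systemd
456 1 root Ss 93500 0 sshd
2345 456 user Ss 84000 0 bash
7777 1 user R 200000 -15 kworker
8888 2345 user Z 120 0 sleep
9999 1 user S 600 0 firefox'

# Commands expected to run for the whole uptime (assumed allowlist).
ALLOWLIST='systemd sshd bash'
# Longest elapsed time (seconds) tolerated for anything else (assumed: 24h).
MAX_AGE=86400

# triage_ps reads ps lines on stdin and prints one finding per line:
#  zombie       STAT begins with Z; the parent PID is reported because it
#               is the process that failed to reap the child
#  long-running elapsed time above MAX_AGE for a command not allowlisted
#  priority     negative nice value on a process not owned by root
triage_ps() {
  awk -v allow="$ALLOWLIST" -v max_age="$MAX_AGE" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      pid = $1; ppid = $2; user = $3; stat = $4; age = $5 + 0; ni = $6 + 0; cmd = $7
      if (stat ~ /^Z/)
        printf "zombie pid=%s comm=%s parent=%s\n", pid, cmd, ppid
      if (age > max_age && !(cmd in ok))
        printf "long-running pid=%s user=%s comm=%s etimes=%s\n", pid, user, cmd, age
      if (ni < 0 && user != "root")
        printf "priority pid=%s user=%s comm=%s nice=%s\n", pid, user, cmd, ni
    }'
}

# Run the checks over the embedded snapshot.
triage_sample() {
  printf '%s\n' "$SAMPLE_PS" | triage_ps
}

triage_sample
```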
It’s important to be cautious and investigate further if you notice any unusual processes. Regularly monitoring system activity and using security tools can help maintain a secure Linux environment.