Suspicious Processes

A Debian-first guide to reviewing abnormal processes, tracing what launched them, checking network activity, and responding safely.

What this is

Suspicious processes are running programs that do not fit your normal system behavior, appear under unusual names, consume unexpected resources, execute from odd locations, or maintain unexplained network connections.

In many cases, suspicious processes are one of the earliest visible signs that something went wrong.

What it looks like

Detect

List running processes in a readable format

ps aux --sort=-%cpu | head -n 25

Review the process tree

ps auxf

A suspicious shell or script often makes more sense when you see what launched it.

Check what is listening or connected

sudo ss -tulnp
sudo ss -tpn

This helps correlate processes with ports and active connections.

Find processes running from unusual locations

ps aux | grep -E "/tmp|/dev/shm|/var/tmp|/home/" | grep -v grep

The trailing grep -v grep drops the grep command itself, which would otherwise match its own pattern.

Inspect the executable path of a suspicious PID

sudo readlink -f /proc/<PID>/exe
sudo ls -lah /proc/<PID>/cwd
sudo tr '\0' ' ' < /proc/<PID>/cmdline; echo

If the exe link ends in "(deleted)", the binary was removed from disk after it started; the running image can still be read from /proc/<PID>/exe for hashing.
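As an added example that is not part of the original guide, the script below walks /proc directly instead of grepping ps output, so it never matches its own command line, and it also flags binaries unlinked after launch. The directory list and the "(deleted)" check are assumptions drawn from the checks above.

```shell
#!/bin/sh
# Added example: find processes whose executable lives in a world-writable
# staging directory, or whose binary was deleted after it started.

# Directories the guide treats as unusual locations for executables.
SUSPECT_DIRS="/tmp /dev/shm /var/tmp"

# Return 0 (true) when an exe path deserves a closer look.
is_suspicious_exe() {
    local exe="$1" dir
    case "$exe" in
        *" (deleted)") return 0 ;;      # binary removed after start
    esac
    for dir in $SUSPECT_DIRS; do
        case "$exe" in
            "$dir"/*) return 0 ;;       # runs from a staging directory
        esac
    done
    return 1
}

# Print one tab-separated line per flagged process:
# PID, owner, exe, cwd, command line. Entries we cannot read are skipped,
# so run it with sudo to cover processes owned by other users.
scan_procs() {
    local pid exe cwd user cmd
    for pid in /proc/[0-9]*; do
        pid=${pid#/proc/}
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        is_suspicious_exe "$exe" || continue
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
        user=$(stat -c %U "/proc/$pid" 2>/dev/null)
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$user" "$exe" "$cwd" "$cmd"
    done
    return 0
}

scan_procs
```

Feed the output to the hashing and persistence checks further down; the PID column is what you pass to /proc/<PID>/exe.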

Contain

Block suspicious outbound traffic if needed

sudo ufw deny out to <IP_ADDRESS>

If a process is communicating with an untrusted endpoint, contain the network path before making deeper changes.

Stop a process carefully

sudo kill -TERM <PID>
sudo kill -KILL <PID>

Prefer TERM first. Use KILL only when necessary. Record the exe path, working directory, command line, and connections before stopping the process; once it exits, /proc no longer holds them.

Temporarily disable the launching service if applicable

sudo systemctl stop <service_name>
sudo systemctl disable <service_name>

Recover

Identify how the process started

ps auxf
sudo systemctl list-units --type=service --state=running
crontab -l
sudo crontab -l

Recovery means finding the source, not just killing the symptom.

Hash and inspect the executable

sha256sum /path/to/binary
file /path/to/binary
strings /path/to/binary | less

Check for persistence nearby

sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f
sudo find /etc/systemd /lib/systemd -type f | less

If the process was malicious or unexplained, review related accounts, startup paths, and recent file changes before assuming the system is clean.

Prevent

The best defense is reducing what can run, where it can run from, and how quickly you notice something abnormal.

Option 1 — Review running services regularly

sudo systemctl list-units --type=service --state=running

Option 2 — Watch temporary directories

sudo ls -lah /tmp
sudo ls -lah /dev/shm
sudo ls -lah /var/tmp

Option 3 — Minimize unnecessary software

sudo apt list --installed

Option 4 — Restrict exposed services

sudo ss -tulnp
sudo ufw status numbered

Option 5 — Review outbound connections

sudo ss -tpn

Optional Tools & Hosting

Manual process review should come first. Future recommendations may include options that make service visibility, alerting, or host isolation easier, but the core workflow remains command-driven and Debian-first.

Notes

Environment Note

All commands shown are based on Debian-based systems unless otherwise noted.