How to Analyze Unusual Processes in Linux Systems?

Where necessary, you may need to have access to a VPS server so you can follow how to implement the steps in this article.  You can get a cheaper VPS Server from Contabo with 4vCPU cores, 8GM RAM, and 32TB Bandwidth for less than $5.50 per month. Get this deal here now

Table of Contents

Cloud VPS S

$5.50 Monthly
  • 4 vCPU Cores | 8GB RAM


$15.50 Monthly
  • 6 vCPU Cores | 16GB RAM


$17.50 Monthly
  • 8 vCPU Cores | 24GB RAM

Identifying unusual processes on Linux involves monitoring system activity and analyzing process behavior. Here are some characteristics and examples of commands that can help you identify unusual processes:

High CPU or Memory Usage

The top command can help you to check processes consuming high CPU usage:


This will display an interactive real-time system monitoring screen. By default, processes are sorted by CPU usage. You can also press 1 to show individual CPU cores. Press q to exit.

top - 14:27:45 up 1 day,  3:45,  2 users,  load average: 0.25, 0.30, 0.28
Tasks: 210 total,   1 running, 209 sleeping,   0 stopped,   0 zombie
%Cpu(s):  2.0 us,  1.0 sy,  0.0 ni, 97.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :   3957.3 total,    149.4 free,   2878.6 used,    929.2 buff/cache
MiB Swap:   2048.0 total,   1915.6 free,    132.4 used.   1005.9 avail Mem

 1653 user      20   0 2013252 254072  52512 S   2.3   6.3   0:14.45 firefox
 2345 user      20   0  741828  58392  42504 S   1.0   1.5   0:05.21 gnome-terminal
 1892 user      20   0  524964  45528  36708 S   0.7   1.1   0:03.98 nautilus
 1423 root      20   0  178024  12940   9412 S   0.3   0.3   0:01.20 systemd-journal
 1     root      20   0  181288   9640   6880 S   0.0   0.2   0:01.05 systemd

Processes with their memory usage

To list processes and their memory usage here is the command you can run:

ps aux --sort=-%mem

The output of the above command displays information about each process, including the user, process ID (PID), CPU usage (%CPU), memory usage (%MEM), virtual memory size (VSZ), resident set size (RSS), terminal (TTY), process status (STAT), start time, and the command being executed. The list is sorted based on the percentage of memory used in descending order (--sort=-%mem). The specific values and processes will vary depending on your system and its current state.

user1     1234  0.0  4.2 2045672 86132 ?       Ssl  Feb11   0:10 firefox
user1     5678  0.1  3.5 1754680 71568 ?       Sl   Feb11   1:30 gnome-terminal
user2     9876  0.2  2.8 1356784 57240 pts/0   R+   Feb11   2:15 python3
root      4321  0.0  2.5 1203456 51236 ?       Ssl  Feb11   0:05 systemd
user1     1111  0.0  1.2  756432 24568 ?       Sl   Feb11   0:45 nautilus
user2     9999  0.1  0.8  498764 16832 pts/1   S+   Feb11   1:00 top

Long-Running Processes

Processes running for a prolonged duration may raise suspicion due to potential adverse effects on system resources, including increased CPU and memory usage. Long-running processes might indicate issues such as resource leaks, stalled states, or security concerns.

While some processes, like system daemons or servers, are intended to run continuously, monitoring for unexpected or excessively long-running processes is crucial. Such processes could result from bugs, memory leaks, or malicious activities attempting to remain undetected.

You can combine pgrep and ps commands to find processes matching specific criteria, such as those running for a long time

pgrep -fl ".+" | xargs ps -p

Uncommon Network Connections

To check if a process is facilitating background file transfer to a remote machine, you can use a combination of commands and tools to inspect network connections, identify active processes, and review file transfer-related activities. Here are some steps you can take:

Check Network Connections

Use the netstat command to inspect active network connections. Look for connections to the remote machine and note the associated processes.

netstat -tulpn

The -t option shows TCP connections, and -u shows UDP connections. Examine the list to identify any connections involving the remote machine and note the associated PID.

Use lsof to Identify Open Files

The lsof command can provide information about open files, including network connections. Check for open files related to the remote machine:

lsof -i | grep <remote_ip_address>

Replace <remote_ip_address> with the actual IP address of the remote machine. This will show open files related to network connections with the specified IP.

Monitor Network Traffic

Tools like iftop, nload, or tcpdump can be used to monitor network traffic in real time. Look for patterns of data transfer and identify any suspicious or unexpected connections.




Check Process Details

Examine detailed information about a specific process using the ps command. Identify the process by its PID obtained from the network connection analysis.

ps aux | grep <pid>

Replace <pid> with the actual PID of the process. This will show detailed information about the process, including the command being executed.

Inspect Running Services

Check the list of running services on your system to identify any file transfer-related services. You can use the systemctl command or check the configuration files in /etc/systemd/system/ for background services.

systemctl list-units --type=service

Unknown or Suspicious Files

List open files and their associated processes:


The output can be extensive and may include open network connections, files, directories, and more. Below is a simplified example of what the lsof command output might look like this:

init      1      root  cwd       DIR                8,1     4096       2 /
systemd   123    root  mem       REG                8,1    123456  789012 /lib/x86_64-linux-gnu/
sshd     456    user  cwd       DIR                8,1     4096  123456 /home/user
sshd     456    user  txt       REG                8,1   9876543  123457 /usr/sbin/sshd

Here’s a breakdown of the columns:

  • COMMAND: The name of the command or process.
  • PID: Process ID.
  • USER: The user associated with the process.
  • FD: File descriptor.
  • TYPE: Type of file (e.g., REG for regular file, DIR for directory).
  • DEVICE: Device number.
  • SIZE/OFF: Size or offset, depending on the file type.
  • NODE: Inode number for the file or directory.
  • NAME: The name of the file or directory.

Unusual File Activity

Monitor file system activity:

inotifywatch -r /path/to/directory

Unexpected Listening Ports

Check open ports and associated processes:

netstat -tulpn

Analyze Process Tree

View process hierarchy to identify parent-child relationships:


Monitor Process Changes

Use auditd to monitor system calls and changes to files

auditctl -w /path/to/directory -p rwxa
ausearch -k watch_directory_changes

Unusual User or Group Ownership

Check processes owned by a specific user

ps -u username

Abnormal Process Priority

The term “Abnormal Process Priority” typically refers to a situation where a process has an unusual or unexpected priority level assigned to it. In the context of operating systems, process priority determines the order in which processes are scheduled to run by the system’s scheduler. Lower-priority processes may receive fewer CPU resources compared to higher-priority ones.

A process priority level is usually represented by a numerical value, with lower numbers indicating higher priority. For example, on Unix-like systems, the nice command is often used to adjust a process’s priority. A lower nice value corresponds to a higher priority. On Windows, process priority is often expressed as one of the following values: Realtime, High, Above Normal, Normal, Below Normal, and Low.

The following command lists processes sorted by the nice value in descending order. Look for processes with unexpected nice values:

ps aux --sort=-nice

Look for Suspicious Process Names

Inspect running processes for unusual names:

ps aux | grep -E 'suspicious_name'

Check for Zombie Processes

Zombie processes are a phenomenon in Unix-like operating systems where a child process has completed its execution, but its entry in the process table has not been removed. This state occurs during the time between a child process terminating and its parent process collecting its exit status. Zombie processes typically consume very few system resources, but their presence can indicate potential issues in the management of processes.

You can check for zombie processes using the following command:

ps aux | grep 'Z'

It’s important to be cautious and investigate further if you notice any unusual processes. Regularly monitoring system activity and using security tools can help maintain a secure Linux environment.

Hire us to handle what you want

Hire us through our Fiverr Profile and leave all the complicated & technical stuff to us. Here are some of the things we can do for you:

  • Website migration, troubleshooting, and maintenance.
  • Server & application deployment, scaling, troubleshooting, and maintenance
  • Deployment of Kubernetes, Docker, Cloudron, Ant Media, Apache, Nginx,  OpenVPN, cPanel, WHMCS, WordPress, and more
  • Everything you need on AWS, IBM Cloud, GCP, Azure, Oracle Cloud, Alibaba Cloud, Linode, Contabo, DigitalOcean, Ionos, Vultr, GoDaddy, HostGator, Namecheap, DreamHost, and more.

We will design, configure, deploy, or troubleshoot anything you want. Starting from $10, we will get your job done in the shortest time possible. Your payment is safe with Fiverr as we will only be paid once your project is completed.