Removing Bots & Malware

If you suspect your server has been compromised, follow this guide to track down, terminate, and remove malicious processes — for both Linux and Windows servers.

Act immediately. After cleanup, change all passwords right away and fix the root cause of the compromise — patch outdated software, replace weak passwords, and review which accounts were affected. The server is considered untrusted until the entry point has been identified and closed.

Linux Server

Step 1: Check for suspicious connections

Use netstat to find unusual open connections — watch for non-standard ports (e.g. 6667 / IRC) or processes with a SYN_SENT status masquerading as legitimate services like sshd:

Terminal
netstat -plant | grep 6667

Step 2: Identify the process path

Once you have the Process ID (PID) from the output, check the actual location of the executable in /proc:

Terminal
ls -l /proc/21394/exe

If the path points somewhere unexpected — like /usr/local/games/.bot/httpd instead of a real system binary — the process is malicious.

Step 3: Kill the process

Forcefully terminate the process using its PID:

Terminal
kill -9 21394

Step 4: Delete the malicious directory

Navigate to the parent directory and recursively delete the malicious folder — this ensures no recovery scripts remain:

Terminal
cd /usr/local/games
rm -rf .bot/
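The Linux steps above as one triage script, added here as an example and not part of the original guide. It assumes a list of trusted binary directories (TRUSTED_DIRS) that you should adjust to your system, and it needs root to read other users' /proc entries.

```shell
#!/bin/sh
# Added triage script for the Linux steps above (not part of the original guide).
# Run as root: /proc/<pid>/exe of other users' processes is unreadable otherwise.
set -u
# Directories a legitimate daemon binary is expected to live in (an assumption;
# extend it to match your distribution and locally installed software).
TRUSTED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/local/bin /usr/local/sbin /opt /snap"

# Step 2 check: true (0) when an executable path looks wrong, as in
# /usr/local/games/.bot/httpd: a hidden path component, a scratch or home
# directory, a binary deleted after it started, or anything outside TRUSTED_DIRS.
is_suspicious_path() {
    case "$1" in
        */.*)                                  return 0 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*|/home/*)  return 0 ;;
        *" (deleted)")                         return 0 ;;
    esac
    for d in $TRUSTED_DIRS; do
        case "$1" in "$d"/*) return 1 ;; esac
    done
    return 0
}

# Step 1: read `netstat -plant` output on stdin and print the PIDs that own a
# socket on the given port or sit in SYN_SENT (outbound attempts, typical of a
# bot reaching its controller). The PID is the number before '/' in the last
# column ("21394/sshd"); lines netstat could not attribute ("-") are skipped.
netstat_pids() {
    awk -v p=":$1" '$4 ~ (p "$") || $5 ~ (p "$") || $6 == "SYN_SENT" {
        split($NF, a, "/"); if (a[1] ~ /^[0-9]+$/) print a[1] }' | sort -u
}

# Steps 1+2 over the whole process table: resolve each PID's real binary via
# /proc and report the odd ones. Kill (step 3) and delete (step 4) after review.
scan_procs() {
    for exe in /proc/[0-9]*/exe; do
        pid=${exe#/proc/}; pid=${pid%/exe}
        target=$(readlink "$exe" 2>/dev/null) || continue   # kernel thread or no access
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        if is_suspicious_path "$target"; then
            printf 'SUSPICIOUS pid=%s comm=%s exe=%s\n' "$pid" "$comm" "$target"
        fi
    done
}

# Usage: ./triage.sh --scan [port]   (e.g. --scan 6667 for the IRC case above)
if [ "${1:-}" = "--scan" ]; then
    scan_procs
    [ -n "${2:-}" ] && netstat -plant 2>/dev/null | netstat_pids "$2"
fi
```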

Windows Server

Step 1: Find suspicious processes

Open Task Manager (Ctrl+Shift+Esc) → Details tab. Look for processes with unusually high CPU or memory usage, random-looking names, or processes running under an unexpected system user.

Step 2: Identify the process path

To get the full file path of a suspicious process, run the following in PowerShell — replace SuspectProcessName with the name from Task Manager:

PowerShell
Get-Process -Name "SuspectProcessName" | Select-Object Path

If the path points to Temp, AppData, or C:\ProgramData, the process is very likely malicious.

Step 3: Terminate the process

Stop the process via PowerShell using either the PID or the process name:

PowerShell
Stop-Process -Id 9876 -Force
Stop-Process -Name "SuspectProcessName" -Force

Step 4: Delete the file and run a scan

Delete the executable file identified in Step 2. Then run a full Offline Scan with Windows Defender to find and isolate all related components — the offline scan runs before Windows boots, so it can catch malware that hides during normal operation.

After Cleanup — Required Actions

Do not skip these steps:
Reset all passwords — immediately change the passwords for all accounts, especially root / Administrator and any user under which the malicious process was running.
Disable compromised accounts — disable all affected or unknown user accounts. On Linux: remove the x from the password field in /etc/passwd. On Windows: disable the account in User Management.
Install all updates — ensure the OS and all installed applications are fully patched to close known vulnerabilities.
Audit your server — review open ports, running services, cron jobs (Linux), and scheduled tasks (Windows) for further traces of the intrusion.