Removing Bots and Malware: Cross-System Guide

If you suspect your server has been compromised, follow the guide for your specific operating system to track down, terminate, and remove malicious processes.


ATTENTION – Critical Steps: Immediate removal is crucial. After cleanup, you must immediately change all passwords and fix the root cause of the compromise (e.g., patch outdated software or replace weak passwords).


1. Investigation and Process Identification

The first phase is to find the malicious process, determine its actual location, and identify the user account under which it is running.

Linux Server (netstat, /proc)

1.1 Check for Open Connections

Use the netstat command to look for suspicious open connections. Watch for unusual ports (6667 / IRC in the example) and for connections stuck in SYN_SENT state that belong to a process masquerading as a legitimate service (here, a fake sshd).

Find Suspicious Connections
[root@server123 ~]# netstat -plant | grep 6667
tcp        0      1 69.64.x.x:53982        62.231.74.x:6667       SYN_SENT    21394/sshd

1.2 Identify the Process Path

Using the Process ID (PID), check where the executable really lives by reading the /proc/<PID>/exe symlink. In the example, PID 21394 resolves to /usr/local/games//.bot/httpd, so despite its name it is not the genuine sshd.

Find Executable Path from PID
[root@server123 ~]# ls -l /proc/21394/exe
lrwxrwxrwx 1 kingdom kingdom 0 Apr 17 10:31 /proc/21394/exe -> /usr/local/games//.bot/httpd
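The two Linux steps above (socket table, then /proc/<PID>/exe) can be chained into one triage pass. The script below is an added example, not part of this guide: it parses rows from netstat -plant (or ss -tanp on systems without netstat), resolves each owning PID's real executable path, and flags the signs the example shows, namely a binary in a hidden directory (.bot) and a process name (sshd) that does not match the binary on disk (httpd). It assumes Linux with /proc; PIDs for other users' processes are only visible when run as root. The WATCH_PORTS default and the tag names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added triage helper for section 1 (not the guide's own script).
# Assumes Linux with /proc and either netstat or ss; run as root to see all PIDs.

# Ports to look at by default; extend with | (for example "6667|6697").
WATCH_PORTS=${WATCH_PORTS:-6667}

# Pull "PID NAME" out of one socket-table row.  Handles netstat -plant
# ("21394/sshd" in the last column) and ss -tanp ('users:(("sshd",pid=21394,fd=3))').
# Returns 1 when the row carries no PID (netstat prints "-" for processes you do not own).
pid_and_name() {
    local line=$1 pid name last
    case "$line" in
        *"users:(("*)
            pid=$(printf '%s\n' "$line" | sed -n 's/.*pid=\([0-9]*\).*/\1/p')
            name=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p') ;;
        *)
            last=${line##* }
            pid=${last%%/*}
            name=${last#*/} ;;
    esac
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$pid" "$name"
}

# Judge an executable path against the name the socket table claims for it.
# Prints "OK" or "SUSPICIOUS:" followed by one tag per reason.
classify_exe_path() {
    local exe=$1 claimed=$2 tags="" base
    base=${exe##*/}
    base=${base%" (deleted)"}
    case "$exe" in */.*)                         tags="$tags hidden-directory" ;; esac
    case "$exe" in /tmp/*|/var/tmp/*|/dev/shm/*) tags="$tags world-writable-location" ;; esac
    case "$exe" in *"(deleted)")                 tags="$tags binary-deleted-from-disk" ;; esac
    case "$exe" in ''|'?')                       tags="$tags exe-unreadable" ;; esac
    if [ -n "$claimed" ] && [ "$claimed" != "-" ] && [ "$base" != "$claimed" ]; then
        tags="$tags name-mismatch($claimed!=$base)"
    fi
    [ -z "$tags" ] && echo OK || echo "SUSPICIOUS:$tags"
}

# Walk the live socket table and report every SYN_SENT connection, and every
# connection on a watched port, together with the owning binary's real path.
scan_connections() {
    local tool line ids pid name exe
    if command -v netstat >/dev/null 2>&1; then tool="netstat -plant"
    elif command -v ss >/dev/null 2>&1; then tool="ss -tanp"
    else echo "need netstat or ss" >&2; return 1; fi
    $tool 2>/dev/null | grep -E "SYN_SENT|:(${WATCH_PORTS}) " | while IFS= read -r line; do
        if ! ids=$(pid_and_name "$line"); then
            echo "NO-PID  $line  (run as root to see the owner)"; continue
        fi
        pid=${ids%% *}; name=${ids#* }
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        printf '%-6s %-10s %s\n        exe: %s\n' "$pid" "$name" "$(classify_exe_path "$exe" "$name")" "$exe"
    done
}

# Run the live scan only when invoked as "script --scan", so the helper
# functions can also be sourced into an interactive shell.
if [ "${1:-}" = "--scan" ]; then
    scan_connections
fi
```

On the example from the guide, classify_exe_path reports "SUSPICIOUS: hidden-directory name-mismatch(sshd!=httpd)", while the real /usr/sbin/sshd reports "OK". A "(deleted)" suffix on the exe link is worth acting on too: it means the binary was removed from disk after launch, which is a common way to hide the file while the process keeps running.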

Windows Server (Task Manager, PowerShell)

1.1 Check Processes in Task Manager

Open Task Manager (Ctrl+Shift+Esc) and switch to the "Details" tab. Look for processes that:

  • Show unusually high CPU or memory usage.
  • Have unusual or randomly generated names.
  • Are running under an incorrect system user.

1.2 Find Process Path via PowerShell

Use PowerShell to determine the full path of a suspicious executable file (EXE). Replace SuspectProcessName with the name you found in the Task Manager.

Find Executable File Path
Get-Process -Name "SuspectProcessName" | Select-Object Path

If the path points to Temp, AppData, or a directory like C:\ProgramData, the process is likely malicious.


2. Terminating the Process and Deleting Files

Once identified, the process must be stopped, and the malicious files must be removed.

Linux Server (kill, rm)

2.1 Kill the Process

Forcefully terminate the malicious process using kill -9.

Kill the Process (PID in example: 21394)
[root@server123 .bot]# kill -9 21394

2.2 Remove the Malicious Directory

Recursively remove the entire directory (e.g., .bot/ in the example) to ensure no recovery scripts remain.

Remove the Directory
[root@server123 .bot]# cd ..
[root@server123 games]# rm -rf .bot/

Windows Server (PowerShell, Defender)

2.1 Terminate the Process

Stop the identified process using PowerShell with either the Process ID (PID) or the name.

Terminate Process (PowerShell)
# If you know the PID:
Stop-Process -Id 9876 -Force
# If you know the name:
Stop-Process -Name "SuspectProcessName" -Force

2.2 Remove Malware and Scan

Delete the executable file you identified in Step 1.2. Immediately thereafter, start a full Offline Scan with Windows Defender or your preferred antivirus software to find and isolate all related components in the system.


3. Critical Security Measures (Cross-System)

After the malware has been removed, you must close the security gaps through which the attacker gained entry:

Required Hardening Actions:

  • Password Reset: Immediately change the password for all affected user accounts, especially root / Administrator and any users under which the malicious process was running.
  • Account Disablement: Disable all compromised or unknown user accounts. (Linux: Remove the 'x' from the password field in /etc/passwd. Windows: Disable the account in User Management.)
  • Patch Management: Ensure all system and application updates are installed to close known vulnerabilities.
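For the Linux side of the password-reset and account-disablement actions above, the script below is an added example (not from the guide). Its audit pass reads /etc/passwd and /etc/shadow (or copies handed to it) and reports three things an intruder commonly leaves behind: a second UID-0 account, an account whose password field is empty (an empty field means no password is required at all, so check for it after any hand edits to those files), and every human-range account that still has a login shell, which is the list to review against the accounts you actually know. The lock and expire helpers use the standard shadow-utils commands (usermod, chage, pkill); the uid0/nopass/review tags are this example's own naming.

```shell
#!/usr/bin/env bash
# Added account audit and lock-down helper for section 3 (not the guide's script).
# Assumes shadow-utils (usermod, chage) and passwd/shadow files in the usual format.

# Print one finding per line:
#   uid0:NAME     a second UID-0 account besides root
#   nopass:NAME   empty password field in passwd or shadow (login without a password)
#   review:NAME   human-range UID with a real login shell; confirm the account is known
audit_accounts() {
    local passwd=$1 shadow=$2
    awk -F: '
        $3 == 0 && $1 != "root"                  { print "uid0:" $1 }
        $2 == ""                                 { print "nopass:" $1 }
        $3 >= 1000 && $7 !~ /(nologin|false)$/   { print "review:" $1 }
    ' "$passwd"
    [ -r "$shadow" ] && awk -F: '$2 == "" { print "nopass:" $1 }' "$shadow"
    return 0
}

# Lock an account without deleting it (its home directory stays available for
# the investigation): lock the password, expire the account, drop the shell,
# and end any live sessions it still holds.
lock_account() {
    local user=$1
    usermod -L "$user" && chage -E 0 "$user" && usermod -s /usr/sbin/nologin "$user" || return 1
    pkill -KILL -u "$user" 2>/dev/null || true
    echo "locked: $user"
}

# Force a password change at next login for every account that may still log in.
# Reset root's password yourself with passwd first; this covers the rest.
expire_passwords() {
    local passwd=$1 user
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$passwd" |
    while IFS= read -r user; do chage -d 0 "$user"; done
}

# "script audit" prints the findings for the live system (needs root to read shadow).
if [ "${1:-}" = "audit" ]; then
    audit_accounts /etc/passwd /etc/shadow
fi
```

Run the audit before and after the lock-down: any uid0 or nopass line that survives means the cleanup is incomplete, and every review line should correspond to an account you can name.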