
dennyzhang/detect_suspicious_process


Basic Intro


File me tickets or star the repo.

Read more: https://www.dennyzhang.com/suspicious_process

Scan all OS processes. Check them against a whitelist.

Any process not matched by the list is treated as suspicious.

How To Use

git clone https://github.com/DennyZhang/detect_suspicious_process.git
cd detect_suspicious_process
# Prepare a whitelist. Each line is a regexp.
cat > /tmp/whitelist.txt << EOF
/sbin/getty -.*
dbus-daemon .*
 acpid -c /etc/acpi/events -s /var/run/acpid.socket$
 atd$
 cron$
 /lib/systemd/systemd-udevd --daemon$
 /lib/systemd/systemd-logind$
 dbus-daemon --system --fork$
 /usr/sbin/sshd -D$
 rsyslogd$
 /usr/sbin/mysqld$
 /usr/sbin/apache2 -k start$
EOF
# List all "suspicious" processes
python ./detect_suspicious_process.py --whitelist_file /tmp/whitelist.txt

# Count "suspicious" processes
python ./detect_suspicious_process.py --whitelist_file /tmp/whitelist.txt | wc -l
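The steps above (write a whitelist of regexps, list every process, report the ones no entry matches) are simple enough to reimplement in a few lines, which also makes the matching rules explicit. The following is an added example written for this page, not the repository's own detect_suspicious_process.py. The page does not say how the script applies its regexps, so the example assumes each entry is searched anywhere within a full `ps -eo pid,user,args` line (that reading explains why the README's entries start with a space and end with `$`). The function names, the whitelist text and the sample ps lines are all constructed for the example.

```python
import re
import subprocess
from typing import Iterable, List, Pattern

# Constructed whitelist in the README's format: one regular expression per
# line. Leading spaces are significant (they separate the command from the
# preceding ps columns), so lines are not stripped. Blank lines and lines
# starting with '#' are skipped; that is this example's rule, not the script's.
WHITELIST_TEXT = """\
/sbin/getty -.*
dbus-daemon .*
 acpid -c /etc/acpi/events -s /var/run/acpid.socket$
 atd$
 cron$
 /usr/sbin/sshd -D$
 rsyslogd$
"""

# Constructed sample of `ps -eo pid,user,args --no-headers` output from a
# hypothetical host; not real data from any machine.
SAMPLE_PS_LINES = [
    "    1 root       /sbin/init",
    "  412 root       /sbin/getty -8 38400 tty1",
    "  530 messagebus dbus-daemon --system --fork",
    "  601 root       /usr/sbin/sshd -D",
    "  640 root       acpid -c /etc/acpi/events -s /var/run/acpid.socket",
    "  655 daemon     atd",
    "  660 root       cron",
    "  702 syslog     rsyslogd",
    " 2201 www-data   /tmp/unknown_tool --daemon",
    " 2290 root       /usr/sbin/sshd -D --extra",
]


def load_whitelist(text: str) -> List[Pattern[str]]:
    """Compile each non-empty, non-comment line as a regexp.

    A malformed entry aborts the scan instead of silently whitelisting
    nothing (or everything); the error names the offending line.
    """
    patterns: List[Pattern[str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            patterns.append(re.compile(line))
        except re.error as exc:
            raise ValueError(f"whitelist line {lineno} ({line!r}): {exc}") from exc
    return patterns


def is_whitelisted(ps_line: str, patterns: Iterable[Pattern[str]]) -> bool:
    # Assumption: an entry matches if it is found anywhere in the ps line
    # (re.search). That is why the README's entries end with '$': without the
    # anchor, ' /usr/sbin/sshd -D' would also accept 'sshd -D --extra'.
    return any(p.search(ps_line) for p in patterns)


def suspicious_processes(ps_lines: Iterable[str],
                         patterns: Iterable[Pattern[str]]) -> List[str]:
    """Return every ps line that no whitelist entry accepts."""
    pats = list(patterns)
    return [line for line in ps_lines if not is_whitelisted(line, pats)]


def running_ps_lines() -> List[str]:
    """Read live processes from a Linux host (procps `ps`; an assumption)."""
    out = subprocess.run(
        ["ps", "-eo", "pid,user,args", "--no-headers"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    rules = load_whitelist(WHITELIST_TEXT)
    # Replace SAMPLE_PS_LINES with running_ps_lines() to scan the real host.
    for line in suspicious_processes(SAMPLE_PS_LINES, rules):
        print(line)
```

Run against the constructed sample, three lines are reported: `/sbin/init`, because the sample whitelist never lists it (every legitimate daemon on the host has to be enumerated, or the report fills with noise); `/tmp/unknown_tool --daemon`, the kind of process the tool exists to surface; and `/usr/sbin/sshd -D --extra`, which the `$`-anchored sshd entry deliberately rejects because the command line carries an argument the whitelist did not approve.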

Online Usage

Denny:dennyzhang.com denny$ ./detect_suspicious_process.py --help
usage: detect_suspicious_process.py [-h] [--whitelist_file WHITELIST_FILE]

optional arguments:
  -h, --help            show this help message and exit
  --whitelist_file WHITELIST_FILE
                        config file for whitelist

License