Step 1 : SSH to the server
Step 2 : Check the server condition :-
- Command : top
- Look for a suspicious command; if something suspicious is running, it will appear in the output when we run “top”.
- For example, we can see that the command “Q47Bs0” has high CPU usage and appears on the first line when we run the “top” command.
Step 3 : Copy the PID and check :-
- Command : lsof -p <PID>
- Example : lsof -p 30971
- We can see the suspicious domain and the specific path that is attacking.
**Extra notes : The same concept can be used to check whether the server load is high and what is causing the load to be high.**
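
The Step 3 `lsof -p <PID>` output can be long, so a small filter helps pull out the working directory, the executable and the remote endpoints. This is an added example, not part of the original notes; the function names `summarize_lsof` and `sample_lsof` and the sample output are constructed for illustration, and the parser assumes lsof's default nine-column layout.

```shell
#!/bin/sh
# Added example: condense `lsof -p <PID>` output into triage facts.
# Assumes lsof's default nine-column layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

summarize_lsof() {
    awk '
        NR == 1 && $1 == "COMMAND" { next }   # skip the header row
        {
            # NAME can contain spaces, so rebuild it from field 9 onward
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
        }
        $4 == "cwd" { print "cwd " name }     # directory the process runs from
        $4 == "txt" && !seen_exe++ {          # first txt entry is normally the binary
            print "exe " name
            if (name ~ /\(deleted\)$/) print "flag executable deleted from disk"
        }
        $5 == "IPv4" || $5 == "IPv6" {
            # connections read local->remote; listeners have no "->"
            if (split($9, ends, "->") == 2) print "remote " ends[2] " " $8 " " $10
            else print "listen " $9 " " $8
        }
    '
}

# Constructed sample (not from a real host); example.invalid is a placeholder.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
Q47Bs0  30971  web  cwd    DIR    8,1     4096    131 /home/web/public_html/uploads
Q47Bs0  30971  web  rtd    DIR    8,1     4096      2 /
Q47Bs0  30971  web  txt    REG    8,1   845312  40211 /tmp/Q47Bs0 (deleted)
Q47Bs0  30971  web    3u  IPv4 991204      0t0    TCP 10.0.0.5:48210->pool.example.invalid:8080 (ESTABLISHED)
EOF
}

# Live use on the server: lsof -p 30971 | summarize_lsof
sample_lsof | summarize_lsof
```

An executable flagged as deleted from disk is still running from memory, so record the PID and the `lsof` output before killing the process.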