Step 1: Monitor Active Network Connections
# List established TCP/UDP connections together with the owning PID/program
sudo netstat -tunap | grep ESTABLISHED | grep -E ":[0-9]{1,5}.*ESTABLISHED"

Step 2: Look for Suspicious Outbound Connections
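# -E makes "|" an alternation; with -P ports are numeric, so the exclusion matches process names (sshd, httpd)
sudo lsof -i -n -P | grep ESTABLISHED | grep -Ev "ssh|http|https"

Step 3: Check for Common Shell Binds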
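# Anchor on ":" and a word boundary so PIDs or longer numbers containing these digits do not match
sudo ss -tulpn | grep -E ":(4444|1337|31337|6666|7777)\b"

Step 4: Monitor /dev/tcp Usage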
# Search web content for scripts that open sockets through bash's /dev/tcp
grep -r "exec.*/dev/tcp" /var/www/ 2>/dev/null

Step 5: Use rkhunter for Detection
# Run all rkhunter checks without keypress prompts and show lines mentioning "reverse"
sudo rkhunter --check --sk | grep -i "reverse"
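
The connection checks in Steps 1 to 3 can be combined into one field-aware filter. The script below is an added example, not part of the original steps. It flags established connections whose peer port is on the Step 3 list or whose owning process is a shell or netcat. The process-name list and the sample `ss -tnp` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -tnp` output (addresses are documentation ranges).
sample_ss_output() {
cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51514 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.0.0.5:48112 203.0.113.7:4444 users:(("bash",pid=2291,fd=3))
ESTAB 0 0 10.0.0.5:443 198.51.100.20:50122 users:(("nginx",pid=14444,fd=9))
ESTAB 0 0 10.0.0.5:51000 198.51.100.9:8443 users:(("sh",pid=3310,fd=0))
ESTAB 0 0 10.0.0.5:40222 192.0.2.44:31337 users:(("updater",pid=4100,fd=6))
EOF
}

# Reads `ss -tnp` lines on stdin; prints "reason<TAB>peer<TAB>process" per hit.
# ports: the list from Step 3. shells: an assumed list, extend as needed.
flag_suspicious() {
  awk -v ports="4444 1337 31337 6666 7777" -v shells="sh bash dash zsh nc ncat" '
    BEGIN {
      n = split(ports, p, " ");  for (i = 1; i <= n; i++) badport[p[i]] = 1
      n = split(shells, s, " "); for (i = 1; i <= n; i++) shell[s[i]] = 1
    }
    $1 != "ESTAB" { next }                      # skips the header and other states
    {
      n = split($5, a, ":"); port = a[n]        # last ":" field, works for IPv6 too
      proc = "?"
      if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
      reason = ""
      if (port in badport) reason = "port"
      if (proc in shell) reason = (reason == "" ? "shell" : reason "+shell")
      if (reason != "") printf "%s\t%s\t%s\n", reason, $5, proc
    }'
}

# Stand-alone run on the constructed sample.
# Live use: sudo ss -tnp | flag_suspicious
sample_ss_output | flag_suspicious
```

Because the port is compared as a whole field, the nginx line with PID 14444 is not reported, while the shell on port 8443 is caught even though its port is not on the list.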