Detect and Eradicate Hidden Linux Mining Malware – Complete Step‑by‑Step Guide

This guide explains how to identify hidden cryptocurrency mining malware on Linux servers, locate concealed processes with sysdig and unhide, terminate the malicious service, block suspicious IPs, and secure the system using tools like iptables, Safedog, and ClamAV, with full command examples.

Liangxu Linux

Infection Symptoms

The server shows 100% CPU usage on half of its cores, high memory consumption, high fan speed, and occasional freezes. The mining process is hidden: it does not appear in htop or top, and crontab -l shows no scheduled tasks.

High CPU usage without visible processes.

Abnormal IP addresses in netstat -natp output.

Severe overheating and fan noise.

Random server freezes.

Remediation Steps

1. Isolate the host and reset root credentials

Immediately disconnect the server from the network and change the root password to stop further compromise.

2. Locate hidden mining processes

Install sysdig and unhide to reveal concealed processes.

sudo apt install sysdig
sudo apt install unhide
sudo sysdig -c topprocs_cpu   # shows CPU‑intensive processes, including hidden ones
sudo unhide proc   # scans /proc for hidden PIDs

Identify the PID of the mining process.

3. Stop the malicious service

Use the PID to find the responsible systemd unit and stop it.

systemctl status 3084   # replace 3084 with the actual PID
systemctl stop xxxxX.service
systemctl disable xxxxX.service

4. Kill the mining process

kill -9 PID

CPU usage should return to normal and no hidden processes should reappear.
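The two checks behind steps 2 and 3 (a /proc entry with no matching ps line, and the systemd unit that owns a PID) can be reproduced in plain shell. This is an added example, not a script from the original article; the PID lists and cgroup lines it tests are constructed, and the --live mode runs the same logic against the local host.

```shell
#!/bin/sh
# Added example: shell reimplementation of what "unhide proc" and
# "systemctl status <PID>" check, for hosts where those tools are missing.

# Constructed sample (not real data): PID 3084 has a /proc entry but does
# not show up in the ps listing, which is the signature of a hidden process.
SAMPLE_PROC=$(printf '1\n2\n3084\n')
SAMPLE_PS=$(printf '1\n2\n')

# Print every PID that appears in the first newline-separated list (the
# kernel's /proc directory) but not in the second (what ps reports).
find_hidden_pids() {
    proc_pids=$1
    ps_pids=$2
    for pid in $proc_pids; do
        # grep -x: whole-line match, so 3084 is not matched by 30840
        printf '%s\n' "$ps_pids" | grep -qx "$pid" || echo "$pid"
    done
}

# Live variant: numeric /proc entries vs. "ps -e" output on this host.
hidden_pids_on_host() {
    proc_list=$(ls /proc | grep -E '^[0-9]+$')
    ps_list=$(ps -eo pid= | tr -d ' ')
    find_hidden_pids "$proc_list" "$ps_list"
}

# Resolve the systemd unit named in one /proc/<pid>/cgroup line, e.g.
# "0::/system.slice/xxxxX.service" -> "xxxxX.service". Prints an empty
# line when the process is not in a .service or .scope cgroup.
unit_from_cgroup() {
    unit=${1##*/}   # last path component of the cgroup path
    case "$unit" in
        *.service|*.scope) printf '%s\n' "$unit" ;;
        *) printf '%s\n' "" ;;
    esac
}

# Live variant: first cgroup line of the given PID (cgroup v2 has one line;
# on v1 the last path component still carries the unit name).
unit_for_pid() {
    unit_from_cgroup "$(head -n 1 "/proc/$1/cgroup" 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then
    hidden_pids_on_host | while read -r pid; do
        echo "hidden pid $pid owned by unit: $(unit_for_pid "$pid")"
    done
fi
```

Run it as `sh hidden.sh --live`; a hidden PID together with its unit name gives you both the `kill` target and the `systemctl stop`/`disable` target from steps 3 and 4.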

Prevent Future Infections

1. Block abnormal IPs

netstat -natp

Search the displayed IPs online to verify legitimacy, then block malicious ones:

sudo iptables -I INPUT -s <IP> -j DROP   # replace <IP> with the address to block
iptables -L INPUT -v -n   # verify the rule

Persist rules across reboots with iptables-persistent:

sudo apt-get install iptables-persistent   # Debian/Ubuntu; saves the current rules on install
sudo netfilter-persistent save             # re-run after every rule change
# On CentOS/RHEL the equivalent unit is provided by the iptables-services package:
systemctl enable iptables
systemctl start iptables

2. Remove unknown SSH keys

cat ~/.ssh/authorized_keys

Delete any unfamiliar public keys.

Linux Antivirus – ClamAV

Installation

Debian/Ubuntu:

sudo apt-get update
sudo apt-get install clamav clamav-daemon

CentOS/RHEL:

sudo yum install epel-release
sudo yum install clamav clamav-update

Update virus database

sudo freshclam

Scanning examples

# Scan a single file
clamscan /path/to/your/file
# Recursively scan a directory
clamscan -r /path/to/directory
# Remove infected files automatically
clamscan --remove -r /path/to/directory
# Generate a scan report
clamscan -r /path/to/directory > scanreport.txt
# Use the daemon client for faster scans
sudo systemctl start clamav-daemon
clamdscan /path/to/your/file
clamdscan -r /path/to/your/directory
clamdscan --multiscan --fdpass /path/to/scan

Advanced Process Inspection – Sysdig

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Test the installation:

sysdig -pc -c topconns

If connection statistics are displayed, Sysdig is installed correctly.

Resolving “No Available Package” Errors

When yum cannot find a package, enable the EPEL repository:

yum install -y epel-release
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
