How to Detect and Remove Cryptocurrency Mining Trojans from Linux Servers

This guide explains what mining trojans are, how to identify their presence through CPU usage, suspicious processes, cron jobs and network activity, and provides step‑by‑step commands for isolating, blocking, and fully cleaning infected Linux hosts to prevent recurrence.


What is a Mining Trojan

Mining trojans consume a host's CPU by running cryptomining calculations, severely affecting other applications. Attackers typically scan the Internet indiscriminately, using SSH brute‑force or exploiting vulnerabilities to gain access, and some variants act as worms to spread within the internal network.

Indicators of Infection

Typical signs include unusually high CPU usage, unknown processes, suspicious scheduled tasks, persistent services, modified startup items, malicious SSH public keys, and altered system binaries.

Common detection methods:

Console monitoring (e.g., top -c)

Checking cloud instance metrics

Reviewing iptables -L -n for unknown addresses

Inspecting cron jobs with crontab -l and system cron files
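The detection methods above can be put into one triage script that applies the indicators from this section (high CPU, an executable running out of a scratch directory, an executable already deleted from disk) to every process on the host. The script below is an added example, not code from the original article; it assumes Linux with /proc and GNU ps/awk, and the CPU_THRESHOLD value and the scratch-directory list are assumptions to tune per host. The flagging logic reads its listing from stdin, so it can also be run over a listing saved from a suspect machine.

```shell
#!/bin/sh
# miner_triage.sh (added example; not from the original article).
# Lists processes that show the article's indicators: CPU above a threshold,
# an executable running from a scratch directory, or an executable that has
# been deleted from disk. Assumes Linux with /proc and GNU ps/awk.

CPU_THRESHOLD="${CPU_THRESHOLD:-80}"   # percent; assumption, tune per host

# list_live_processes prints "pid %cpu exe-path" for every process whose
# exe link is readable (kernel threads, and other users' processes when not
# root, are skipped). readlink appends " (deleted)" when the file is gone.
list_live_processes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        cpu=$(ps -o %cpu= -p "$pid" 2>/dev/null | tr -d ' ')
        [ -n "$cpu" ] || continue
        printf '%s %s %s\n' "$pid" "$cpu" "$exe"
    done
    return 0
}

# flag_processes reads "pid %cpu exe-path" lines on stdin and prints
# "pid %cpu exe-path reason" for each line matching an indicator, so the
# same logic runs on a live listing or on one saved from a suspect host.
flag_processes() {
    awk -v thr="$CPU_THRESHOLD" '
    {
        pid = $1; cpu = $2; exe = $3; reason = ""
        if ($NF == "(deleted)")
            reason = "exe-deleted"
        else if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
            reason = "exe-in-scratch-dir"
        if (cpu + 0 >= thr) {
            if (reason == "") reason = "high-cpu"
            else reason = reason ",high-cpu"
        }
        if (reason != "")
            print pid, cpu, exe, reason
    }'
}

# Run against the live host: sh miner_triage.sh --live
if [ "${1:-}" = "--live" ]; then
    list_live_processes | flag_processes
fi
```

A process that is legitimately CPU-heavy (a build, a database compaction) will be reported with the single reason high-cpu; the combinations exe-deleted or exe-in-scratch-dir together with high-cpu are the ones that most often turn out to be a miner and are worth checking first with ls -l /proc/<PID>/exe.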

Cleaning the Mining Trojan

1. Isolate the host – Use security groups or firewall rules to cut off network access.

2. Block abnormal network communication – Identify suspicious IPs/ports in iptables and drop them:

iptables -A INPUT -s <suspicious_ip> -j DROP
iptables -A OUTPUT -d <suspicious_ip> -j DROP

3. Remove scheduled tasks – List and delete malicious cron entries:

crontab -l
crontab -u username -l
cat /etc/crontab

4. Disable malicious services – For CentOS 7 and earlier:

chkconfig <service_name> off

For CentOS 7 and later:

systemctl disable <service_name>

5. Delete malicious startup items – Check directories such as /usr/lib/systemd/system and /etc/rc.d, and remove suspicious unit files and init scripts.

6. Clear preloaded shared objects – Empty /etc/ld.so.preload if it contains unknown entries:

> /etc/ld.so.preload

7. Remove unauthorized SSH keys – Inspect ~/.ssh/authorized_keys and delete any unknown keys.

8. Kill mining processes – Identify high‑CPU processes and terminate them:

top -c
ps -ef
kill -9 <PID>

Delete the corresponding executable files after locating them via:

ls -l /proc/<PID>/exe

9. Remove other malicious processes – Use netstat -antp to find listening ports, then kill and delete the associated binaries.

10. Find recently created files – Search for new files that may be part of the trojan:

find /etc -ctime -2
lsof -c kinsing

11. Restore tampered system binaries – Replace compromised tools (e.g., top) with original versions:

rm -rf /usr/bin/top && mv /usr/bin/top.original /usr/bin/top

12. Reinstall busybox for reliable command execution – Install and compile busybox to bypass hijacked utilities:

yum -y install wget make gcc perl glibc-static ncurses-devel libgcrypt-devel
wget http://busybox.net/downloads/busybox-1.33.0.tar.bz2
tar -jxvf busybox-1.33.0.tar.bz2
cd busybox-1.33.0 && make && make install
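Steps 3 through 7 above are the persistence review, and they are the part most often skipped when a host is cleaned in a hurry. The script below is an added example, not code from the original article, that runs those checks in one pass and only reports; deleting an entry stays a manual decision. It takes a root directory as a parameter so the same checks run on a live host (/), on a mounted disk image, or on a constructed test tree. The suspicious-command patterns and the scratch-directory list are assumptions drawn from the loader styles described in this article; extend them for your environment.

```shell
#!/bin/sh
# persistence_audit.sh (added example; not from the original article).
# Reports the persistence hooks the cleanup steps tell you to look for:
# cron lines that download-and-execute or decode payloads, a non-empty
# /etc/ld.so.preload, systemd units that start from a scratch directory,
# and every authorized SSH key. Reports only; deletes nothing.
# ROOT (default /) lets the checks run on a mounted image or a test tree.

# Assumption: patterns covering the loader styles the article describes.
SUSPECT_CMD='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/(tmp|var/tmp|dev/shm)/'

audit_cron() {
    root=${1:-/}
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -En "$SUSPECT_CMD" "$f" | sed "s|^|CRON $f:|"
    done
    return 0
}

audit_preload() {
    root=${1:-/}
    f="$root/etc/ld.so.preload"
    [ -s "$f" ] || return 0          # absent or empty is the normal state
    grep -v '^[[:space:]]*$' "$f" | sed "s|^|PRELOAD $f: |"
    return 0
}

audit_systemd() {
    root=${1:-/}
    for d in "$root/etc/systemd/system" "$root/usr/lib/systemd/system" "$root/lib/systemd/system"; do
        [ -d "$d" ] || continue
        grep -El '^Exec(Start|StartPre)=.*/(tmp|var/tmp|dev/shm)/' "$d"/*.service 2>/dev/null \
            | sed 's|^|UNIT |'
    done
    return 0
}

audit_ssh_keys() {
    root=${1:-/}
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        # key type, key prefix and comment: enough for the owner to confirm each one
        awk -v file="$f" '/^[[:space:]]*#/ || NF == 0 { next }
            { print "SSHKEY " file ": " $1, substr($2, 1, 16) "...", ($3 != "" ? $3 : "(no comment)") }' "$f"
    done
    return 0
}

audit_all() {
    root=${1:-/}
    audit_cron "$root"
    audit_preload "$root"
    audit_systemd "$root"
    audit_ssh_keys "$root"
}

# Live host: sh persistence_audit.sh --run /     (or --run /mnt/image)
if [ "${1:-}" = "--run" ]; then
    audit_all "${2:-/}"
fi
```

When an entry reported here will not delete (for example emptying /etc/ld.so.preload fails with "Operation not permitted" even as root), check the immutable attribute with lsattr and clear it with chattr -i before retrying; miners commonly set it on the files they need to survive. Run the audit once more after a reboot: anything that reappears points at a persistence path this list does not cover.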

Frequently Asked Questions

Why does the trojan reappear after cleaning? Because only the process was killed; persistent mechanisms such as cron jobs, systemd services, or startup scripts reinstall the malware.

How to determine if a suspicious process is malicious? Check the executable path with ls -al /proc/<PID>/exe, upload the file to VirusTotal or compute its MD5 for online scanning. If the file is deleted, dump it via cat /proc/<PID>/exe > /tmp/t.bin before analysis.

Why does CPU usage stay near 100% but no process is shown? The trojan may have replaced system commands (e.g., top, ps) with malicious versions that hide its activity. Restoring the original binaries resolves the issue.
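The second FAQ answer describes collecting the executable and its hash before analysis, and warns that the file may already be deleted from disk. The script below is an added example, not code from the original article, that preserves that evidence in one step: it reads the mapped image through /proc/<PID>/exe (which works whether or not the file still exists), records the on-disk path and whether it was unlinked, the command line and working directory, and produces both the MD5 and the SHA-256 for lookup. The proc root is a parameter, an assumption added only so the function can be exercised against a constructed tree; on a live host leave it at the default.

```shell
#!/bin/sh
# snapshot_process.sh (added example; not from the original article).
# Preserves a suspect process's executable image and metadata before it is
# killed, as the FAQ recommends. PROC_ROOT defaults to /proc; a different
# root is only for testing against a constructed tree.

# snapshot_process PID OUTDIR [PROC_ROOT]
# Writes exe.bin, exe_path.txt, cmdline.txt, cwd.txt, exe.md5, exe.sha256
# into OUTDIR and prints the SHA-256 so it can be fed to an online lookup.
snapshot_process() {
    pid=$1
    outdir=$2
    procroot=${3:-/proc}
    d="$procroot/$pid"
    [ -d "$d" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$outdir"
    # The link target is the on-disk path; the kernel appends " (deleted)"
    # when the file has been unlinked, which is itself an indicator.
    readlink "$d/exe" > "$outdir/exe_path.txt" 2>/dev/null \
        || echo "(unreadable)" > "$outdir/exe_path.txt"
    # Reading through the link copies the bytes actually mapped, deleted or not.
    cat "$d/exe" > "$outdir/exe.bin" || return 1
    tr '\0' ' ' < "$d/cmdline" > "$outdir/cmdline.txt"
    readlink "$d/cwd" > "$outdir/cwd.txt" 2>/dev/null || true
    md5sum "$outdir/exe.bin" | cut -d' ' -f1 > "$outdir/exe.md5"
    sha256sum "$outdir/exe.bin" | cut -d' ' -f1 > "$outdir/exe.sha256"
    cat "$outdir/exe.sha256"
}

# exe_deleted PID [PROC_ROOT]: succeeds when the running binary has been
# unlinked from disk, the case the FAQ says needs the /proc copy.
exe_deleted() {
    case "$(readlink "${2:-/proc}/$1/exe" 2>/dev/null)" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Live use: sh snapshot_process.sh <PID> /root/evidence/<PID>
if [ -n "${1:-}" ] && [ -n "${2:-}" ] && [ "${1:-}" != "--test" ]; then
    snapshot_process "$1" "$2"
    exe_deleted "$1" && echo "note: executable was deleted from disk; exe.bin is the only copy"
fi
```

Take the snapshot before step 8's kill -9: once the process is gone, a deleted binary cannot be recovered from /proc, and the hash is what lets you search VirusTotal or your own incident records for the family.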

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
