How to Detect and Remove Hidden Crypto‑Mining Malware on Linux Servers

This guide explains how to identify hidden crypto‑mining processes on a Linux server, stop the malicious services, block suspicious IPs, secure the system with tools like SafeDog and ClamAV, and install Sysdig for deeper forensic analysis.

MaGe Linux Operations

Linux Server Crypto‑Mining Malware Removal Guide

Overview

Situation: the mining process is hidden. top and htop report about 50% total CPU usage, but no process in their listing accounts for it, and the miner restarts immediately after being killed. crontab -l shows no cron job (note that crontab -l lists only the invoking user's crontab; /etc/crontab, /etc/cron.d/ and /var/spool/cron/ should be checked as well before ruling cron out).

1. Symptoms of Infection

The 24‑core server shows 12 cores constantly at 100% CPU, even after reboot, and high memory usage. Additional signs include:

High CPU usage without any user‑started software (check with top or htop).

Established connections to unfamiliar IP addresses in the output of netstat -natp (or ss -ntp on systems without net-tools).

Severe overheating and fan running at full speed.

Unexplained server lag.

2. Remediation Steps

2.1 Disconnect Network and Change Root Password

When a mining virus is detected, immediately disconnect the server from the network (or at least block all traffic except your own management session) and change the root password, along with the password of any other account that has SSH or sudo access.

2.2 Locate Hidden Mining Processes

Use sysdig and unhide to search for hidden processes.

# Install sysdig
sudo apt install sysdig
# Install unhide
sudo apt install unhide
# Rank processes by CPU from kernel-level events; a userland rootkit that filters ps/top output cannot hide from this view
sudo sysdig -c topprocs_cpu
# Compare the PIDs present in /proc with those reported by ps; anything in /proc but missing from ps is flagged
sudo unhide proc

After finding the PID, killing it with kill -9 PID only stops it temporarily because a service restarts it.

2.3 Stop the Malware Startup Service

Take the PID reported by unhide proc and run systemctl status with that PID. systemctl status accepts a PID and reports the unit whose control group contains the process; the name ending in .service in its output is the unit that keeps restarting the miner. Also read the unit definition to see which binary it launches, so that file can be deleted once the service is stopped.

# Show the unit that owns the process (3084 is the example PID from unhide proc)
systemctl status 3084
# Stop the service
systemctl stop xxxxX.service
# Disable it from starting at boot
systemctl disable xxxxX.service

2.4 Kill the Mining Process

After the service has been stopped and disabled, kill the process. CPU usage should return to normal and a second run of unhide proc should report nothing. Delete the miner binary and the unit file the service pointed to as well; otherwise a second persistence mechanism, or the next intruder, can simply start it again.

kill -9 PID
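The three steps above (find the PID that ps does not show, find the unit that respawns it, then stop, disable and kill in that order) collected into one script. This is an added example, not code from the original article: it reproduces what unhide proc and systemctl status PID do by reading /proc directly, so it also works on a host where those tools are not installed. The PID 3084 and unit name xxxxX.service are the article's placeholders, and the cgroup lines used to self-check the parser are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: locate a process that is
# present in /proc but missing from ps output (the check unhide proc makes),
# read the systemd unit that owns it from /proc/PID/cgroup (the information
# systemctl status PID prints), then stop and disable that unit before killing
# the process. Run as root with --live on the affected host; without --live it
# only defines the functions.
set -u

# $1: whitespace-separated PIDs from /proc, $2: PIDs reported by ps.
# Prints the PIDs in $1 that are absent from $2, in the order they appear.
hidden_pids() {
  awk -v proc="$1" -v visible="$2" 'BEGIN {
    n = split(visible, p, /[ \t\n]+/); for (i = 1; i <= n; i++) seen[p[i]] = 1
    n = split(proc, q, /[ \t\n]+/); out = ""
    for (i = 1; i <= n; i++)
      if (q[i] != "" && !(q[i] in seen)) out = out (out == "" ? "" : " ") q[i]
    print out
  }'
}

# $1: one line of /proc/PID/cgroup. Prints the .service unit at the end of the
# path, or nothing for processes that do not belong to a service.
# cgroup v2 lines look like "0::/system.slice/xxxxX.service", cgroup v1 like
# "1:name=systemd:/system.slice/xxxxX.service".
unit_from_cgroup() {
  printf '%s\n' "$1" | sed -n 's#.*/\([^/]*\.service\)$#\1#p'
}

if [ "${1:-}" = "--live" ]; then
  ps_pids=$(ps -e -o pid=)                      # what ps is allowed to see
  proc_pids=$(ls /proc | grep -E '^[0-9]+$')    # what the kernel actually has
  for pid in $(hidden_pids "$proc_pids" "$ps_pids"); do
    # A process that started between the two listings lands here too, so
    # list ps again and skip the PID if ps can see it after all.
    ps -e -o pid= | tr -d ' ' | grep -qx "$pid" && continue
    [ -r "/proc/$pid/cgroup" ] || continue      # already gone
    cg=$(grep -m1 -E '^(0::|1:name=systemd:)' "/proc/$pid/cgroup")
    unit=$(unit_from_cgroup "$cg")
    echo "hidden pid $pid  cmd: $(tr '\0' ' ' < "/proc/$pid/cmdline")  unit: ${unit:-none}"
    if [ -n "$unit" ]; then
      systemctl cat "$unit" | grep -E '^Exec'   # the binary to delete afterwards
      systemctl stop "$unit"
      systemctl disable "$unit"
    fi
    kill -9 "$pid"
  done
fi
```

The order matters: stopping the unit first removes the restart loop, and the re-check against a fresh ps listing keeps a process that merely started during the first listing from being killed by mistake. A kernel-level rootkit that filters /proc itself would defeat this check just as it defeats unhide proc; that case calls for the sysdig view from section 2.2 or an offline disk image.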

3. Prevent Future Intrusions

3.1 Identify Suspicious IPs

# Show network connections and look for abnormal IPs
netstat -natp

Look up any unfamiliar address (WHOIS, threat-intelligence feeds, a web search) before acting on it; your own management session appears in this list too. If net-tools is not installed, ss -ntp shows the same connections.

3.2 Block Suspicious IPs

Use iptables to block the address and keep the rule across reboots with iptables-persistent. Two caveats: an INPUT rule only drops traffic arriving from that address, while the miner's connection to its pool is outbound, so add a matching OUTPUT rule with -d for the same address. And blocking one address is a stopgap, since miners are usually configured with pool hostnames that resolve to changing addresses; it is the removal in section 2, not the firewall rule, that stops the mining.

# Block the IP
sudo iptables -I INPUT -s IP -j DROP
# Verify the rule
sudo iptables -L INPUT -v -n
# Install iptables-persistent (Debian/Ubuntu)
sudo apt-get install iptables-persistent
# Save the current rules to /etc/iptables/rules.v4
sudo netfilter-persistent save
# Restore them on boot
sudo systemctl enable netfilter-persistent

On Debian and Ubuntu the unit that restores saved rules is netfilter-persistent; the iptables.service unit belongs to the iptables-services package on CentOS/RHEL and does not exist on a Debian system.
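Sections 3.1 and 3.2 as one script: pull the foreign peers out of netstat -natp output, then generate the blocking rules. This is an added example, not code from the original article. The netstat lines it checks itself against are constructed; 203.0.113.77 is a documentation address and "3084/xxxxX" stands in for the miner's PID/program name from the article.

```shell
#!/bin/sh
# Added example, not from the original article: extract the foreign IPv4 peers
# of ESTABLISHED connections from `netstat -natp` output, ignoring loopback,
# RFC1918 and link-local addresses, then build iptables rules that block an
# address in both directions. The sample netstat lines are constructed;
# 203.0.113.77 is a documentation address and "3084/xxxxX" stands in for the
# miner's PID/program name from the article.
set -u

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51522          ESTABLISHED 2310/sshd: root
tcp        0      0 127.0.0.1:6379          127.0.0.1:40112         ESTABLISHED 901/redis-server
tcp        0      0 10.0.0.5:43186          203.0.113.77:3333       ESTABLISHED 3084/xxxxX'

# stdin: netstat -natp output. Prints "IP PID/program" once per distinct peer.
# Only IPv4 "tcp" rows are handled; tcp6 rows put colons inside the address.
foreign_ips() {
  awk '$1 == "tcp" && $6 == "ESTABLISHED" {
    split($5, a, ":"); ip = a[1]
    if (ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./ ||
        ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ || ip ~ /^169\.254\./) next
    if (!(ip in seen)) { seen[ip] = 1; print ip, $7 }
  }'
}

# $1: IPv4 address. Prints the two iptables commands that drop traffic from and
# to it. An INPUT rule alone leaves the miner's outbound pool connection open,
# hence the OUTPUT rule. -I puts the rule first so a later ACCEPT cannot undo it.
block_ip_cmds() {
  case "$1" in
    ""|*[!0-9.]*) echo "not an IPv4 address: '$1'" >&2; return 1 ;;
  esac
  printf 'iptables -I INPUT -s %s -j DROP\n'  "$1"
  printf 'iptables -I OUTPUT -d %s -j DROP\n' "$1"
}

case "${1:-}" in
  --list)
    # Review this list first: your own SSH session is in it if you connect
    # from a public address, and an unfamiliar peer is a lead, not proof.
    netstat -natp | foreign_ips ;;
  --block)
    shift
    for ip in "$@"; do block_ip_cmds "$ip" | sh; done
    # Debian/Ubuntu persistence unit; CentOS uses iptables-services instead.
    netfilter-persistent save
    systemctl enable netfilter-persistent ;;
esac
```

Run it as root with --list, decide which addresses are foreign to you, then run it with --block followed by those addresses. Listing and blocking are deliberately separate steps so that a careless run cannot cut off the administrator's own connection.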

3.3 Check for Unknown SSH Public Keys

# Check root's keys and every user's keys, not only those of the current account
cat /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys

If any unfamiliar key is found, delete it immediately. Also check authorized_keys2 files and any other path set by the AuthorizedKeysFile directive in /etc/ssh/sshd_config, since an attacker's key need not sit in the default file.
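An added example, not code from the original article, that walks every account's authorized_keys files and prints the key type and comment of each entry so that an unfamiliar key stands out. The sample file content it checks itself against is constructed, and the key material in it is a placeholder rather than a real key.

```shell
#!/bin/sh
# Added example, not from the original article: list every key in every
# account's authorized_keys, not just the current user's, showing the key type
# and comment so an unfamiliar entry stands out. The sample file content is
# constructed; the key material is a placeholder, not a real key.
set -u

SAMPLE_KEYS='# keys for the admin laptop
ssh-ed25519 AAAAexamplekeydataNotARealKey admin@laptop

command="/usr/bin/rsync --server" ssh-rsa AAAAexamplekeydataNotARealKey'

# stdin: authorized_keys content. Prints "<type> <comment>" per key, skipping
# blank and comment lines. A key line may carry options (from=, command=, ...)
# ahead of the key type, and an option value may contain spaces, so the
# key-type field is searched for rather than assumed to be the first column.
summarize_keys() {
  awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
       {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+)$/) {
             c = ""
             for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
             print $i, (c == "" ? "(no comment)" : c)
             break
           }
       }'
}

if [ "${1:-}" = "--live" ]; then
  # Walk every account with a home directory; root is included.
  getent passwd | awk -F: '$6 != "" { print $1, $6 }' | while read -r user home; do
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
      [ -s "$f" ] || continue
      echo "== $user: $f"
      summarize_keys < "$f"
      # Fingerprints make it easy to match a key against the known-good list.
      command -v ssh-keygen >/dev/null && ssh-keygen -lf "$f"
    done
  done
  # sshd may read keys from somewhere else entirely; show the directive if set.
  grep -iE '^[[:space:]]*AuthorizedKeysFile' /etc/ssh/sshd_config
fi
```

A key with a command= option and no comment, like the second sample entry, is exactly the kind of line that is easy to overlook in a raw cat of the file.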

4. Install SafeDog for Protection

Installation guide: https://www.safedog.cn/install_desc_server.html
Manual: https://www.safedog.cn/download/software/safedogfwq_linux_Help.pdf

(The original article shows a screenshot of the SafeDog UI after a successful installation.)

5. Use ClamAV for Linux Malware Scanning

Reference: https://www.moewah.com/archives/5296.html

ClamAV is an open-source antivirus engine with a command-line scanner, a signature database that can be updated and extended with custom signatures, and a scanning daemon. It runs on Windows, macOS, and Linux.

5.1 Installation

# Debian/Ubuntu
sudo apt-get update
sudo apt-get install clamav clamav-daemon
# CentOS/RHEL
sudo yum install epel-release
sudo yum install clamav clamav-update

5.2 Configuration

After installation, update the signature database. On Debian/Ubuntu the clamav-freshclam service already runs this update periodically and holds a lock on its log file, so a manual run fails with a lock error until that service is stopped (sudo systemctl stop clamav-freshclam); alternatively, just let the service do the update.

sudo freshclam

5.3 Usage

Common clamscan examples:

# Scan a single file
clamscan /path/to/your/file
# Scan a directory recursively
clamscan -r /path/to/directory
# Delete infected files outright (irreversible; --move=DIR quarantines them instead)
clamscan --remove -r /path/to/directory
# Generate a scan report
clamscan -r /path/to/directory > scanreport.txt
# Ring a bell and list only infected files
clamscan -r --bell -i /path/to/directory

clamdscan is the client for the ClamAV daemon (clamd). Because the daemon keeps the signature database loaded, each scan starts much faster than clamscan, and --multiscan spreads a scan across several threads.

# Ensure the daemon is running
sudo systemctl start clamav-daemon
# Scan a file with the daemon
clamdscan /path/to/your/file
# Scan a directory recursively
clamdscan -r /path/to/your/directory
# Multi‑threaded recursive scan
clamdscan --multiscan --fdpass /path/to/scan

6. Install Sysdig on Linux

Sysdig is a system-level tool that combines much of what strace, tcpdump and lsof offer: it captures system calls and other kernel events, can save them to a file, and lets you filter and analyse them afterwards. The vendor's installer below pipes a downloaded script straight into a root shell; download and read the script first, or prefer the distribution package already used in section 2.2.

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Test the installation:

sysdig -pc -c topconns
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, iptables, sysdig, Malware Removal, ClamAV, crypto mining

Written by MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
