How to Detect and Remove Hidden Linux Mining Malware – A Step‑by‑Step Guide

This guide explains how to identify the symptoms of a hidden cryptocurrency‑mining virus on a Linux server, locate and terminate the concealed processes, disable the malicious startup service, block suspicious IPs, and secure the system using tools such as sysdig, Safedog, and ClamAV.

Raymond Ops

Linux Server Mining Virus Handling Plan

Infection Overview

The mining process is hidden: top/htop report roughly 50% CPU usage, yet no process accounts for it, and after the process is killed it comes back even though crontab -l shows no scheduled task.

1. Infection Symptoms

High CPU usage without any running application (check with top or htop).

Abnormal IP addresses discovered via netstat -natp (or ss -natp on systems without net-tools).

Severe overheating and fan running at full speed.

Server becomes unexpectedly sluggish.

2. Remediation Steps

2.1 Disconnect Network and Change Root Password

Immediately isolate the server from the network (keep console or out-of-band access) and reset the root password. A new password alone does not evict an attacker who holds an SSH key or has a persistence service in place; the following steps remove those.

2.2 Locate Hidden Mining Process

Use sysdig and unhide to find concealed processes. A common way miners hide from ps and top is a userland rootkit loaded through /etc/ld.so.preload that filters /proc entries out of directory listings; sysdig observes kernel events directly and unhide compares several views of the process table, so both see through that trick. Also inspect /etc/ld.so.preload itself, which is normally absent or empty.

# Install sysdig
sudo apt install sysdig
# Install unhide
sudo apt install unhide
# Show CPU‑heavy processes (including hidden ones)
sudo sysdig -c topprocs_cpu
# Search hidden processes in /proc
sudo unhide proc

Before killing the PID, record what it is (ls -l /proc/PID/exe, cat /proc/PID/cmdline, ls -l /proc/PID/cwd), since that evidence disappears with the process. Then kill -9 PID. If a new mining process appears within seconds, something is respawning it: most often a systemd service (next step), but check cron as well, because crontab -l lists only the current user's entries, not /etc/crontab, /etc/cron.d/ or other users' files under /var/spool/cron/.
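To show what unhide's proc test is actually doing, here is an added example script (not part of the original guide and not unhide's code). It probes /proc/<n> for every possible PID, which a readdir()-hooking LD_PRELOAD rootkit cannot filter, compares the result with what ps reports, re-checks the candidates to rule out processes that simply started or exited mid-scan, and inspects /etc/ld.so.preload. MAX_PID and the --scan flag are names chosen for this example, not options of any existing tool.

```shell
#!/bin/sh
# Added example: cross-check /proc against ps (the idea behind "unhide proc")
# and look for an LD_PRELOAD rootkit. Not code from the original guide.

# Print PIDs present in the first space-separated list but absent from the second.
hidden_pids() {
    procfs_pids=$1   # PIDs found by probing /proc
    ps_pids=$2       # PIDs reported by ps
    for pid in $procfs_pids; do
        case " $ps_pids " in
            *" $pid "*) ;;                 # ps knows about it: not hidden
            *) printf '%s\n' "$pid" ;;     # in /proc but invisible to ps
        esac
    done
}

# Enumerate live PIDs by probing /proc/<n> directly for every n up to pid_max.
# A readdir() hook filters directory listings but cannot stop a direct stat of
# /proc/<n>. Slow when pid_max is large; MAX_PID (assumed name) caps the search.
probe_proc_pids() {
    max=${MAX_PID:-$(cat /proc/sys/kernel/pid_max)}
    n=1
    while [ "$n" -le "$max" ]; do
        [ -d "/proc/$n" ] && printf '%s ' "$n"
        n=$((n + 1))
    done
}

# PIDs as ps sees them, collapsed onto one space-separated line.
ps_pids() { ps -eo pid= | tr -s ' \n' '  '; }

# Full live scan: probe, compare, then confirm each candidate a second time so
# that processes which exited or started between the two snapshots drop out.
scan_live() {
    candidates=$(hidden_pids "$(probe_proc_pids)" "$(ps_pids)")
    [ -n "$candidates" ] || { echo "no hidden PIDs"; return 0; }
    confirmed=$(hidden_pids "$candidates" "$(ps_pids)")
    for pid in $confirmed; do
        [ -d "/proc/$pid" ] || continue
        printf 'HIDDEN pid %s exe=%s cmd=%s\n' "$pid" \
            "$(readlink "/proc/$pid/exe" 2>/dev/null)" \
            "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# /etc/ld.so.preload is normally absent; any library listed there deserves a look.
check_ld_preload() {
    if [ -s /etc/ld.so.preload ]; then
        echo "ld.so.preload is not empty:"; cat /etc/ld.so.preload
        return 1
    fi
    echo "ld.so.preload absent or empty"
}

if [ "${1:-}" = "--scan" ]; then
    check_ld_preload
    scan_live
fi
```

Run it as root with --scan. Because the shell itself is dynamically linked, a preload rootkit can still hook the shell's own calls; the probe loop only relies on stat(), which the usual readdir-filtering libraries leave alone, but a statically linked busybox copied onto the host is the safer way to run this on a box you do not trust.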

2.3 Stop the Malicious Startup Service

Identify the unit that owns the PID with systemctl status PID (systemctl accepts a PID and prints the unit whose cgroup contains it); the unit name ends in .service. Stop and disable it, then look at the unit file with systemctl cat xxxxX.service: its ExecStart is the path of the dropper binary, and the unit file itself must be deleted (followed by systemctl daemon-reload), because disable only removes the boot-time symlink:

# Stop the service
systemctl stop xxxxX.service
# Disable autostart
systemctl disable xxxxX.service

2.4 Kill the Mining Process

After the service is disabled, kill the process again. CPU usage returns to normal and a repeat of the sysdig/unhide check shows no hidden process; if the miner still comes back, a second persistence mechanism (cron, rc.local, another unit or a timer) remains.

kill -9 PID
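The lookup in 2.3 and the kill in 2.4, combined into one added script (not from the original guide). It derives the unit name from /proc/PID/cgroup, the same mapping systemctl status PID reports, records the binary and command line before anything is killed, and removes the unit file rather than only disabling it. The backup path /root/ir-<unit>.bak and the subcommand names describe and teardown are conventions invented for this example.

```shell
#!/bin/sh
# Added example: trace a mining PID to the systemd unit that respawns it and
# tear the unit down. Not from the original guide; xxxxX.service is a placeholder.

# Extract the *.service unit from /proc/<pid>/cgroup contents passed as $1.
# Handles cgroup v2 ("0::/system.slice/x.service") and v1
# ("1:name=systemd:/system.slice/x.service"). Prints nothing when the process
# lives in a session scope (ssh, cron) rather than a service.
unit_from_cgroup() {
    printf '%s\n' "$1" | sed -n 's#.*/\([^/]*\.service\)$#\1#p' | head -n 1
}

# Record what the process is before it is killed: the evidence dies with it.
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid $pid" >&2; return 1; }
    echo "pid:  $pid"
    echo "ppid: $(awk '/^PPid:/ {print $2}' "/proc/$pid/status")"
    echo "exe:  $(readlink "/proc/$pid/exe")"
    echo "cmd:  $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "cwd:  $(readlink "/proc/$pid/cwd")"
    echo "unit: $(unit_from_cgroup "$(cat "/proc/$pid/cgroup")")"
}

# Stop, disable and remove the unit, then kill the process it was guarding.
# The unit file is copied to /root (assumed location) before removal so the
# ExecStart path and Restart= settings stay available for the investigation.
teardown() {
    pid=$1
    unit=$(unit_from_cgroup "$(cat "/proc/$pid/cgroup")")
    if [ -n "$unit" ]; then
        systemctl cat "$unit"                      # shows ExecStart and the file path
        frag=$(systemctl show -p FragmentPath --value "$unit")
        systemctl stop "$unit"
        systemctl disable "$unit"
        [ -n "$frag" ] && cp "$frag" "/root/ir-$unit.bak" && rm -f "$frag"
        systemctl daemon-reload
        systemctl reset-failed "$unit" 2>/dev/null
    else
        echo "pid $pid is not in a .service cgroup; check cron, rc.local and its parent" >&2
    fi
    kill -9 "$pid" 2>/dev/null
}

case ${1:-} in
    describe) describe_pid "$2" ;;
    teardown) teardown "$2" ;;
esac
```

Run describe PID first and keep its output; only then run teardown PID. If describe reports an empty unit, the respawn is not coming from systemd and the parent PID it prints is the next thing to look at.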

3. Prevent Future Intrusions

3.1 Identify Suspicious IPs

# List network connections and look for abnormal IPs
netstat -natp

Concentrate on ESTABLISHED outbound connections belonging to the mining PID; they lead to its pool or control server. On hosts without net-tools, ss -natp shows the same information. Look the IPs up online (abuse databases, passive DNS) before blocking them.

3.2 Block Malicious IPs

The miner dials out to its pool, so an INPUT rule alone only stops inbound traffic; drop the same address in the OUTPUT chain as well (iptables -I OUTPUT -d IP -j DROP).

# Block IP with iptables
sudo iptables -I INPUT -s IP -j DROP
# Verify the rule
sudo iptables -L INPUT -v -n

Persist the rules across reboots. On Debian/Ubuntu use iptables-persistent, whose service is netfilter-persistent (the iptables.service unit belongs to the iptables-services package on CentOS/RHEL, where the equivalent is service iptables save followed by systemctl enable iptables):

# Install persistence tool
sudo apt-get install iptables-persistent
# Save current rules
sudo netfilter-persistent save
# Enable on boot
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
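An added example (not from the guide) of doing the blocking in 3.2 from a list of addresses rather than one at a time: it validates each entry so a malformed line cannot inject extra iptables arguments, drops the address in both directions, inserts a rule only when it is absent (iptables -C), and saves with whichever persistence package the host has. The blocklist format (one IP per line, # comments) is this example's convention, and the addresses in the test are documentation-range values.

```shell
#!/bin/sh
# Added example, not from the original guide: block a list of attacker IPs in
# both directions, idempotently, and persist on either distro family.

# Accept only a plain dotted-quad IPv4 address. Anything else (ranges, spaces,
# extra flags) is rejected so it can never reach the iptables command line.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two rules (inbound and outbound) that block $1, one per line.
# The miner connects out to its pool, so an INPUT rule alone is not enough.
block_rules_for() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
    printf 'iptables -I OUTPUT -d %s -j DROP\n' "$1"
}

# Insert a rule only if an identical one is not already present (-C checks),
# so the script can be re-run without stacking duplicates.
apply_rule() {
    chain=$1; shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" "$@"
}

# Read IPs from a file ($1); skip blank lines, comments and malformed entries.
apply_blocklist() {
    while IFS= read -r ip || [ -n "$ip" ]; do
        case $ip in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid entry: $ip" >&2
            continue
        fi
        apply_rule INPUT -s "$ip" -j DROP
        apply_rule OUTPUT -d "$ip" -j DROP
    done < "$1"
}

# Save the running ruleset with the persistence package the host actually has.
persist_rules() {
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save          # Debian/Ubuntu: iptables-persistent
    elif [ -f /etc/sysconfig/iptables ]; then
        service iptables save              # CentOS/RHEL: iptables-services
    else
        echo "no persistence package found; rules live in memory only" >&2
        return 1
    fi
}

if [ $# -eq 1 ] && [ -f "$1" ]; then
    apply_blocklist "$1" && persist_rules
fi
```

Usage: put one address per line in a file and run the script as root with that file as its only argument. Re-running it after adding addresses is safe because of the -C check.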

3.3 Remove Unknown SSH Public Keys

Check every account, not only the one you are logged in as: /root/.ssh/authorized_keys, each /home/*/.ssh/authorized_keys, the home directories of service accounts, and any alternative path set by AuthorizedKeysFile in /etc/ssh/sshd_config.

cat ~/.ssh/authorized_keys

Delete any unfamiliar key immediately. A foreign key means the attacker had, and kept, interactive access, so also review the authentication log for logins made with it.
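The key check in 3.3 extended to every account, as an added example (not from the guide): it derives authorized_keys paths from /etc/passwd, including service accounts with nologin shells where attackers like to leave keys, and flags any key whose blob is not in an allowlist you maintain. The allowlist format (one base64 key blob per line) and the sample key lines in the test are constructed for this example; AuthorizedKeysFile overrides in sshd_config are not handled.

```shell
#!/bin/sh
# Added example, not from the original guide: audit authorized_keys for every
# account against an allowlist of known key blobs.

# Print candidate authorized_keys paths from passwd-format text on stdin.
# Accounts with nologin shells are included on purpose: a key there still
# works if the attacker changes the shell or uses the account for port forwarding.
key_paths_from_passwd() {
    awk -F: '$6 != "" && $6 != "/" { print $6 "/.ssh/authorized_keys" }'
}

# Print lines of an authorized_keys file ($1) whose key blob (the base64 field
# after the key type) is not listed in the allowlist file ($2).
# Options such as command="..." may precede the key type, so the type is located
# by pattern rather than by field position.
unknown_keys() {
    [ -f "$2" ] || { echo "allowlist $2 not found" >&2; return 1; }
    awk -v allow="$2" '
        BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
        /^[[:space:]]*(#|$)/ { next }
        {
            blob = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-)/) { blob = $(i+1); break }
            if (!(blob in ok)) print FILENAME ": " $0
        }' "$1"
}

# Walk every account on the host and report keys outside the allowlist ($1).
audit_all() {
    key_paths_from_passwd < /etc/passwd | while IFS= read -r f; do
        [ -f "$f" ] || continue
        unknown_keys "$f" "$1"
    done
}

if [ $# -eq 1 ]; then
    audit_all "$1"
fi
```

Build the allowlist from the keys you actually issued (the second field of each legitimate authorized_keys line); everything the script prints is then either an undocumented key or an intruder's. An unparseable line (no recognised key type) is printed too, since it is worth a look either way.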

4. Install Safedog for Protection

Installation instructions: https://www.safedog.cn/install_desc_server.html
Manual: https://www.safedog.cn/download/software/safedogfwq_linux_Help.pdf

5. Linux Virus Scanning with ClamAV

Reference: https://www.moewah.com/archives/5296.html

ClamAV is an open‑source antivirus engine offering command‑line scanning, database updates, and rapid response to new threats. It works on Windows, macOS, and Linux.

5.1 Installation

For Debian/Ubuntu:

sudo apt-get update
sudo apt-get install clamav clamav-daemon

For CentOS/RHEL:

sudo yum install epel-release
sudo yum install clamav clamav-update

5.2 Configuration

On Debian/Ubuntu the clamav-freshclam service refreshes the signature database on its own; stop it first (systemctl stop clamav-freshclam) when running freshclam by hand, otherwise the manual update aborts because the log file is locked by the running daemon.

# Update virus database
sudo freshclam

5.3 Usage

# Scan a single file
clamscan /path/to/your/file
# Scan a directory recursively
clamscan -r /path/to/directory
# Remove detected files automatically (destructive; see note below)
clamscan --remove -r /path/to/directory
# Write a scan report
clamscan -r /path/to/directory > scanreport.txt

--remove deletes infected files outright and with them the evidence you need for the investigation; during incident handling prefer --move=DIR to quarantine them instead. For faster, multi-threaded scans use clamdscan against the ClamAV daemon:

# Ensure the daemon is running
sudo systemctl start clamav-daemon
# Scan a file
clamdscan /path/to/your/file
# Scan a directory recursively
clamdscan -r /path/to/your/directory
# Multi‑scan with file descriptor passing
clamdscan --multiscan --fdpass /path/to/scan
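An added example wrapper around clamscan (not from the guide or the ClamAV project) that quarantines hits with --move instead of deleting them and turns the scan output into something a script can act on. /var/quarantine is an assumed location, and the clamscan output used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: scan, quarantine rather than
# delete, and parse clamscan's output. QUARANTINE is an assumed default path.

QUARANTINE=${QUARANTINE:-/var/quarantine}

# Parse clamscan's summary block ($1) and print the "Infected files" count.
infected_count() {
    printf '%s\n' "$1" | awk -F': *' '/^Infected files:/ { print $2; exit }'
}

# Print the paths clamscan flagged as FOUND in its output ($1), one per line.
# Result lines look like "/path/to/file: Signature.Name FOUND".
found_paths() {
    printf '%s\n' "$1" | awk '/ FOUND$/ { sub(/: [^:]* FOUND$/, ""); print }'
}

# Scan a directory, moving hits into a dated quarantine directory instead of
# deleting them. Exit status follows clamscan: 0 clean, 1 infected, 2 error.
quarantine_scan() {
    dir=$1
    dest="$QUARANTINE/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" && chmod 700 "$dest"
    out=$(clamscan -r --infected --move="$dest" "$dir" 2>&1)
    rc=$?
    found_paths "$out"
    echo "infected: $(infected_count "$out") (quarantined in $dest)"
    return "$rc"
}

if [ $# -eq 1 ]; then
    quarantine_scan "$1"
fi
```

Run it as root with the directory to scan as its argument; quarantined files keep their contents for later analysis (hashes, strings, timeline) while no longer being executable from their original location.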

6. Install Sysdig

Sysdig is a system-level tracing tool that combines much of what strace, tcpdump and lsof show into one interface. The vendor offers a one-line installer:

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

This downloads and runs a script as root; on a host you are actively investigating, prefer the distribution package (apt install sysdig, as in 2.2) or download the script and read it before running it. Verify the installation (topconns lists the busiest network connections, which is also a quick way to spot the miner's pool connection):

sysdig -pc -c topconns

7. Resolve Missing Command Errors for Safedog

Install required utilities:

yum -y install mlocate      # locate command
yum -y install pciutils     # lspci command
yum install lsof             # lsof command
yum install psmisc           # killall command

8. Fix "No Available Packages" Errors on CentOS 7

Install the EPEL repository to obtain missing packages:

yum install -y epel-release

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
