How to Detect and Remove Hidden Mining Malware from a Linux Server
This guide explains how to identify a compromised Linux server caused by hidden cryptocurrency mining malware, kill the malicious processes, clean infected files, and harden the system by reviewing scheduled tasks, startup scripts, user accounts, and SSH configurations.
The server became inaccessible and SSH logins were extremely slow.
Running top revealed a high load average; the top process was an unknown "minerd". Research showed that minerd is a cryptocurrency mining program, indicating a compromise.
Checked the process with ps -ef | grep minerd, found the executable in /tmp, killed it and removed the file. Load returned to normal.
Because this kind of trojan can rename and copy itself and relaunch automatically, monitoring continued. Later a new process "klll" appeared, which was also killed and its file deleted.
To close the breach, performed the following remediation steps:
Reviewed scheduled tasks and removed any unknown entries (crontab -l, more /etc/crontab).
Checked startup scripts and disabled unnecessary services (chkconfig --list | grep 3:on, examined /etc/rc.d/rc.local and /etc/rc.local).
Audited user accounts, disabled logins for non‑essential users and strengthened passwords.
Changed the SSH port and configured an IP whitelist for SSH access.
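The checks above (a CPU-hungry process run out of /tmp, unknown cron entries, the SSH port and login restrictions) can be scripted so they are repeatable after the reboot. The following POSIX shell helpers are an added example written for this guide, not code from the original article; they assume awk and GNU ps (for the ps --no-headers option in the live wrapper), and the process, crontab and sshd_config lines they are fed in the usage below are constructed samples, with the names minerd and klll taken from the incident described above.

```shell
#!/bin/sh
# Added triage helpers for the workflow above (example code, not from the original article).
# Assumes POSIX sh plus awk; the live wrapper at the bottom also assumes GNU ps.

# Read "pid pcpu args" lines (one process per line) and print those that match
# either rule the article relied on: the process is consuming most of a CPU
# (threshold in percent, default 80), or its command line references an
# executable under a world-writable temporary directory (/tmp, /var/tmp, /dev/shm).
suspicious_procs() {
    awk -v cpu_threshold="${1:-80}" '
        ($2 + 0) >= cpu_threshold { print; next }
        $0 ~ /(^|[ \t])\/(tmp|var\/tmp|dev\/shm)\// { print }
    '
}

# Read crontab-style lines and print entries that run something out of a temp
# directory, fetch-and-execute remote code, or decode an inline base64 payload.
# Comment lines are skipped.
suspicious_cron() {
    awk '
        /^[ \t]*#/ { next }
        /\/(tmp|var\/tmp|dev\/shm)\// { print; next }
        /(curl|wget)[^|]*\|[ \t]*(ba)?sh/ { print; next }
        /base64[ \t]+(-d|--decode)/ { print }
    '
}

# Read an sshd_config on stdin and summarise the two settings the article changed:
# the listening port and whether logins are restricted to named users.
# Prints "port=<n> allowusers=<yes|no>"; a commented-out "#Port" line is ignored.
sshd_summary() {
    awk '
        tolower($1) == "port"       { port = $2 }
        tolower($1) == "allowusers" { allow = "yes" }
        END {
            if (port == "") port = 22
            if (allow == "") allow = "no"
            printf "port=%s allowusers=%s\n", port, allow
        }
    '
}

# Live wrapper: run the same three checks against the running host.
# For any process it flags, "ls -l /proc/<pid>/exe" shows the real binary path
# even if the file was deleted, which is what you want to note before killing it.
triage_host() {
    echo "== processes =="
    ps -eo pid,pcpu,args --no-headers | suspicious_procs
    echo "== cron =="
    { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } | suspicious_cron
    echo "== sshd =="
    sshd_summary < /etc/ssh/sshd_config
}

# Usage on a constructed sample (the real run is: triage_host):
printf '%s\n' \
    '101 0.3 /usr/sbin/sshd -D' \
    '4242 97.5 /tmp/minerd --config /tmp/.cfg' \
    '4300 1.0 /bin/bash /var/tmp/.x/klll' \
    '4311 2.0 /usr/bin/klll' | suspicious_procs
```

The process filter deliberately reports the third sample line even though its CPU use is low: after the first kill, the renamed copy showed up quietly, and a binary launched from /var/tmp is worth a look regardless of load. The last sample line is not reported, which is the reminder that a name alone ("klll") proves nothing; check the path and the file before deciding.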
After rebooting and monitoring, the system remained stable. Further investigation of web applications is recommended.