How to Detect and Remove Linux Mining Malware: A Step‑by‑Step Guide

This guide explains how to identify hidden cryptocurrency‑mining processes on a Linux server, stop them, disable the services that restart them, block malicious IPs, clean unauthorized SSH keys, and harden the system with tools such as sysdig, Safedog, and ClamAV.

Liangxu Linux

Symptoms of a mining infection

The server shows abnormally high CPU usage (often 50%–100% on multiple cores) and memory consumption, even after a reboot. Other signs include excessive fan noise, unexplained system lag, and suspicious network connections revealed by netstat -natp.

High CPU usage shown by top or htop without any legitimate workload.

Abnormal IP addresses listed by netstat -natp.

Severe overheating and fans running at full speed.

Random system freezes.

Immediate remediation steps

1. Isolate the host and reset the root password

Disconnect the server from the network and change the root password to prevent further remote control.

2. Identify hidden mining processes

Install sysdig and unhide to reveal processes that hide from standard tools.

# install both tools (Debian/Ubuntu)
sudo apt install sysdig
sudo apt install unhide

# rank processes by CPU consumption, including ones that hide from top
sudo sysdig -c topprocs_cpu

# compare /proc with other process views to reveal hidden PIDs
sudo unhide proc

3. Stop the service that restarts the miner

Use systemctl status <PID> to find the associated .service unit, then stop and disable it.

systemctl stop xxxx.service
systemctl disable xxxx.service

4. Kill the mining process

kill -9 <PID>

After stopping the service, killing the process should bring CPU usage back to normal.

Prevent re‑infection

1. Block malicious IP addresses

netstat -natp

Identify suspicious IPs and drop them with iptables:

sudo iptables -I INPUT -s <IP> -j DROP
iptables -L INPUT -v -n

Persist the rules across reboots using iptables-persistent:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save

# on Debian/Ubuntu the unit installed by iptables-persistent is
# netfilter-persistent.service (iptables.service does not exist there)
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
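The step above asks you to pick the suspicious IPs out of netstat -natp by eye. The script below is an added example, not part of the original article: it takes netstat output, keeps only the established connections owned by the suspect PID, discards loopback and RFC1918 addresses (those are your own hosts, not the pool), and prints the iptables rules for review instead of applying them. The netstat sample, the PID 4242, the process name kdevtmpfsi and the IPs are all constructed placeholders; the OUTPUT rule is added because a miner connects outbound, which an INPUT rule alone does not stop.

```shell
#!/usr/bin/env bash
# Added example: turn `netstat -natp` output into candidate iptables rules
# for one suspect PID. Nothing here changes the firewall; review first.

# Constructed sample of `netstat -natp` output (placeholder PID/name/IPs).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      811/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1290/sshd: admin
tcp        0      0 10.0.0.5:43122          203.0.113.7:3333        ESTABLISHED 4242/kdevtmpfsi
tcp        0      0 10.0.0.5:43123          203.0.113.7:3333        ESTABLISHED 4242/kdevtmpfsi
tcp        0      0 10.0.0.5:43124          198.51.100.23:443       ESTABLISHED 4242/kdevtmpfsi
tcp        0      0 127.0.0.1:6379          127.0.0.1:40010         ESTABLISHED 4242/kdevtmpfsi
tcp        0      0 10.0.0.5:8080           192.0.2.44:50022        TIME_WAIT   -'

# Print the unique, non-local foreign IPs of ESTABLISHED connections owned
# by PID $1; netstat text is read from stdin.
suspect_remote_ips() {
  awk -v pid="$1" '
    $1 == "tcp" && $6 == "ESTABLISHED" {
      split($7, pp, "/")                 # "4242/kdevtmpfsi" -> PID, name
      if (pp[1] != pid) next
      ip = $5; sub(/:[0-9*]+$/, "", ip)  # drop the port
      # loopback and RFC1918 peers are internal hosts, not the mining pool
      if (ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./) next
      if (ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      if (!(ip in seen)) { seen[ip] = 1; print ip }
    }'
}

# Emit the DROP rules for every IP found for PID $1 (printed, not executed).
proposed_iptables_rules() {
  printf '%s\n' "$SAMPLE_NETSTAT" | suspect_remote_ips "$1" |
    while read -r ip; do
      printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
      printf 'iptables -I OUTPUT -d %s -j DROP\n' "$ip"
    done
}

# Usage on the sample: proposed_iptables_rules 4242
```

On a live host replace SAMPLE_NETSTAT with `sudo netstat -natp` output and apply only the rules you have confirmed against your own address ranges.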

2. Remove unknown SSH public keys

cat ~/.ssh/authorized_keys

Delete any keys you do not recognize.

Additional hardening tools

ClamAV – open‑source antivirus

Installation on Debian/Ubuntu:

sudo apt-get update
sudo apt-get install clamav clamav-daemon

Installation on CentOS/RHEL:

sudo yum install epel-release
sudo yum install clamav clamav-update

Update the virus database:

sudo freshclam

Common scanning commands:

# Scan a single file
clamscan /path/to/file

# Scan a directory recursively
clamscan -r /path/to/directory

# Remove infected files automatically
clamscan --remove -r /path/to/directory

# Save a scan report
clamscan -r /path/to/directory > scanreport.txt

# Show infected files while scanning
clamscan -r --bell -i /path/to/directory

Daemon‑based scanning:

sudo systemctl start clamav-daemon
clamdscan /path/to/file
clamdscan -r /path/to/directory
clamdscan --multiscan --fdpass /path/to/scan

Sysdig – advanced system‑monitoring tool

Install with the official one‑line script (detects the distribution and configures the repository automatically):

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Verify the installation:

sysdig -pc -c topconns

Resolving missing system commands for Safedog

If Safedog aborts due to missing utilities, install them as follows:

# locate command
sudo yum -y install mlocate

# lspci command
sudo yum -y install pciutils

# lsof command
sudo yum -y install lsof

# netstat command
sudo yum -y install net-tools

# killall command
sudo yum -y install psmisc

Common issues

When yum reports “No package available”, enable the EPEL repository:

sudo yum -y install epel-release
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
