How to Detect and Remove Linux Mining Malware: Step‑by‑Step Guide

This article explains how to identify high CPU usage caused by hidden mining malware on Linux servers and provides a comprehensive, command‑line driven process for isolating the host, blocking malicious network traffic, cleaning cron jobs, startup services, compromised libraries, SSH keys, and terminating malicious processes.

Raymond Ops

1. Check CPU Usage

If the host CPU usage remains high, it may indicate a mining trojan that can affect other applications and requires immediate investigation.

top -c

2. Clean Mining Trojan

1) Isolate the host promptly.

2) Block abnormal network communication, as the trojan may connect to mining pools or a C2 server.

Check iptables for suspicious addresses and ports:

iptables -L -n

Remove suspicious entries from the persistent iptables configuration:

vi /etc/sysconfig/iptables

Block network traffic to malicious addresses:

iptables -A INPUT -s <suspicious_address> -j DROP
iptables -A OUTPUT -d <suspicious_address> -j DROP

3) Clean scheduled tasks (cron) that provide persistence. List the current user's tasks:

crontab -l

View tasks for a specific user:

crontab -u username -l

Inspect system cron files:

cat /etc/crontab
ls -la /var/spool/cron      # one crontab file per user; cat on the directory itself fails
cat /etc/anacrontab
cat /etc/cron.d/*
cat /etc/cron.daily/*
cat /etc/cron.hourly/*
cat /etc/cron.weekly/*
cat /etc/cron.monthly/*
cat /var/spool/cron/*

4) Clean startup items that may launch the trojan on boot.

CentOS 7 and earlier:

chkconfig --list

CentOS 7 and later:

systemctl list-unit-files

Disable malicious services:

# For CentOS 7 and earlier
chkconfig <service_name> off
# For CentOS 7 and later
systemctl disable <service_name>

Also examine directories such as /usr/lib/systemd/system, /etc/rc.local, /etc/inittab, and the various /etc/rc*.d folders for suspicious entries.

5) Clean malicious shared libraries loaded via /etc/ld.so.preload:

Check the file (normally empty) and remove any malicious entries:

cat /etc/ld.so.preload
# Remove the malicious .so; if rm reports "Operation not permitted", the file
# probably carries the immutable attribute (chattr +i) and that must be cleared first
rm -f <malicious_so_path>
# Then delete the corresponding line from /etc/ld.so.preload (the file is normally empty)

6) Clean SSH authorized keys that may grant persistent access:

Inspect ~/.ssh/authorized_keys and delete any suspicious keys.

7) Remove the mining process and related malicious binaries:

# Identify mining processes
top -c
ps -ef
# Locate the executable
ls -l /proc/<PID>/exe
# Kill the process
kill -9 <PID>
# Delete the binary file
rm -f <path_to_malware_binary>

Check for unauthorized listening ports and terminate those processes:

netstat -antp

Find recently created files that may be part of the trojan and remove them:

find /etc -ctime -2   # files whose inode changed (ctime) in the last 2 days
lsof -c kinsing       # open files of processes whose command name starts with "kinsing", a common miner
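Steps 5 and 7 both come down to two lookups: what /etc/ld.so.preload injects into every process, and what /proc/<PID>/exe actually points at for each running process. The script below is an added example and not part of the original article; it automates both checks. suspicious_procs prints processes whose executable has been deleted (a dropper that removes itself after launch) or runs from /tmp, /dev/shm or /var/tmp, and preload_entries lists each preload entry together with whether the library exists on disk. Both functions take a root path so they can be exercised against the constructed fake /proc tree built in the script; the function names, the fake tree and the library name in it are assumptions of the example. On a live host call the functions with no arguments.

```shell
#!/bin/sh
# Process and ld.so.preload triage (added example, not from the original
# article). Both functions take a root path so they can be exercised against
# a constructed tree; on a live host call them with no arguments.

# Print "<pid> <exe>" for processes whose executable has been deleted or runs
# from a writable scratch directory. Entries that cannot be read (other users'
# processes without root, kernel threads) are skipped.
suspicious_procs() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        pid="${exe%/exe}"; pid="${pid##*/}"
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *"(deleted)"*|/tmp/*|/dev/shm/*|/var/tmp/*)
                printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Print "<library> present|missing" for each entry in ld.so.preload.
# A clean host has an empty or absent file; any listed library is loaded into
# every dynamically linked program, which is how miners hide from ps and top.
preload_entries() {
    preload="${1:-/etc/ld.so.preload}"
    [ -f "$preload" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$preload" | while IFS= read -r lib; do
        if [ -e "$lib" ]; then state=present; else state=missing; fi
        printf '%s %s\n' "$lib" "$state"
    done
}

# Constructed fixture: a fake /proc with one benign process, one running from
# /tmp, one whose binary was deleted, and a preload file naming a library that
# does not exist on disk. Returns the temporary root directory.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/1" "$d/proc/4321" "$d/proc/777" "$d/etc"
    ln -s /usr/lib/systemd/systemd "$d/proc/1/exe"
    ln -s /tmp/.x/miner "$d/proc/4321/exe"
    ln -s "/usr/bin/kinsing (deleted)" "$d/proc/777/exe"
    printf '# constructed sample\n/usr/local/lib/libhide-example.so\n\n' > "$d/etc/ld.so.preload"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed tree.
FIXTURE=$(build_fixture)
echo "== suspicious processes =="; suspicious_procs "$FIXTURE/proc"
echo "== ld.so.preload entries =="; preload_entries "$FIXTURE/etc/ld.so.preload"
rm -rf "$FIXTURE"
```

Run it as root on the live host so that every /proc/<PID>/exe link is readable. A "(deleted)" target is the case where `ls -l /proc/<PID>/exe` from step 7 no longer leads to a file you can copy: read the binary through /proc/<PID>/exe itself before killing the process if you want a sample for analysis.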

8) Risk assessment and hardening:

Common issues:

Incomplete removal – clean cron, startup items, and daemons before killing processes; otherwise the miner is simply respawned.

Identifying malicious processes – verify the executable path, upload to VirusTotal, or dump the process binary for analysis.

CPU near 100% while processes show low usage – possible tampering of top or preloaded libraries; restore original binaries.

Restore a tampered top command (this assumes a backup named top.original exists; otherwise reinstall the package that provides top):

rm -rf /usr/bin/top && mv /usr/bin/top.original /usr/bin/top

Remove malicious preloaded shared objects:

cat /etc/ld.so.preload && rm -rf <malicious_so_path>

If system commands are compromised, replace them with clean copies from a similar system or install busybox to provide reliable utilities:

# Build dependencies (RHEL/CentOS)
yum -y install wget make gcc perl glibc-static ncurses-devel libgcrypt-devel
wget http://busybox.net/downloads/busybox-1.33.0.tar.bz2
tar -jxvf busybox-1.33.0.tar.bz2
# A .config is required before make; defconfig enables the standard applets.
# make install places the result under ./_install, run utilities as ./busybox <command>
cd busybox-1.33.0 && make defconfig && make && make install
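The "CPU near 100% but nothing shows" case in step 8 raises the question of whether top, ps, netstat and similar tools can still be trusted at all. The script below is an added example and not from the original article: it records sha256 sums of core utilities into a baseline file (to be taken on a known-clean host, or right after reinstalling the packages, and stored off-box) and later reports any binary that has changed or disappeared. The file list, function names and the constructed demo directory are this example's assumptions. On RPM-based hosts the package manager's own verification, rpm -Vf /usr/bin/top (dpkg -V on Debian), does the same comparison against the package database and should be tried first; the baseline approach only needs sha256sum and works when the package database itself is suspect.

```shell
#!/bin/sh
# Baseline-hash integrity check for core utilities (added example, not from
# the original article). Prefer rpm -Vf / dpkg -V where the package database
# is trustworthy; this generic variant only needs sha256sum and a baseline
# file taken from a known-clean host.

# Commands a miner dropper or rootkit commonly replaces to hide itself.
# Paths that do not exist on a given distribution are skipped.
DEFAULT_BINS="/usr/bin/top /usr/bin/ps /usr/bin/ls /usr/bin/find /usr/bin/netstat /usr/bin/lsof /usr/sbin/ss"

# record_baseline <baseline-file> [path ...]
# Writes one "sha256  path" line per existing binary.
record_baseline() {
    out="$1"; shift
    bins="${*:-$DEFAULT_BINS}"
    : > "$out"
    for b in $bins; do
        [ -e "$b" ] || continue
        sha256sum "$b" >> "$out"
    done
}

# verify_baseline <baseline-file>
# Prints "MISSING <path>" or "MODIFIED <path>" for every discrepancy and
# returns 1 if any was found, so it can gate a remediation script.
verify_baseline() {
    base="$1"; status=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        cur=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$base"
    return $status
}

# Constructed demo: hash two fake binaries, then overwrite one and delete the
# other. Returns 1 because both problems are reported.
demo_tamper() {
    d=$(mktemp -d)
    printf 'clean top\n' > "$d/top"
    printf 'clean ps\n' > "$d/ps"
    record_baseline "$d/baseline.sha256" "$d/top" "$d/ps"
    printf 'trojaned top\n' > "$d/top"
    rm -f "$d/ps"
    verify_baseline "$d/baseline.sha256"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone run of the demo; on a real host use
# record_baseline /root/bins.sha256 on the clean system and
# verify_baseline /root/bins.sha256 on the suspect one.
demo_tamper
```

A MODIFIED result on top or ps is the concrete evidence behind the "restore original binaries" advice above, and a verified-clean busybox is a sensible tool to run the check with if the host's own sha256sum is itself in doubt.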