How to Detect and Remove Linux Mining Malware: Step-by-Step Guide
This guide explains how to identify high CPU usage caused by mining trojans on Linux servers, isolate and block malicious network traffic, clean scheduled tasks, startup services, compromised libraries, SSH keys, and finally terminate and delete the malicious processes and files.
1. Check CPU Usage
If your host's CPU usage remains unusually high, it may be infected by a mining trojan that can disrupt other applications and requires immediate investigation.
top -c
2. Clean the Mining Trojan
Isolation and network blocking
Isolate the host promptly.
Block abnormal network communication; besides the mining pool, mining trojans often also connect to C2 servers.
Check the current iptables rules for suspicious addresses or ports outside normal business scope:
iptables -L -n
Remove any suspicious addresses and ports from the rules:
vi /etc/sysconfig/iptables
Block the malicious traffic:
iptables -A INPUT -s SUSPICIOUS_IP -j DROP
iptables -A OUTPUT -d SUSPICIOUS_IP -j DROP
Clear scheduled tasks
Mining trojans often persist via cron jobs. List the current user's crontab:
crontab -l
List a specific user's crontab:
crontab -u username -l
Inspect the system-wide cron files:
cat /etc/crontab
ls -l /var/spool/cron
cat /etc/anacrontab
cat /etc/cron.d/*
cat /etc/cron.daily/*
cat /etc/cron.hourly/*
cat /etc/cron.weekly/*
cat /etc/cron.monthly/*
cat /var/spool/cron/*
Remove malicious startup services
On CentOS releases before 7 (SysV init):
chkconfig --list
On CentOS 7 and later (systemd):
systemctl list-unit-files
Disable any identified malicious services:
chkconfig SERVICE_NAME off
systemctl disable SERVICE_NAME
Also inspect common startup directories such as /usr/lib/systemd/system and /etc/rc.d, and remove suspicious entries.
Check and clean /etc/ld.so.preload
This file can be used to preload malicious shared objects. Ensure it is empty or contains only legitimate entries, then clear it:
> /etc/ld.so.preload
Remove unauthorized SSH keys
Inspect ~/.ssh/authorized_keys for unknown keys and delete them.
Terminate and delete malicious processes
Identify mining processes:
top -c
ps -ef
Find the executable path of a suspicious PID:
ls -l /proc/$PID/exe
Kill the process and remove its file:
kill -9 $PID
Check for other unauthorized listening ports:
netstat -antp
For each suspicious PID, repeat the path lookup, kill, and file deletion steps.
Search for recently created files that may belong to the trojan:
find /etc -ctime -2
lsof -c kinsing
3. Frequently Asked Questions
Why does the miner come back after cleanup? Remove cron jobs, startup services, and daemons before killing mining processes; otherwise the persistence mechanism simply restarts the miner.
How to determine if a process is malicious? Verify the executable path, upload the binary to VirusTotal, or dump the process via cat /proc/$PID/exe > /tmp/t.bin for analysis.
Why does CPU stay near 100% while no process shows high usage? The top binary may be replaced or preloaded with a malicious shared object that hides the real usage. Restoring the original binary or clearing /etc/ld.so.preload resolves the issue.
rm -rf /usr/bin/top && mv /usr/bin/top.original /usr/bin/top
> /etc/ld.so.preload
rm -rf /path/to/malicious.so
Alternatively, replace compromised system binaries with clean copies from a matching system version, or use busybox as a temporary toolbox:
yum -y install wget make gcc perl glibc-static ncurses-devel libgcrypt-devel
wget http://busybox.net/downloads/busybox-1.33.0.tar.bz2
tar -jxvf busybox-1.33.0.tar.bz2
cd busybox-1.33.0 && make && make install
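The three checks that drive the procedure above (ld.so.preload content, cron persistence, processes whose binary was deleted) collected into reusable shell functions. This is an added example, not code from the original article; the fixture paths, the regex for download-and-execute cron lines, and the "(deleted)" check on /proc/PID/exe are my assumptions.

```shell
#!/bin/sh
# Added triage helpers, not from the original article. Each function takes the
# path it inspects as an argument (defaults are the live-host paths), so the
# same functions can be run against a mounted image or constructed fixtures.

# /etc/ld.so.preload is normally absent or empty; a populated file is how a
# preload-style miner hides from top/ps. Returns 1 and prints the entries if
# any non-comment line is present.
check_preload() {
    f="${1:-/etc/ld.so.preload}"
    [ -s "$f" ] || return 0
    if grep -v '^[[:space:]]*#' "$f" | grep -q '[^[:space:]]'; then
        echo "ld.so.preload is not empty:"
        grep -v '^[[:space:]]*#' "$f"
        return 1
    fi
    return 0
}

# Scan cron files under a directory for download-and-execute one-liners
# (curl/wget piped into a shell, or base64-decoded payloads), the usual
# persistence pattern. Prints file:line:content; returns 1 on any hit.
scan_cron() {
    dir="${1:-/etc/cron.d}"
    pattern='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)'
    hits=$(grep -rEn "$pattern" "$dir" 2>/dev/null || :)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# List running processes whose executable has been unlinked from disk, a
# common sign of a miner that deleted its own binary after starting. Prints
# "PID target"; returns 1 if any were found.
find_deleted_exes() {
    proc="${1:-/proc}"
    found=0
    for p in "$proc"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *'(deleted)') echo "${p##*/} $exe"; found=1 ;;
        esac
    done
    return "$found"
}
```

Called without arguments, each function inspects the live host; run them from a statically linked shell such as the busybox build above, since a library listed in ld.so.preload cannot be injected into a static binary.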