This article chronicles the discovery of a server breach used for cryptocurrency mining, analyzes the malicious Python payload and its system modifications, and provides concrete remediation steps such as system reinstall, non‑root deployment, firewall hardening, and Nginx authentication.
This guide explains what mining trojans are, how to identify their presence through CPU usage, suspicious processes, cron jobs and network activity, and provides step‑by‑step commands for isolating, blocking, and fully cleaning infected Linux hosts to prevent recurrence.
This article shares a step‑by‑step Linux incident‑response workflow, including an automated Bash information‑gathering script, analysis of malicious cron jobs and a 439‑line mining malware, its SSH‑based lateral spread, and practical cleanup procedures with a reusable toolbox on GitHub.
An infected Linux server shows high CPU usage but standard tools miss the culprit; this guide explains how mining malware hides its process via /proc tricks, demonstrates detection using network scans, unhide tools, and offers removal steps to eradicate the hidden miner.
This article walks through a real‑world Linux mining malware infection, detailing how the attacker hid a malicious cron job, used LD_PRELOAD rootkits, propagated via SSH keys, and how the analyst uncovered and removed the threat using busybox, strace, and careful forensic commands.
The Ngrok‑based Doki malware silently scans for Docker API endpoints with weak configurations, hijacks containers to run crypto miners, uses the Dogecoin blockchain for dynamic C2 domains, and evades detection, highlighting the critical need to secure Docker APIs.
This article walks through a real‑world Linux mining malware incident, detailing how the attacker used a malicious crontab entry and LD_PRELOAD to hide processes, the forensic steps to uncover the payload, and practical remediation and hardening measures to prevent future compromises.
Dr.Web’s recent report reveals Linux.BtcMine.174, a sophisticated 1000‑line shell‑script trojan that exploits Dirty COW or CVE‑2013‑2094 for root access, disables dozens of antivirus processes, mines cryptocurrency, and spreads via SSH‑collected hosts, with its components’ SHA‑1 hashes published on GitHub.
The 2018 second‑quarter report by the Ministry of Industry and Information Technology details the monitoring of approximately 18.4 million internet security threats, highlighting compromised user email accounts, attacks on industrial IoT platforms and devices, the rise of illegal cryptocurrency mining, and outlines the major mitigation actions taken, including vulnerability remediation, network protection for major events, and coordinated emergency drills.
The article examines a cryptocurrency mining trojan (sample 101), detailing its process list, malicious startup scripts, SSH key injection, service deployment, removal steps, and offers practical defense measures against such malware infections.
This guide explains how to identify a compromised Linux server caused by hidden cryptocurrency mining malware, kill the malicious processes, clean infected files, and harden the system by reviewing scheduled tasks, startup scripts, user accounts, and SSH configurations.
