This topic uses common mining programs as examples to describe the characteristics of mining programs and how Security Center generates alerts on them and blocks, traces, and analyzes them.

Background information

Mining programs consume a large amount of CPU resources, keep the CPU at full load, and degrade other applications running on the server. Mining programs also behave like computer worms: after a mining program intrudes into a server, it continues to spread to other servers on the same internal network as the victim server and keeps exploiting every host it compromises.

Mining programs can spread to multiple system services and are therefore difficult to remove from the system. They may reappear repeatedly, and system commands may be replaced with malicious scripts, so the system may unknowingly run malware such as XOR DDoS. Therefore, when you clean up a mining program, you must also remove all trojans and persistent webshells from your server as part of the same cleanup.

For more information about how to determine whether an asset contains mining programs, see How do I know whether my assets contain mining programs.

Use Security Center to manage mining programs

Note: Make sure that you use one of the following editions of Security Center: Basic Anti-virus, Advanced, or Enterprise. Only these editions support managing mining programs. Security Center Basic Edition supports only mining program detection and alerting; you cannot use it to handle alerts. To handle alerts, purchase Security Center Basic Anti-virus, Advanced, or Enterprise Edition. For more information, see Purchase Security Center.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. In the alert list, find the specific mining program in the Event column, and then click Processing in the Actions column.
    If a mining program is detected, Security Center generates a mining program alert.
  4. To remove a mining program, select Virus removal and Isolate the source file of the process, and then click Process Now. This prevents the mining program from running again.
  5. For other alerts related to the mining program, for example, mining pool communications, select Block.
    Security Center generates policies to prevent servers from visiting mining pools. This ensures that you have sufficient time to manage security events.
  6. Check alerts on unusual process behavior, and determine whether unusual crontab jobs exist.
  7. Enable virus blocking.
    If you cannot remove all mining programs from your server, the virus blocking feature blocks mining programs and prevents them from running. For more information about how to enable virus blocking, see The anti-virus feature.

    You can also use Security Center to trace intrusion events and analyze how mining programs intrude into your server.


Use other approaches to manage mining programs

To keep control of a compromised host for as long as possible, mining programs may insert a large number of webshells into the victim server. In this case, the malware may be difficult to remove completely.

Assume that you have not purchased Security Center. To detect and manage mining programs, perform the following steps. The following example is based on the Linux operating system.

  1. Query the file path of the mining program.
    ls -l /proc/xxx/exe    # Replace xxx with the process ID of the mining program.
  2. Remove the file of the mining program.
  3. Among the processes that consume the most CPU resources, find and terminate the mining program.
  4. Check whether the firewall of your server contains the address of the mining pool to which the mining program belongs.
    1. Run the following command to check unusual communication addresses and open ports that are not required by normal workloads.
       iptables -L -n
    2. Run the following command to edit the firewall rules and remove the address of the mining pool.
       vi /etc/sysconfig/iptables
  5. Run the following command to check whether crontab jobs exist.
    crontab -l

    You can handle suspicious crontab job files based on the check results to prevent repeated intrusions.

  6. Run the following command to check whether the SSH authorized_keys file contains public keys added by the mining program. Removing such keys eliminates a persistent backdoor (the persistent webshells described above).
    cat ~/.ssh/authorized_keys
  7. Check whether mining programs exist on other servers. This eliminates the risk of infecting other servers deployed in the same internal network.