This topic uses common mining programs as examples to describe the characteristics of mining programs and how Security Center generates alerts for them, blocks them, and traces and analyzes how they intruded into your server.

Background information

Mining programs consume a large share of CPU resources, keep the CPU at full load, and degrade the other applications running on the server. They also behave like computer worms: after a mining program compromises a server, it continues to spread to other servers in the same private network as the victim server and keeps exploiting each compromised host for as long as it goes undetected.

Mining programs typically persist through multiple system services and are therefore difficult to remove completely. They may reappear after removal, and system commands may be replaced with malicious scripts, as the Xor DDoS family does, so that routine administration accidentally relaunches the malware. Therefore, you must remove all Trojans and persistence mechanisms, such as backdoors and webshells, from the server in a single pass while the mining program is contained; any component that is left behind reinstalls the miner.

Use Security Center to manage mining programs

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. In the alert list, find the Mining Software alert in the Event column, and then click Processing in the Actions column.
    Security Center generates a Mining Software alert when it detects a mining program.
  4. To remove the mining program, select Virus removal and Isolate the source file of the process, and then click Process Now. Isolating the source file prevents the mining program from being started again from the same binary.
  5. For other alerts related to the mining program, for example, mining pool communications, select Block.
    Security Center then generates policies that prevent the server from connecting to the mining pool. This stops the miner from earning for the attacker and gives you time to handle the remaining security events.
  6. Check the alerts generated for unusual process behavior, and determine whether unusual crontab tasks exist, because attackers use scheduled tasks to reinstall the miner after it is removed.
  7. Enable virus detection.
    If some mining programs cannot be removed from your server, the virus detection feature blocks them from running. For more information about how to enable virus detection, see The anti-virus feature.

    You can also use Security Center to trace intrusion events and analyze how mining programs intrude into your server.

Use other approaches to manage mining programs

To keep the server mining for as long as possible, attackers who deploy mining programs typically plant a large number of webshells and other backdoors on the victim server. In this case, the infection is difficult to remove completely.

If a server compromised by a mining program is not protected by Security Center, take the following steps to troubleshoot and remove the mining program.

  1. Query the file path of the mining program.
    ls -l /proc/xxx/exe           # xxx represents the PID of the mining program.
    If the link target ends with (deleted), the miner removed its own binary after starting. The running process can still be terminated, and a copy of its image can be taken from /proc/xxx/exe for analysis.
  2. Remove the file of the mining program.
  3. Among the processes that consume the most CPU resources (for example, the top entries in top), find and terminate the mining process.
  4. Check whether the firewall of your server allows traffic to the address of the mining pool used by the mining program.
    1. Run the following command to list the current rules and check for unusual communication addresses and open ports that are not required by normal workloads.
       iptables -L -n
    2. Remove the rules that allow communication with the mining pool. On CentOS and other RHEL-based systems, the persistent rules are stored in the following file; edit it and then reload the firewall so that the change takes effect.
       vi /etc/sysconfig/iptables
  5. Run the following command to scan for crontab tasks, which attackers use to reinstall the mining program after it is removed.
    crontab -l
    Note that crontab -l lists only the crontab of the current user. Also check the crontabs of other users (crontab -l -u <user>), /etc/crontab, and the files in /etc/cron.d.
  6. Run the following command to check whether the attacker added an SSH public key to the authorized_keys file. An injected key is a persistence mechanism that survives the removal of the mining program itself.
    cat ~/.ssh/authorized_keys
    Repeat the check for every account that can log on, including root, and remove any key that you do not recognize.
  7. Check whether mining activities exist on other servers in the same private network. The mining program spreads laterally, and an infected neighbor can reinfect the server you have just cleaned.
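The manual procedure above, steps 1 through 6, as an added example that is not part of the original page or of Security Center: a POSIX sh triage script for Linux that resolves a PID to its binary (and exposes the "(deleted)" case), scans crontab text for download-and-execute patterns, reports authorized_keys entries that are not on an allowlist, and dumps the iptables rules and live connections to common stratum ports. The cron regexes, the stratum port list, the SSH_KEY_ALLOWLIST variable, the --live flag, and the sample inputs are assumptions for illustration, not something the page or the product defines.

```shell
#!/bin/sh
# Added triage script (not from the original page). Wraps the manual checks
# above into functions: resolve a PID to its binary, scan cron entries for
# download-and-execute patterns, compare authorized_keys against an allowlist,
# and dump firewall rules and live connections to common stratum ports.
# ASSUMPTIONS: Linux with procps ps, iproute2 ss and iptables; the regexes,
# port list and allowlist variable below are illustrative, not exhaustive.

# Cron entry patterns typical of miner droppers: curl/wget piped into a
# shell, base64-decoded payloads, binaries staged in world-writable dirs.
CRON_PATTERNS='curl[^|]*[|][[:space:]]*(ba)?sh|wget[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/tmp/|/dev/shm/|/var/tmp/'

# Ports commonly used by stratum mining pools (assumed list; pools vary).
STRATUM_PORTS='3333|4444|5555|7777|14444'

# Allowlist of known-good key blobs, one per line. /dev/null means "none",
# so every key found is reported for review.
ALLOWLIST=${SSH_KEY_ALLOWLIST:-/dev/null}

# exe_path PID: print the binary behind a process. A "(deleted)" suffix
# means the miner unlinked its own file; the process can still be killed.
exe_path() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "(unknown: process exited or /proc unavailable)"
}

# suspicious_cron_lines: read crontab text on stdin, print matching entries
# (comments and blank lines are skipped).
suspicious_cron_lines() {
    grep -vE '^[[:space:]]*(#|$)' | grep -E "$CRON_PATTERNS" || true
}

# unknown_ssh_keys KEYFILE ALLOWFILE: print authorized_keys entries whose
# key blob (the field starting with AAAA, so option prefixes such as
# command="..." are handled) is not listed in ALLOWFILE.
unknown_ssh_keys() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | while read -r line; do
        blob=$(printf '%s\n' "$line" | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit }}')
        grep -qxF -- "$blob" "$2" || printf '%s\n' "$line"
    done
}

# triage_host: run the live checks against this machine (root recommended).
triage_host() {
    echo '== top CPU consumers: PID %CPU COMMAND -> binary =='
    ps -eo pid,pcpu,comm --sort=-pcpu | sed -n '2,6p' | while read -r pid pcpu comm; do
        printf '%s %s %s -> %s\n' "$pid" "$pcpu" "$comm" "$(exe_path "$pid")"
    done

    echo '== suspicious cron entries (system dirs and every user spool) =='
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && suspicious_cron_lines < "$f" | sed "s|^|$f: |"
    done

    echo "== authorized_keys entries not in allowlist ($ALLOWLIST) =="
    awk -F: '{print $6}' /etc/passwd | sort -u | while read -r home; do
        k="$home/.ssh/authorized_keys"
        [ -f "$k" ] && unknown_ssh_keys "$k" "$ALLOWLIST" | sed "s|^|$k: |"
    done

    echo '== firewall rules (look for ACCEPT rules to unfamiliar addresses) =='
    iptables -L -n 2>/dev/null || echo 'iptables not available or not root'

    echo '== live connections to common stratum ports =='
    ss -ntp 2>/dev/null | grep -E ":($STRATUM_PORTS)([[:space:]]|$)" || echo 'none'
}

# Live scan only when asked, so the functions can be sourced and tested safely.
case ${1-} in --live) triage_host ;; esac
```

Run it as root on the suspect host with an assumed file name, for example `SSH_KEY_ALLOWLIST=/root/known_keys.txt sh miner_triage.sh --live`; without an allowlist every authorized key is printed so that each one can be reviewed by hand. The functions operate on plain text, so the same cron and key checks can be run offline against files copied from an isolated server.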