This topic describes the features that are provided by Security Center to handle mining programs. The features include security alerting, virus detection, virus blocking, attack tracing, and attack analysis.

Prerequisites

The Security Center agent is installed and runs as expected on your server. For more information, see Install the Security Center agent and Troubleshoot why the Security Center agent is offline.

Limits

You can handle mining programs that are detected on your server only if you use the Anti-virus, Advanced, Enterprise, or Ultimate edition of Security Center. Security Center Basic supports only threat detection and security alerting; you cannot use it to handle alerts. If you use Security Center Basic, you must purchase the Anti-virus, Advanced, Enterprise, or Ultimate edition before you can handle alerts. For more information, see Purchase Security Center.
Note Security Center provides a 7-day free trial of the Ultimate edition for users of the Basic edition. If you use the Basic edition, you can apply for a free trial of the Ultimate edition. After the application is approved, you can use the Ultimate edition to handle mining programs. For more information about how to apply for a free trial of the Ultimate edition, see Apply for a free trial of Security Center Ultimate.

Characteristics of mining programs

  • Mining programs consume a large share of the CPU resources of your server, which slows down or starves the other applications that run on the server.
  • Mining programs behave like computer worms. After a mining program intrudes into your server, it scans for and spreads to other servers in the same internal network, and then establishes persistence on every server that it compromises.
  • In most cases, mining programs embed themselves in multiple places in the system, such as scheduled tasks, startup scripts, and replaced system commands, and are difficult to remove completely. They may reappear after removal, and a replaced system command may run a malicious script or program, such as Xor DDoS, instead of the original command. You must remove all trojans and persistence mechanisms, such as webshells and scheduled tasks, in the same remediation window in which you remove the mining program. Otherwise, the remaining components re-download and restart the mining program.

Determine whether your assets contain mining programs

If the CPU utilization of your server increases significantly, for example to 80% or higher, and stays there while an unknown process continuously transmits packets, a mining program is most likely running on your server. Confirm this by checking which process consumes the CPU and which remote address it communicates with. For more information, see How can I determine whether my assets contain mining programs?.

Use Security Center to handle mining programs

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. In the alert list, find the alert that Security Center generated for the mining program in the Event column, and click Process in the Actions column.
    Security Center generates an alert as soon as it detects a mining program, so the alert list is the starting point for handling it.
  4. In the dialog box that appears, perform the following operations to remove the mining program: Select Virus removal and Isolate the source file of the process, and click Handle Now. This prevents the mining program from running again.
  5. To handle an alert that is related to mining, for example an alert that is generated for mining pool communications, find the alert, click Process in the Actions column, and then select Block in the dialog box that appears.
    Security Center generates policies that prevent your servers from communicating with the IP addresses of the mining pools. This cuts the mining program off from its pool and gives you time to handle the security event.
  6. View the alerts that are generated for suspicious processes, and check whether unusual scheduled tasks exist on the server. Mining programs commonly use a scheduled task to restart or re-download themselves after they are removed.
  7. Enable the virus blocking feature.
    If you cannot remove a mining program that is retained on your server and the mining program repeatedly appears, enable the virus blocking feature of Security Center to block the mining program and prevent it from running. For more information about how to enable the virus blocking feature, see Use proactive defense.
    • You can use the antivirus feature of Security Center to scan for and remove malicious files that exist on your server. For more information, see Scan for viruses.
    • You can also use the attack source tracing feature of Security Center to trace the intrusion process and analyze how the mining program intruded into your server, so that you close the entry point instead of only removing the miner.

Use other methods to handle mining programs

Mining programs plant persistence mechanisms, such as webshells, scheduled tasks, and SSH keys, in as many places as possible on a victim server so that they keep mining for as long as possible. In this case, the mining program is difficult or impossible to remove unless every persistence mechanism is removed as well.

If you have not purchased Security Center, you can perform the following steps to detect and handle mining programs manually. The following example shows how to handle a mining program on a Linux server.

  1. Identify the mining program among the processes that cause high CPU consumption, for example in the output of top, note its process ID (PID), and query the file path of the program.
    ls -l /proc/xxx/exe           # xxx indicates the process ID (PID) of the mining program. A path that ends with "(deleted)" means that the binary was removed from disk while the process kept running.
  2. Terminate the mining program. If the program is restarted immediately, a watchdog or parent process is protecting it; terminate that process first, and check the scheduled tasks in the following steps.
  3. Remove the file that is used to run the mining program.
  4. Check whether the firewall of your server allows traffic to the mining pool that the mining program connects to.
    1. Run the following command to view the IP addresses and ports that are allowed by the firewall, and look for addresses and ports that are not required for normal workloads.
       iptables -L -n
      To see which remote addresses the mining process is actually communicating with, list the established connections of its PID, for example with ss -tnp.
    2. Delete the rule that allows the address of the mining pool. On CentOS or RHEL systems that use the iptables service, the rules are stored in the following file:
       vi /etc/sysconfig/iptables
      On other systems, list the active rules with iptables -S and delete the rule with iptables -D.
  5. Run the following command to check whether scheduled tasks exist for the current user.
    crontab -l
    Also check the system-wide locations: /etc/crontab, /etc/cron.d/, /etc/cron.hourly/ and the similar directories, and the per-user files in /var/spool/cron/ (or /var/spool/cron/crontabs/ on Debian-based systems). Mining programs commonly add a task that re-downloads and restarts the miner every few minutes.

    You can handle suspicious scheduled task files based on the check results. This prevents repeated intrusions.

  6. Run the following command to check whether an attacker added an SSH public key for persistent access. An unknown key in this file is a backdoor that survives the removal of the mining program.
    cat ~/.ssh/authorized_keys
    Check the file for every account that can log on, in particular /root/.ssh/authorized_keys and /home/*/.ssh/authorized_keys, and delete every key that you did not install.
  7. Check whether mining programs exist on other servers that are deployed in the same internal network, because mining programs spread laterally. This way, you can protect the other servers from mining programs at the earliest opportunity.
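The manual checks above, together with the CPU-utilization check in Determine whether your assets contain mining programs, as one added shell helper. This script is an added example and is not part of Security Center or of this topic. The 80% CPU threshold, the indicator patterns used to flag cron entries, the allowlist file format, and the --scan flag are assumptions; the sample process, cron, and key data in the usage notes are constructed.

```bash
#!/bin/sh
# Added example: manual mining-program triage for a Linux host.
# Not part of Security Center. The CPU threshold, the cron indicator
# patterns and the allowlist format are assumptions; adjust them for your hosts.

CPU_THRESHOLD="${CPU_THRESHOLD:-80}"

# Read `ps -eo pid,pcpu,comm` output on stdin (header included) and print
# "PID COMMAND" for every process at or above the CPU threshold.
high_cpu_procs() {
  awk -v t="$CPU_THRESHOLD" 'NR > 1 && $2 + 0 >= t + 0 { print $1, $3 }'
}

# Resolve the on-disk binary of a PID, the same information as `ls -l /proc/PID/exe`.
# A result ending in "(deleted)" means the file was removed while the miner kept running.
exe_path() {
  readlink "/proc/$1/exe" 2>/dev/null || echo "unknown"
}

# Read crontab text on stdin and print, with line numbers, every non-comment
# entry that downloads something or runs from a world-writable directory.
suspicious_cron_lines() {
  grep -E -n 'curl|wget|base64 -d|/tmp/|/dev/shm/|/var/tmp/' \
    | grep -v -E '^[0-9]+:[[:space:]]*#'
}

# Read authorized_keys text on stdin and print every key whose "type blob" pair
# is not listed in the allowlist file $1 (same format as authorized_keys).
# Lines with leading options such as command="..." are handled.
unknown_ssh_keys() {
  awk -v allow="$1" '
    function keyof(n, f,   i) {
      for (i = 1; i <= n; i++)
        if (f[i] ~ /^(ssh-|ecdsa-|sk-)/) return f[i] " " f[i + 1]
      return ""
    }
    BEGIN {
      while ((getline l < allow) > 0) {
        n = split(l, f, " ")
        k = keyof(n, f)
        if (k != "") ok[k] = 1
      }
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      n = split($0, f, " ")
      k = keyof(n, f)
      if (!(k in ok)) print
    }'
}

# Live scan of this host. The functions above can also be run on saved output.
if [ "${1:-}" = "--scan" ]; then
  echo "== processes at or above ${CPU_THRESHOLD}% CPU (PID COMMAND -> binary) =="
  ps -eo pid,pcpu,comm | high_cpu_procs | while read -r pid comm; do
    echo "$pid $comm -> $(exe_path "$pid")"
  done

  echo "== suspicious scheduled tasks =="
  { crontab -l 2>/dev/null
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null
  } | suspicious_cron_lines || true

  echo "== authorized_keys entries not in ${ALLOWLIST:-/dev/null} =="
  for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
    [ -r "$f" ] && unknown_ssh_keys "${ALLOWLIST:-/dev/null}" < "$f" | sed "s|^|$f: |"
  done

  echo "== established TCP connections (look for unknown remote addresses) =="
  ss -tnp state established 2>/dev/null || netstat -tnp 2>/dev/null
fi
```

Run it as root with bash triage.sh --scan, optionally with ALLOWLIST pointing at a file that holds the public keys you know you installed. The functions read from stdin on purpose: you can also feed them ps, crontab, or authorized_keys output that was collected from another server in the same internal network, which is the step 7 check above, without copying the script to every host.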