In a cloud environment, mining viruses maliciously consume resources such as CPU, causing instances to lag, respond slowly, or even become unreachable via remote connections. This can lead to business disruptions, data leaks, and the spread of risks. You can quickly contain the damage and prevent reinfection by using Security Center or by implementing manual response and protection strategies, such as resetting passwords or keys and blocking IP addresses.
Mining virus alerts
For instances with free security hardening enabled, Security Center sends an alert via SMS or email when a mining program is detected. Go to the Security Alerts page to check for any mining program alerts.

A mining program maintains sustained high CPU usage. Therefore, an instance that is lagging, responding slowly, or is unreachable via remote connection is often the first sign of an infection. If you notice abnormally high CPU load while troubleshooting remote connection issues, refer to this topic for investigation and remediation.
If your server is shut down for the first time due to a mining virus, you can go to the Security Control Events page to unlock it yourself.
After you unlock the server, you must promptly purge the mining program. If mining activity is detected again, the server will be shut down and locked, and you will not be able to unlock it yourself.
Respond to and remove mining viruses
Isolate the infected server
You can isolate an infected ECS instance by modifying its security group rules to restrict public network and SSH access.
-
Log on to the ECS console and go to the Security Groups page.
-
Find the security group to which the target ECS instance belongs and click the security group ID to go to its management page.
-
On the security group rules page, find all inbound rules that allow public access, such as those for RDP and SSH ports. Change the source for these rules to allow access only from specific, trusted IP addresses.
NoteModifying a security group rule affects all ECS instances bound to that security group. Ensure your changes do not unintentionally affect other instances.
Purge the malicious program
Mining programs are often difficult to remove completely. We recommend that you back up your important data and then reinitialize the cloud disk to ensure the program is fully purged.
Security Center
Prerequisites
-
To handle mining virus threats by using Security Center, you must purchase Security Center Anti-virus, Advanced, Enterprise, or Ultimate edition. You can also activate a 7-day free trial of the Enterprise edition to obtain the required security capabilities.
-
Ensure the Security Center agent on the infected server is online. For more information, see Install the agent and Troubleshoot an offline agent.
Step 1: immediate containment
Use the Security Alerts feature in Security Center to quickly stop the mining program by terminating malicious processes and quarantining virus files.
-
Log on to the Security Center console.
-
In the left-side navigation pane, choose . In the upper-left corner of the console, select your asset's region.
-
In the Actions column of the mining alert, click Details to view the alert details.
Use the basic information, event description, and the on the Security Center console to locate the mining program and check for other alerts or suspicious files. You need to determine whether the file that triggered the mining alert is a legitimate business file or a malicious file. If the mining program is associated with other alert events, such as mining pool communication or access to malicious domain names, we recommend handling them together.
-
Click Process Alert. In the dialog box that appears, select Virus Detection and Removal and click Handle.
To handle multiple alerts of the same type or triggered by the same rule, select Process similar alerts at the same time.
-
In the security alerts list, perform the Block operation on other derivative alerts that are generated by the cryptomining event, such as those for mining pool communication behavior.
Security Center generates policies to block the server from accessing the mining pool. This gives you sufficient time to handle the security event. You can also manually add the mining pool IP addresses to a security group to block access. For information about how to add a security group rule, see Add a security group rule.
-
In the security alerts list, check for process behavior anomaly alerts to find and handle any abnormal scheduled tasks.
Step 2: Deep scan
Use the Virus Detection and Removal feature in Security Center to scan your assets. This feature can scan for and clean up malware persistence mechanisms, such as auto-start items and scheduled tasks.
-
Log on to the Security Center console.
-
In the left-side navigation pane, choose . In the upper-left corner of the console, select your asset's region.
-
On the Virus Detection and Removal page, click Scan Now or Rescan. In the Scan Settings panel, set the scan mode and scan scope, then click OK.
Set Scan Mode to Quick Scan and, for the Scan Scope, select the server attacked by the mining program.
-
After the scan is complete, on the Virus Detection and Removal page, in the Actions column for the target alert, click Process.
-
In the Process Alert panel, select Deep Scan and click Next.
After the system processes the alert, you can view the results and status.

Security detection
Use the agentless detection feature of Security Center to perform a comprehensive security scan of the system and data disks of your ECS instances. This feature supports only detection and does not provide remediation. You must handle the detected risk items manually based on the instructions on the risk details page. Agentless detection is a pay-as-you-go feature. For more information, see Agentless detection.
Manual cleanup
Before you perform any cleanup operations, create a snapshot of the server to prevent data loss from operational errors.
Linux
-
Block malicious network communication.
After you discover mining activity on the host, the first step is to block the trojan's network communication to immediately control its impact, as a full incident response can be time-consuming.
-
Run the following command to view the current system network connection status.
netstat -antp
-
In the following commands, replace
c2_addresswith the suspicious remote address (Foreign Address) that is not used by your normal business operations. Then, run the commands to add firewall rules that block all network connections between the server and the suspicious address.iptables -A INPUT -s c2_address -j DROP iptables -A OUTPUT -d c2_address -j DROP
-
-
Delete the mining program and its related files
Mining programs are often difficult to remove completely. Back up your important data and then reinitialize the cloud disk to ensure the program is fully purged.
-
Windows
-
In PowerShell, run the following commands to identify suspicious mining processes based on CPU usage.
ps | sort -des cpu While(1) {ps | sort -des cpu | select -f 15 | ft -a; sleep 1; cls} -
Run the following command to view the file path of the mining process and the parameters in its startup command.
wmic process where processid=xxx get processid,executablepath,commandline,name // xxx indicates the process PID -
End the mining process and delete the mining files.
-
Run the following command to check for suspicious network ports on the host.
netstat -ano | findstr xxx // xxx indicates the suspicious network port -
Run the following command to check if the hosts file contains mining pool addresses used by the mining program.
type C:\Windows\System32\drivers\etc\hosts -
Run the following command to check for scheduled tasks configured by the mining program.
schtasks /query
Recommendations
After cleanup, follow these recommendations to prevent reinfection:
-
Reset passwords and keys: The instance's passwords or keys may have been compromised. Change all user passwords and SSH keys promptly to prevent reinfection. If you use a password as a logon credential, avoid using a weak password.
-
Fix vulnerabilities: Patch known vulnerabilities and regularly apply security updates to the operating system and applications such as Redis and Jenkins.
-
Back up data: Regularly create snapshots of important data and system configurations to enable quick restoration after an incident.
Related documents
Best practices for defending against mining programs: The IPS module of Cloud Firewall uses vulnerability intelligence and virtual patching to track and defend against network exploits from most mining worms, blocking virus propagation.
FAQ
How to fix the "Operation not permitted" error?
After writing persistence files such as scheduled tasks and auto-start items, some mining viruses set an immutable (immutable) attribute on these files to prevent them from being deleted.

As shown in the figure above, run the chattr -i [filename] command to remove the attribute, and then delete the file.
Why does the mining program reappear?
This usually happens because only the main virus program was deleted, while its persistence mechanisms (such as a scheduled task or auto-start service) were not removed. The virus uses these backdoors to re-download and run itself, causing it to reappear. Be sure to follow the steps in Purge the malicious program to thoroughly investigate all persistence methods.




