All Products
Search
Document Center

Elastic Compute Service:Mining virus response and protection

Last Updated:Jun 24, 2026

In a cloud environment, mining viruses maliciously consume resources such as CPU, causing instances to lag, respond slowly, or even become unreachable via remote connections. This can lead to business disruptions, data leaks, and the spread of risks. You can quickly contain the damage and prevent reinfection by using Security Center or by implementing manual response and protection strategies, such as resetting passwords or keys and blocking IP addresses.

Mining virus alerts

For instances with free security hardening enabled, Security Center sends an alert via SMS or email when a mining program is detected. Go to the Security Alerts page to check for any mining program alerts.

挖矿告警

Note

A mining program maintains sustained high CPU usage. Therefore, an instance that is lagging, responding slowly, or is unreachable via remote connection is often the first sign of an infection. If you notice abnormally high CPU load while troubleshooting remote connection issues, refer to this topic for investigation and remediation.

Important

If your server is shut down for the first time due to a mining virus, you can go to the Security Control Events page to unlock it yourself.

After you unlock the server, you must promptly purge the mining program. If mining activity is detected again, the server will be shut down and locked, and you will not be able to unlock it yourself.

Respond to and remove mining viruses

Isolate the infected server

You can isolate an infected ECS instance by modifying its security group rules to restrict public network and SSH access.

  1. Log on to the ECS console and go to the Security Groups page.

  2. Find the security group to which the target ECS instance belongs and click the security group ID to go to its management page.

  3. On the security group rules page, find all inbound rules that allow public access, such as those for RDP and SSH ports. Change the source for these rules to allow access only from specific, trusted IP addresses.

    Note

    Modifying a security group rule affects all ECS instances bound to that security group. Ensure your changes do not unintentionally affect other instances.

Purge the malicious program

Mining programs are often difficult to remove completely. We recommend that you back up your important data and then reinitialize the cloud disk to ensure the program is fully purged.

Security Center

Prerequisites

Step 1: immediate containment

Use the Security Alerts feature in Security Center to quickly stop the mining program by terminating malicious processes and quarantining virus files.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Threat Analysis and Response > Security Alerts. In the upper-left corner of the console, select your asset's region.

  3. In the Actions column of the mining alert, click Details to view the alert details.

    Use the basic information, event description, and the on the Security Center console to locate the mining program and check for other alerts or suspicious files. You need to determine whether the file that triggered the mining alert is a legitimate business file or a malicious file. If the mining program is associated with other alert events, such as mining pool communication or access to malicious domain names, we recommend handling them together.

  4. Click Process Alert. In the dialog box that appears, select Virus Detection and Removal and click Handle.

    To handle multiple alerts of the same type or triggered by the same rule, select Process similar alerts at the same time.

  5. In the security alerts list, perform the Block operation on other derivative alerts that are generated by the cryptomining event, such as those for mining pool communication behavior.

    Security Center generates policies to block the server from accessing the mining pool. This gives you sufficient time to handle the security event. You can also manually add the mining pool IP addresses to a security group to block access. For information about how to add a security group rule, see Add a security group rule.

  6. In the security alerts list, check for process behavior anomaly alerts to find and handle any abnormal scheduled tasks.

Step 2: Deep scan

Use the Virus Detection and Removal feature in Security Center to scan your assets. This feature can scan for and clean up malware persistence mechanisms, such as auto-start items and scheduled tasks.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Detection and Removal. In the upper-left corner of the console, select your asset's region.

  3. On the Virus Detection and Removal page, click Scan Now or Rescan. In the Scan Settings panel, set the scan mode and scan scope, then click OK.

    Set Scan Mode to Quick Scan and, for the Scan Scope, select the server attacked by the mining program.

  4. After the scan is complete, on the Virus Detection and Removal page, in the Actions column for the target alert, click Process.

  5. In the Process Alert panel, select Deep Scan and click Next.

    After the system processes the alert, you can view the results and status.

    image

Security detection

Use the agentless detection feature of Security Center to perform a comprehensive security scan of the system and data disks of your ECS instances. This feature supports only detection and does not provide remediation. You must handle the detected risk items manually based on the instructions on the risk details page. Agentless detection is a pay-as-you-go feature. For more information, see Agentless detection.

Agentless detection

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Agentless Detection. In the upper-left corner of the console, select your asset's region.

  3. On the Agentless Detection page, in the Host Security Check panel, click Detect Now.

  4. In the Detect Now panel, configure the settings as described in the following table and click OK.

    • Scan Scope: We recommend scanning the data disk for broader vulnerability and alert detection coverage.

    • Image Retention Duration:

      • The value can range from 1 to 365 days.

      • You are charged for creating images. The longer you retain the images, the higher the fees.

        Important

        If you select Retain Only At-risk Image, the system automatically deletes threat-free images after the scan is complete.

  5. After the detection task is complete, view the results for vulnerabilities, baseline checks, security alerts, and sensitive files.

    Promptly handle the risks according to the instructions on the risk details page.

    image

Manual cleanup

Before you perform any cleanup operations, create a snapshot of the server to prevent data loss from operational errors.

Linux

  1. Block malicious network communication.

    After you discover mining activity on the host, the first step is to block the trojan's network communication to immediately control its impact, as a full incident response can be time-consuming.

    1. Run the following command to view the current system network connection status.

      netstat -antp

      image

    2. In the following commands, replace c2_address with the suspicious remote address (Foreign Address) that is not used by your normal business operations. Then, run the commands to add firewall rules that block all network connections between the server and the suspicious address.

      iptables -A INPUT -s c2_address -j DROP
      iptables -A OUTPUT -d c2_address -j DROP
  2. Delete the mining program and its related files

    Mining programs are often difficult to remove completely. Back up your important data and then reinitialize the cloud disk to ensure the program is fully purged.

    • Purge scheduled tasks

      Mining trojans often use scheduled tasks to periodically download (update) and run themselves. Simply removing the mining process and trojan files will not eradicate the program and may lead to recurring infections.

      Investigate the following scheduled task files and delete any tasks related to downloading and running the mining trojan.

      1. View the scheduled tasks for the current user or a specified user (username).

        crontab -l
        crontab -u username -l
      2. Check all scheduled task files on the host.

        /etc/crontab
        /var/spool/cron/
        /etc/anacrontab
        /etc/cron.d/
        /etc/cron.hourly/
        /etc/cron.daily/
        /etc/cron.weekly/
        /etc/cron.monthly/
    • Purge auto-start service entries

      1. Run the following command to check all auto-start services on the system.

        systemctl list-unit-files | grep enabled
      2. Find the unit file of the suspicious service and check its details.

        Replace * with the service name and <service_unit_name> with the service unit file name.

        ls -al /etc/systemd/system/*.service
        ls -al /usr/lib/systemd/system/*.service
        
        # View service details (the process file started by the service)
        cat /etc/systemd/system/<service_unit_name>.service
      3. If you find a malicious auto-start service, use the following commands to disable the service and delete its unit file.

        Replace <service_name> with the service name and <service_unit_name> with the service unit file name.

        systemctl disable <service_name>
        rm /etc/systemd/system/<service_unit_name>.service
        rm /usr/lib/systemd/system/<service_unit_name>.service
      4. Check the following service paths for auto-start services and clean them up by using the steps above.

        /etc/rc.local
        /etc/inittab
        /etc/rc.d/
        /etc/init.d/
    • Purge SSH public keys

      Mining trojans often add an attacker's SSH public key to the ~/.ssh/authorized_keys file. This allows the attacker to log in to the victim's host without a password and re-implant malicious files. You need to check the ~/.ssh/authorized_keys file and immediately delete any suspicious public keys.

    • Purge .so hijacking

      By setting preloaded .so files in the /etc/ld.so.preload file, attackers can hijack common system commands like top/ps/netstat to hide the mining process.

      1. Run the following command to check for preloaded .so files.

        cat /etc/ld.so.preload
      2. Run the following command to remove the preload hijacking.

        echo > /etc/ld.so.preload
    • Purge malicious accounts

      Some mining trojan families create a new backdoor account to maintain long-term control of the victim's host. Run the following commands to check for malicious accounts, then manually delete the relevant account information.

      1. Check logs for recent account creation activity.

        cat /var/log/audit/audit.log | grep useradd
        # Or
        cat /var/log/secure | grep 'new user'
      2. Check the /etc/passwd file for suspicious accounts.

        cut -d: -f1 /etc/passwd
      3. Check the creation or last active time of a suspicious account by examining its home directory. Pay special attention to recently created home directories.

        stat /home/guest/
    • Purge the mining trojan process

      Mining processes typically consume high CPU resources. You can use the following commands to investigate suspicious mining processes.

      1. Find processes that are consuming high CPU.

        top -c

        image

        ps -eo pid,ppid,cmd,%cpu --sort=-%cpu | more

        image

      2. Check for abnormal network connection behavior.

        netstat -antp

        image

      3. Get the file path of the suspicious process.

        ls -al /proc/$PID/exe
      4. Calculate the MD5 hash of the process file and query the file information on the Alibaba Cloud Threat Intelligence platform.

        md5sum /proc/$PID/exe

        image

      5. Run the following commands to terminate the mining process and delete the mining file.

        kill -9 $PID
        # Delete the process path obtained from ls -al /proc/$PID/exe
        rm /path/to/executable

Windows

  1. In PowerShell, run the following commands to identify suspicious mining processes based on CPU usage.

     ps | sort -des cpu
     While(1) {ps | sort -des cpu | select -f 15 | ft -a; sleep 1; cls}
  2. Run the following command to view the file path of the mining process and the parameters in its startup command.

    wmic process where processid=xxx get processid,executablepath,commandline,name     // xxx indicates the process PID
  3. End the mining process and delete the mining files.

  4. Run the following command to check for suspicious network ports on the host.

    netstat -ano | findstr xxx            // xxx indicates the suspicious network port
  5. Run the following command to check if the hosts file contains mining pool addresses used by the mining program.

    type  C:\Windows\System32\drivers\etc\hosts
  6. Run the following command to check for scheduled tasks configured by the mining program.

    schtasks /query

Recommendations

After cleanup, follow these recommendations to prevent reinfection:

  • Reset passwords and keys: The instance's passwords or keys may have been compromised. Change all user passwords and SSH keys promptly to prevent reinfection. If you use a password as a logon credential, avoid using a weak password.

  • Fix vulnerabilities: Patch known vulnerabilities and regularly apply security updates to the operating system and applications such as Redis and Jenkins.

  • Back up data: Regularly create snapshots of important data and system configurations to enable quick restoration after an incident. 

Related documents

Best practices for defending against mining programs: The IPS module of Cloud Firewall uses vulnerability intelligence and virtual patching to track and defend against network exploits from most mining worms, blocking virus propagation.

FAQ

How to fix the "Operation not permitted" error?

After writing persistence files such as scheduled tasks and auto-start items, some mining viruses set an immutable (immutable) attribute on these files to prevent them from being deleted.

image

As shown in the figure above, run the chattr -i [filename] command to remove the attribute, and then delete the file.

Why does the mining program reappear?

This usually happens because only the main virus program was deleted, while its persistence mechanisms (such as a scheduled task or auto-start service) were not removed. The virus uses these backdoors to re-download and run itself, causing it to reappear. Be sure to follow the steps in Purge the malicious program to thoroughly investigate all persistence methods.