Cryptojacking is the unauthorized use of your server's CPU to mine cryptocurrency. Attackers exploit vulnerabilities or weak credentials to install mining software, which runs silently in the background consuming your resources and increasing your costs.
Signs of Cryptojacking
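# High sustained CPU usage
top
# Look for unknown processes using 90-100% CPU
# Common miner process names: xmrig, minerd, kworker (fake), [kthreadd] (fake)
# A name alone proves nothing: a genuine kernel thread has no executable behind
# it, so an imposter shows up as a real binary here
#   ls -l /proc/<PID>/exe
# Check CPU usage over time
sar -u 1 10
# If CPU is consistently above 80% with no known workload, investigate
# Unusual process names — pgrep -a prints PID plus full command line and, unlike
# "ps aux | grep", never matches its own command line
pgrep -afi 'xmrig|minerd|crypto|stratum|pool'
# Network connections to mining pools — anchor on the ":port" of the peer
# address so the digits cannot match a PID or an IP octet by accident
ss -tnp | grep -E ':(3333|4444|5555|8888|14444)\b'
# Process names in ss output are only shown for other users' sockets when run as root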
# Mining pools typically use these ports
Detection Methods
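# 1. Check for known mining processes
ps aux | awk 'NR>1 && $3>80{print $0}' # Processes using >80% CPU (NR>1 skips the header)
# ps/top read /proc and can be lied to by an LD_PRELOAD rootkit; a non-empty
# /etc/ld.so.preload on a host that never configured one is itself a finding
cat /etc/ld.so.preload 2>/dev/null
# 2. Check crontabs for persistence
crontab -l
sudo ls -la /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/
sudo cat /etc/crontab
# Every account, not just the one you are logged in as. "read -r" avoids
# word-splitting on odd user names; crontab -u needs root to read other users' tables
while IFS=: read -r user _; do
  echo "=== $user ==="; sudo crontab -u "$user" -l 2>/dev/null
done < /etc/passwd
# 3. Check for modified system files
rpm -Va 2>/dev/null # RHEL-based
debsums -c 2>/dev/null # Debian-based
# 4. Check for unusual network connections
# -H drops the header line so it is not counted; column 5 is the peer address:port
ss -Htnp | awk '{print $5}' | sort | uniq -c | sort -rn | head -20
# 5. Check systemd for rogue services and timers (timers are a common persistence
# spot that "list-units --type=service" does not show)
systemctl list-units --type=service --state=running | grep -v "systemd\|network\|ssh\|cron\|rsyslog"
systemctl list-timers --all
# 6. Look in common hiding spots
ls -la /tmp/ /var/tmp/ /dev/shm/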
find /tmp /var/tmp /dev/shm -type f -executable 2>/dev/null
Prevention
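# 1. Keep software updated
sudo apt update && sudo apt upgrade -y
# 2. Disable password SSH authentication
# PasswordAuthentication no in /etc/ssh/sshd_config
# Validate the config before restarting so a typo cannot lock you out
sudo sshd -t && sudo systemctl restart ssh
# 3. Use a firewall — block outbound to mining pools
# Port blocking is a speed bump, not a control: pools also listen on 443 and
# miners can be proxied. Prefer a default-deny OUTPUT policy with an allow-list
# of the destinations this host legitimately needs. The rule below is not
# persistent across reboots (see iptables-persistent or nftables).
sudo iptables -A OUTPUT -p tcp -m multiport --dports 3333,4444,5555 -j DROP
# 4. Monitor CPU usage with alerts
# Set up a cron job to alert on sustained high CPU
# 5. Use fail2ban for brute-force protection
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
# 6. Restrict outbound DNS to known resolvers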
# Prevents miners from resolving pool domains
Removal
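# Run this section as root.
# 1. Kill the mining process
# Freeze it first so a watchdog cannot respawn it, and record what it was before
# it is gone: the binary is often deleted from disk, leaving /proc/<pid>/exe as
# the only copy. (kill -9 with an empty $(pgrep ...) is a usage error; pkill is not.)
evidence=$(mktemp -d /root/evidence.XXXXXX)
for pid in $(pgrep -f 'xmrig|minerd'); do
  kill -STOP "$pid"
  ls -l "/proc/$pid/exe" >> "$evidence/processes.txt"
  tr '\0' ' ' < "/proc/$pid/cmdline" >> "$evidence/processes.txt"; echo >> "$evidence/processes.txt"
  cp "/proc/$pid/exe" "$evidence/exe.$pid" 2>/dev/null
done
pkill -9 -f 'xmrig|minerd'
# 2. Remove persistence mechanisms
# Check and clean: crontabs, systemd services and timers, /etc/rc.local
# Check: ~/.bashrc, ~/.profile for startup commands
# Check: ~/.ssh/authorized_keys of every account for keys you did not add
# 3. Remove the malware files
# The parentheses are required: without them -delete binds only to the minerd
# branch and every xmrig match is silently left in place. /proc and /sys are
# pruned so find does not walk process memory. Moving into the evidence dir
# instead of -delete keeps a copy for later analysis.
find / \( -path /proc -o -path /sys \) -prune -o \( -name "xmrig*" -o -name "minerd*" \) -exec mv -t "$evidence/" {} + 2>/dev/null
# 4. Change all passwords and SSH keys
sudo passwd root
# Regenerate SSH host keys (clients will see a "host key changed" warning afterwards)
sudo rm /etc/ssh/ssh_host_*
sudo dpkg-reconfigure openssh-server
# 5. Investigate the entry point and patch it
# 6. Consider rebuilding from a clean image
# If you cannot determine the full extent of compromise,
# a clean rebuild is the safest option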