Server Wizards
· Incident Response

How We Caught and Killed a Cryptominer on a Production Server

“The server’s running hot and everything’s slow.” When CPU is pinned at 100% day and night with no legitimate explanation, cryptojacking is high on the suspect list. Here’s how we confirmed it and cleaned up.

The symptom: someone else’s profit, your electricity

Cryptojacking malware hijacks your server’s CPU to mine cryptocurrency for an attacker. It’s noisy by nature — mining needs compute — which is exactly what makes it detectable.

Tracking down the process

The miner was eating all the CPU, so finding it started simply, but miners often hide behind innocuous names and restart themselves:

# Top CPU consumers, with full command lines
top -c

# What is that PID actually running, and from where? A link that ends in
# "(deleted)" means the binary was removed after launch, a classic miner trick.
ls -l /proc/<pid>/exe
# cmdline is NUL-separated, so turn the NULs into spaces
cat /proc/<pid>/cmdline | tr '\0' ' '

# Check for persistence: user and system cron, plus systemd timers
crontab -l; ls -la /etc/cron.*; systemctl list-timers

The binary lived in a temp directory, was relaunched by a malicious cron entry, and connected out to a mining pool. Killing the process alone would have been useless — it would just respawn.
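The manual steps above can be folded into a small triage script. The one below is an added example, not code from the Server Wizards post: it walks the top CPU consumers, resolves each one's binary and command line from /proc, and tags processes whose command line speaks the stratum pool protocol or whose binary lives in a temp directory or was deleted after launch, then scans cron for the same kind of indicators. The path patterns, the miner strings and the 50% CPU threshold are assumptions chosen for illustration; treat hits as leads to inspect, not verdicts.

```shell
#!/bin/sh
# Cryptominer triage helper (added example; heuristics are assumptions).

CPU_THRESHOLD=${CPU_THRESHOLD:-50}   # percent CPU that earns a closer look

# True (exit 0) when an executable path looks like a drop location:
# world-writable temp dirs, hidden directories, or a binary deleted after
# launch (Linux appends " (deleted)" to the /proc/<pid>/exe link target).
is_suspicious_exe() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*|*/.*|*"(deleted)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when a crontab line references a temp dir, a download-and-run
# pipeline, or a base64-decoded payload. Comments and blank lines are skipped.
is_suspicious_cron() {
  case "$1" in
    ""|\#*) return 1 ;;
    */tmp/*|*/dev/shm/*|*curl*"|"*sh*|*wget*"|"*sh*|*base64*-d*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify a process from its resolved exe path ($1) and full command line
# ($2). Echoes MINER-LIKE, SUSPECT-PATH or ok so a report can be grepped.
# stratum is the protocol miners use to talk to pools; the other strings are
# an assumed indicator list to extend for your environment.
classify_process() {
  case "$2" in
    *stratum+tcp://*|*stratum+ssl://*|*--donate-level*|*xmrig*|*minerd*)
      echo MINER-LIKE; return 0 ;;
  esac
  if is_suspicious_exe "$1"; then echo SUSPECT-PATH; return 0; fi
  echo ok
}

# Report one live PID: what runs, from where, and a verdict.
triage_pid() {
  pid=$1
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="(unreadable)"
  cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")
  printf '%s pid=%s exe=%s cmd=%s\n' \
    "$(classify_process "$exe" "$cmd")" "$pid" "$exe" "$cmd"
}

# Walk every process above the CPU threshold (pid, %cpu, command name).
triage_host() {
  ps -eo pid,pcpu,comm 2>/dev/null |
    awk -v t="$CPU_THRESHOLD" 'NR > 1 && $2 + 0 >= t { print $1 }' |
    while read -r pid; do triage_pid "$pid"; done
}

# Persistence review: the invoking user's crontab plus system cron locations.
review_cron() {
  { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } |
    while IFS= read -r line; do
      if is_suspicious_cron "$line"; then echo "SUSPECT-CRON $line"; fi
    done
}

# Run the scan when executed on a Linux host with ps available.
if command -v ps >/dev/null 2>&1 && [ -d /proc/1 ]; then
  triage_host
  review_cron
fi
```

Run it as the user whose crontab you want checked (root for the system-wide view); the MINER-LIKE and SUSPECT-PATH tags are meant to be grepped out of the report and followed up by hand, since a hidden directory under a home folder or a deleted binary can also be a legitimate package upgrade in progress.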

Full cleanup

  • Removed the malicious cron jobs and systemd units providing persistence
  • Killed the miner and deleted its binaries
  • Blocked outbound traffic to the mining pool and reviewed all egress
  • Found and patched the vulnerable, internet-exposed service that allowed initial access
  • Audited users and keys for anything the attacker left behind
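Two of those steps are easy to do half-heartedly: "deleted its binaries" throws away the evidence you need to work out what else the attacker did, and "audited users and keys" is hard to do consistently by eye. The helpers below are an added example, not code from the Server Wizards post. They quarantine a binary with its hash instead of deleting it, flag password-file entries worth a second look, and list recently changed authorized_keys files and the keys inside them. The directory layout (/root/.ssh, /home/*/.ssh) and the thresholds are assumptions.

```shell
#!/bin/sh
# Post-cleanup audit helpers (added example; layout and heuristics assumed).

# Preserve a miner binary for analysis instead of simply deleting it: record
# its hash and original path, move it into a quarantine directory, and drop
# all permissions. Prints the quarantined path.
# Usage: quarantine_binary /tmp/.x/miner /var/quarantine
quarantine_binary() {
  src=$1; qdir=$2
  mkdir -p "$qdir" || return 1
  dest="$qdir/$(basename "$src").$(date +%s)"
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$src"
  else
    shasum -a 256 "$src"   # macOS / BSD fallback
  fi >> "$qdir/MANIFEST"
  mv "$src" "$dest" && chmod 000 "$dest" && echo "$dest"
}

# Flag password-file entries an attacker commonly adds or abuses: extra
# UID-0 accounts, and regular accounts (UID >= 1000) with an interactive
# shell, which should all be names you recognise.
# Usage: audit_passwd /etc/passwd
audit_passwd() {
  awk -F: '
    $3 == 0 && $1 != "root" { print "EXTRA-UID0 " $1 }
    $3 >= 1000 && $1 != "nobody" && $7 !~ /(nologin|false)$/ {
      print "LOGIN-SHELL " $1 ":" $3
    }
  ' "$1"
}

# authorized_keys files modified within the last N days below a root
# directory (/ on the live host, or the mount point of a disk image).
# Usage: recent_authorized_keys / 7
recent_authorized_keys() {
  find "$1/root/.ssh" "$1/home" -name authorized_keys -mtime -"$2" 2>/dev/null
}

# One line per key: first field (key type, or the options prefix) and the
# trailing comment, which is where an unfamiliar key usually shows itself.
# Usage: list_keys /home/deploy/.ssh/authorized_keys
list_keys() {
  awk 'NF >= 2 && $1 !~ /^#/ {
    c = ""
    for (i = 3; i <= NF; i++) c = c (i > 3 ? " " : "") $i
    if (c == "") c = "(no comment)"
    print $1, c
  }' "$1"
}
```

Typical use after the process and cron entries are gone: `quarantine_binary` on each dropped file, `audit_passwd /etc/passwd`, then `recent_authorized_keys / 30 | while read -r f; do echo "== $f"; list_keys "$f"; done` and compare every comment against the keys you expect to be there.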

The lesson

Cryptominers are often the “polite” outcome of a compromise — the same hole could just as easily have been used to steal data or deploy ransomware. Treat a miner as proof that something needs patching, and always hunt for the entry point.

Need this handled for you?

Server Wizards looks after Linux infrastructure so you don’t have to — proactively, and around the clock.

