Linux · Recovery Guide

    How to Spot a Cryptominer or High-CPU Malware on Linux

    Unmask hidden threats: learn to identify the tell-tale signs of unusual CPU activity and maintain your Linux system's performance and security.

    Recognising the Symptoms of a Compromised System

    A cryptominer or high-CPU malware often leaves discernible traces that can impact your system's performance and stability. Being aware of these symptoms is the first step in identifying a potential infection.

    • Unexpectedly high CPU usage, even when the computer is idle or performing light tasks.
    • Your computer's fan running loudly and continuously, indicating increased heat generation.
    • A general sluggishness or unresponsiveness of the system, making common tasks frustratingly slow.
    • Your battery draining much faster than usual on laptops or portable devices.
    • Unexplained network activity or increased data usage, especially if you have a limited data plan.

    These symptoms alone don't confirm malware, but they warrant further investigation and should not be ignored.

    Investigating with System Monitoring Tools

    Linux offers several powerful command-line tools to monitor system resources. These tools can help you pinpoint processes consuming excessive CPU and identify potential rogue applications.

    1. Open your terminal and type top. This command provides a dynamic real-time view of running processes. Look for processes consuming a high percentage under the 'CPU%' column.
    2. Alternatively, use htop for a more interactive and visually appealing process viewer. You might need to install it first with sudo apt install htop.
    3. To see which processes are using the most CPU, you can sort the output in top by pressing P (for CPU usage). In htop, you can click on the 'CPU%' column header.
    4. Pay close attention to unfamiliar process names, and to processes with legitimate-looking names (for example, one named like 'systemd') that are consuming an unusually high amount of CPU.

    Before acting on any suspicious process, note its process ID (PID) and the user it's running under.

    Checking Process Details and Locations

    Once you've identified a suspicious process, it's crucial to gather more information about it, including its full command and file path, to confirm if it's legitimate or malicious.

    1. With the PID of the suspicious process, use ps aux | grep <PID> to display detailed information, including the full command that launched it.
    2. Examine the output for the full path of the executable. Malware often runs from obscure or temporary directories, such as /tmp or hidden folders within your home directory.
    3. Check the user associated with the process. If a system-level process is running under a regular user's account, it could be suspicious.
    4. Look for unusual arguments or flags in the command line that might suggest a hidden or malicious intent.

    Do not delete or modify any files or processes at this stage, as this could destabilise your system or destroy forensic evidence.

    Verifying Network Connections and Open Ports

    Cryptominers and other malware often establish network connections to communicate with command-and-control servers or to transfer mined cryptocurrency. Checking network activity can provide further evidence.

    • Use netstat -tulnp to list all active network connections and listening ports, along with the process IDs and program names.
    • Look for unfamiliar outbound connections to unusual IP addresses or ports.
    • Cross-reference the process IDs from the network connections with the suspicious processes you identified earlier.
    • You can use lsof -i to get a similar list of internet and network files opened by processes.
    • Pay attention to connections to known cryptocurrency pools or regions you don't typically connect to.

    Legitimate applications also use network connections, so always verify suspicious connections against expected behaviour.
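The checks above (high CPU, odd executable location, then the user and PID to follow up on) can be run over the output of ps in one pass. The script below is an added example written for this guide, not part of the original article; the PIDs, user names, paths and command lines in SAMPLE_PS are constructed, and the 50% threshold and the list of directories treated as odd are assumptions you should adjust for your hosts.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,user,pcpu,args --no-headers` output.
# Every PID, user and path here is invented for the example.
SAMPLE_PS='1 root 0.0 /sbin/init
842 www-data 1.2 /usr/sbin/nginx -g daemon off;
1337 alice 97.5 /tmp/.x/kswapd0 --threads=4
2048 root 71.0 /usr/bin/python3 /usr/lib/foo.py
3011 alice 0.4 /dev/shm/.hidden/update --background'

# Classify an executable path as "suspicious" or "ok" using the locations the
# guide calls out: world-writable temp directories and hidden directories
# (any "/." component, including hidden directories under $HOME).
classify_path() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*) echo suspicious ;;
    */.*) echo suspicious ;;
    *) echo ok ;;
  esac
}

# Print "PID USER CPU EXE REASON" for each row of ps-style text ($1) whose CPU
# exceeds the threshold ($2, default 50) or whose executable path is suspicious.
find_suspects() {
  threshold="${2:-50}"
  printf '%s\n' "$1" | while read -r pid user cpu args; do
    exe="${args%% *}"              # first word of the command line
    reason=""
    if [ "$(classify_path "$exe")" = suspicious ]; then
      reason="odd-path"
    fi
    if awk -v c="$cpu" -v t="$threshold" 'BEGIN { exit !(c + 0 > t + 0) }'; then
      reason="${reason:+$reason,}high-cpu"
    fi
    if [ -n "$reason" ]; then
      echo "$pid $user $cpu $exe $reason"
    fi
  done
}

# On a live host, feed real ps output instead of the sample, then gather
# read-only evidence for each hit before touching anything:
#   find_suspects "$(ps -eo pid,user,pcpu,args --no-headers)"
#   ls -l /proc/<PID>/exe        # real binary; shows "(deleted)" if unlinked
#   tr '\0' ' ' </proc/<PID>/cmdline
#   ss -tunp | grep "pid=<PID>,"  # sockets owned by that process
find_suspects "$SAMPLE_PS"
```

Each output line names the PID and user to record before any further action, which is the information the guide says to gather first.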
