Information Security 8 min read

How Malware Hides Its Mining Process on Linux and How to Uncover It

An infected Linux server shows high CPU usage but standard tools miss the culprit; this guide explains how mining malware hides its process via /proc tricks, demonstrates detection using network scans, unhide tools, and offers removal steps to eradicate the hidden miner.

macrozheng

CPU Soars

A friend reported that his server's CPU was constantly at high utilization, yet commands like top and ps could not reveal the offending process, leading him to suspect a mining virus.

Checking the server's network connections uncovered suspicious activity. A Shodan lookup of the offending IP showed several open ports, including 4444, 5555, and 7777. The connection on port 7777 returned the string "mining pool!", confirming an active miner.

How Processes Hide

On Linux, process-listing tools such as ps and top enumerate the /proc filesystem. Because Linux follows the "everything is a file" philosophy, each running process appears as a numeric directory under /proc, and the tools simply read those entries.

To hide a process, attackers can employ several techniques:

Command Replacement

Replace the binaries of ps, top, etc., with modified versions that filter out the malicious PID.

Module Injection

Compile a shared object (.so) that hooks functions like readdir/readdir64 to skip the hidden PID, then load it via LD_PRELOAD or /etc/ld.so.preload.

Kernel‑Level Hiding

Load a kernel module that intercepts the relevant system calls in kernel space. This provides more robust concealment, at the cost of higher technical complexity.

Catching the Mining Process

Standard tools cannot see the hidden process, but the unhide utility can enumerate /proc/pid entries, skip its own PID and any PID visible to ps, and flag the rest as hidden. The logic is:

1. Iterate over /proc/pid/ for every pid from 1 to max_pid.
2. If the directory does not exist, skip it.
3. If it is the unhide process itself, skip it.
4. If the PID appears in ps output, skip it.
5. Otherwise, treat it as a hidden process.

A Python script based on this logic successfully listed the hidden miner's threads. Examining /proc/pid/fd revealed an open socket whose inode (10212) corresponded to a TCP entry with destination port 7777, confirming the mining connection:

cat /proc/net/tcp | grep 10212

Further inspection of /proc/pid/environ identified the executable, and a quick web search showed the binary is a known mining trojan.
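The unhide logic and the fd-to-/proc/net/tcp lookup described above, as an added example in Python (the post does not reproduce the author's own script). It assumes Linux, a procps ps, and root privileges for reading other processes' fd directories; the /proc/net/tcp parsing follows the kernel's documented column layout.

```python
import os
import re
import subprocess

PROC = "/proc"

def ps_ids():
    """PIDs and thread IDs that ps reports; a hooked or replaced ps may omit some."""
    out = subprocess.run(["ps", "-eLo", "lwp="], capture_output=True, text=True).stdout
    return {int(x) for x in out.split()}

def existing_ids(max_pid, proc=PROC):
    """Probe /proc/<n> for every n up to pid_max instead of listing /proc: a readdir
    hook can drop entries from the listing, but stat() on the path still succeeds.
    Threads are found too, because /proc/<tid> exists even though ls does not show it."""
    return [n for n in range(1, max_pid + 1) if os.path.isdir(f"{proc}/{n}")]

def classify_hidden(existing, visible, self_pid):
    """The unhide rule: exists in /proc, is not us, and is not shown by ps."""
    return [n for n in existing if n != self_pid and n not in visible]

def socket_inode(link_target):
    """'socket:[10212]' -> 10212; any other fd link target -> None."""
    m = re.match(r"socket:\[(\d+)\]$", link_target)
    return int(m.group(1)) if m else None

def parse_proc_net_tcp(text):
    """Map socket inode -> (remote IPv4, remote port) from /proc/net/tcp text."""
    table = {}
    for line in text.splitlines()[1:]:  # first row is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip_hex, port_hex = f[2].split(":")  # rem_address: host-order (little-endian) hex
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        table[int(f[9])] = (ip, int(port_hex, 16))  # column 9 is the socket inode
    return table

def remote_endpoints(pid, tcp_table, proc=PROC):
    """Remote peers of the process's TCP sockets (reading another process's fds needs root)."""
    fd_dir = f"{proc}/{pid}/fd"
    try:
        inodes = {socket_inode(os.readlink(f"{fd_dir}/{fd}")) for fd in os.listdir(fd_dir)}
    except OSError:  # no permission, or the process exited mid-scan
        return []
    return [tcp_table[i] for i in inodes if i in tcp_table]

if __name__ == "__main__":
    max_pid = int(open(f"{PROC}/sys/kernel/pid_max").read())  # full sweep takes seconds
    tcp = parse_proc_net_tcp(open(f"{PROC}/net/tcp").read())
    for n in classify_hidden(existing_ids(max_pid), ps_ids(), os.getpid()):
        print(n, remote_endpoints(n, tcp))
```

A hidden PID whose endpoint list shows a remote port such as 7777 is the candidate to examine via /proc/pid/environ and /proc/pid/exe next.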

Mining Malware Analysis

Static analysis of the downloaded malware showed it is packed. After unpacking, the binary modifies /root/.ssh/authorized_keys to add an RSA key, creating a persistent backdoor.

The malware also contacts a large list of domains, indicating a command‑and‑control infrastructure.

Removal Recommendations

1. Enable SELinux.
2. Terminate the mining process.
3. Delete the malicious binaries (verify that rm has not been hijacked).
4. Remove any malicious kernel modules.
5. Erase added SSH credentials.
6. Block the attacker's IPs and ports with a firewall.

These steps help eradicate the hidden miner and prevent future reinfection.

Tags: Linux, information security, malware analysis, process hiding, cryptocurrency mining

Written by macrozheng

Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. The author's GitHub project "mall" has 50K+ stars.
