Server was injected with a mining program
A mining program is malware that takes over the host's computing resources to mine virtual currency. The affected host typically shows high CPU usage and often carries other related malicious programs. The miner also kills some other services, such as Nginx.
Find the high CPU usage processes
top
Look for an abnormal process named "kswapd0" (not the default 'kswapd0' process). Make a note of the PID.
Find the physical file path of the process
ls -l /proc/<PID>/exe
Kill the process
kill <PID>
Verify if the process is killed
top
pgrep -x <process_name>
# pgrep -x kswapd0
If the process is automatically restarted immediately, temporarily turn off swap, and then turn it on after fixing the problem.
# turn off
swapoff -a
# turn on
swapon -a
Remove the physical file (the path shown by 'ls -l /proc/<PID>/exe')
rm -rf <physical_folder_or_file>
Check for any other folders or files that have copies.
find / -name <process_name>
Remove the malicious folder/files as well.
Check Cron Jobs
crontab -l
Remove bad cron jobs by editing the content
crontab -e
Reset 'root' password and reboot server
passwd root
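One way to tell the abnormal "kswapd0" from the default one, as an added example that is not part of the original page: a genuine kernel thread has no /proc/<PID>/exe target and an empty /proc/<PID>/cmdline, so a process with that name that has either one is a userland program. The function name find_impostors and its optional proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# find_impostors NAME [PROC_ROOT]
# Prints "PID EXE_PATH" for every userland process whose name is NAME.
# Genuine kernel threads (such as the real kswapd0) are skipped because
# they have no executable on disk and no command line.
# PROC_ROOT defaults to /proc; it is a parameter only so the check can be
# pointed at a copied or constructed proc tree.
find_impostors() {
    name=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        [ "$(cat "$dir/comm" 2>/dev/null)" = "$name" ] || continue
        # exe is a symlink to the binary; it cannot be resolved for kernel
        # threads. A removed binary still shows up as "<path> (deleted)".
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""
        # cmdline is NUL-separated; /proc files report size 0, so read it
        # instead of testing the file size.
        args=$(tr -d '\000' 2>/dev/null < "$dir/cmdline") || args=""
        if [ -n "$exe" ] || [ -n "$args" ]; then
            echo "${dir##*/} ${exe:-unknown}"
        fi
    done
    return 0
}

# Run as root so the exe links of other users' processes can be read.
find_impostors kswapd0
```

Each PID printed is a candidate for the kill and file-removal steps above; no output means only the kernel's own thread carries that name.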