Detecting Crypto Miners on Linux
Crypto mining malware is one of the most common outcomes of Linux server compromise. The attacker lands on a box, downloads a miner like xmrig, connects it to a public pool, and turns your CPU budget into someone else's revenue stream.
Unlike ransomware, miners usually do not break the host immediately. They stay quiet, consume resources, blend into long-lived workloads, and can run for weeks before anyone notices. By that point, you have already paid in compute cost, degraded performance, and lost response time.
What crypto miners do on Linux
A typical Linux miner infection follows a simple path:
- the attacker gains shell access or exploits a vulnerable service;
- a miner binary is dropped or downloaded from the internet;
- the miner connects to a public mining pool using the Stratum protocol;
- the process stays running in the background and continuously consumes CPU or GPU resources.
Common miner families include xmrig, cpuminer, ethminer, nbminer, teamredminer, and many renamed or repackaged variants.
Why crypto miners are easy to miss
- They often use legitimate outbound connections rather than obvious C2 traffic.
- They can run under generic process names or be wrapped in shell scripts.
- Server performance degradation is frequently misdiagnosed as “load”, “backup”, or “database pressure”.
- Signature-based AV is unreliable against renamed binaries and simple repacks.
To catch miners reliably, you need host telemetry that answers three questions at once: what process started, where did it connect, and what domain did it resolve.
How SecureExec detects crypto miners
SecureExec includes a built-in crypto_miner detection rule.
The Linux agent collects the relevant telemetry:
- process creation events with executable name and full command line;
- outbound network connections with destination IP and port;
- DNS query events with the queried domain.
On the server, the crypto_miner built-in rule raises an alert when it sees any of these signals:
- a known miner process name such as xmrig, cpuminer, ethminer, cgminer, nbminer, or teamredminer;
- miner-specific command-line patterns such as stratum+tcp://, --donate-level, --pool-address, --coin xmr, or --algo kawpow;
- outbound connections to mining-pool-specific ports such as 14433, 14444, or 45700;
- DNS queries to known pool domains such as minexmr.com, moneroocean.stream, 2miners.com, supportxmr.com, nicehash.com, or ethermine.org.
The rule also excludes obvious local infrastructure traffic like loopback, RFC-1918 private ranges, and private IPv6 ranges so you do not get noise from internal services.
Why this approach works
Miner detection becomes much stronger when you combine multiple low-level signals:
- a renamed miner may evade simple process-name matching, but its command line still reveals Stratum usage;
- a generic process name may look harmless, but the DNS query to a mining pool is not;
- a single network connection on its own may be ambiguous, but process + DNS + pool port together create a high-confidence alert.
This is behavioral detection, not a static signature lookup.
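The following is an added example, not SecureExec's own rule code: a small Python evaluator that applies the four signals listed above to constructed process, connection and DNS events, applies the loopback/RFC-1918/private-IPv6 exclusion, and reports how many distinct signal types fired as a rough confidence. It assumes a simple dict-per-event telemetry shape and suffix matching on pool domains (so pool.minexmr.com matches minexmr.com); both are assumptions, not the product's format.

```python
import ipaddress

# Indicators as listed in the rule description on this page.
MINER_NAMES = {"xmrig", "cpuminer", "ethminer", "cgminer", "nbminer", "teamredminer"}
CMDLINE_PATTERNS = ("stratum+tcp://", "--donate-level", "--pool-address", "--coin xmr", "--algo kawpow")
POOL_PORTS = {14433, 14444, 45700}
POOL_DOMAINS = {"minexmr.com", "moneroocean.stream", "2miners.com",
                "supportxmr.com", "nicehash.com", "ethermine.org"}
# Excluded destinations: loopback, RFC-1918 private ranges, private IPv6 (fc00::/7).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)  # mixed IPv4/IPv6 compares as False

def domain_matches(qname):
    # Assumption: subdomains of a listed pool domain count as matches.
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in POOL_DOMAINS)

def evaluate(events):
    """Return (signal_name, event) pairs; any single signal is enough to alert."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            if ev["exe"].rsplit("/", 1)[-1].lower() in MINER_NAMES:
                hits.append(("miner_process_name", ev))
            if any(p in ev.get("cmdline", "").lower() for p in CMDLINE_PATTERNS):
                hits.append(("miner_cmdline", ev))
        elif ev["type"] == "netconn":
            if ev["dport"] in POOL_PORTS and not is_internal(ev["dst"]):
                hits.append(("pool_port", ev))
        elif ev["type"] == "dns":
            if domain_matches(ev["qname"]):
                hits.append(("pool_domain", ev))
    return hits

def alert(events):
    signals = sorted({name for name, _ in evaluate(events)})
    # Confidence = number of distinct signal types; 3 means process + DNS + pool port agree.
    return {"alert": bool(signals), "signals": signals, "confidence": len(signals)}

# Constructed sample telemetry: a renamed miner whose command line still reveals Stratum usage,
# the DNS lookup it made, its outbound pool connection, and an internal connection to be excluded.
SAMPLE_EVENTS = [
    {"type": "process", "exe": "/tmp/kworkerd",
     "cmdline": "kworkerd -o stratum+tcp://pool.minexmr.com:14444 -u WALLET_PLACEHOLDER"},
    {"type": "dns", "qname": "pool.minexmr.com"},
    {"type": "netconn", "dst": "203.0.113.10", "dport": 14444},
    {"type": "netconn", "dst": "10.0.0.5", "dport": 14444},
]

if __name__ == "__main__":
    print(alert(SAMPLE_EVENTS))
```

The renamed binary misses the process-name check but is still caught three ways, while the internal 10.0.0.5 connection on port 14444 is correctly ignored.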
What you see in an alert
When the crypto_miner rule fires, SecureExec gives you the context needed to investigate quickly:
- the process name and command line;
- the destination IP address and port;
- the DNS query that preceded the connection;
- the parent process and process tree;
- correlated host events in Elasticsearch for pivoting.
That lets you answer the important questions immediately: how the miner was launched, whether it was dropped by another payload, and what infrastructure it is talking to.
Why built-in detection matters
Most teams do not want to write and tune mining rules from scratch. You need something that works on day one, is opinionated enough to be useful, and avoids the obvious false positives that come from generic port-only matching.
SecureExec ships the crypto_miner rule built in, so you can start detecting mining activity as soon as the agent is deployed.
Try it on your fleet
If you want built-in crypto miner detection on Linux servers without writing custom rules, SecureExec already includes it out of the box.
Try SecureExec to detect crypto miners in real time with process, DNS, and network visibility on your Linux hosts.