Unauthorized Cryptominer
An unauthorized cryptominer is a host that has been compromised and is running cryptocurrency mining software (for example XMRig, which mines Monero) without the owner's consent. The miner consumes CPU/GPU time and keeps a long-lived outbound connection to a mining pool, usually speaking the Stratum protocol. Mining malware is typically delivered through vulnerable or misconfigured web applications, exposed container and cloud management APIs, weak SSH credentials, or browser-based JavaScript miners (cryptojacking). A miner is rarely destructive on its own, but it exhausts resources, inflates cloud bills, and is proof that an attacker has code execution on the host, so it should be treated as a full compromise rather than a nuisance.
🔍Indicators
- Sustained near-100% CPU utilization on one or more cores with no correlated legitimate workload
- Persistent outbound connections to known mining pool domains/IPs (e.g., pool.minexmr.com, xmr.pool.minergate.com) on ports 3333, 4444, 5555, 14444
- Stratum protocol traffic: JSON-RPC messages with method "mining.subscribe" (Bitcoin-style pools) or method "login" (Monero/XMRig pools); the payload is only visible in cleartext sessions, over TLS you see just the destination and the long-lived connection
- Unexpected cron jobs, systemd services, or startup scripts referencing mining binaries
- New processes with innocuous-sounding names (kdevtmpfsi, kworker, sysupdate) but high CPU, especially when ps shows a userland executable path rather than a bracketed kernel thread name
- Outbound DNS queries for mining pool hostnames
- Memory usage anomalies from processes that should not use significant RAM
🛡Detection Methods
Process inspection
# Find high-CPU processes (%CPU exceeds 100 for a multi-threaded miner)
ps aux --sort=-%cpu | head -20
# Check for known miner binary names; the -name alternatives are grouped so -type f applies to all of them
find / -type f \( -name "xmrig" -o -name "minerd" -o -name "kdevtmpfsi" \) 2>/dev/null
# List recently modified executables in world-writable scratch directories
find /tmp /var/tmp /dev/shm -type f -executable -mtime -7
Network connection analysis
# Established connections whose peer port is a default mining pool port (filter on dport, not on the local port)
ss -tnp state established '( dport = :3333 or dport = :4444 or dport = :5555 or dport = :14444 or dport = :45700 )'
# Capture Stratum handshake traffic; -l line-buffers tcpdump so grep sees packets as they arrive. Cleartext pools only.
sudo tcpdump -i eth0 -l -A 'tcp port 3333 or tcp port 4444' | grep -i "mining\|stratum\|subscribe\|login"
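The commands above look at processes and sockets separately. The script below, an added example that is not part of the original page, correlates the two views the way an analyst does during triage: it parses ps aux and ss -tnp output (constructed samples with fictional PIDs, paths and addresses, using documentation IP ranges), then flags processes that masquerade as kernel threads, run from a scratch directory, or hold a connection to a default pool port. A genuine kernel thread is printed by ps in brackets and owns no sockets, which is the check that separates a real kworker from a miner named kworker. The weights and the 80% CPU threshold are assumptions to tune.

```python
"""Correlate ps and ss output to find likely miners (added example, not from the page)."""
import os
import re

POOL_PORTS = {3333, 4444, 5555, 14444, 45700}
# Names real kernel threads use; ps prints a real one bracketed, e.g. [kworker/0:1]
KTHREAD_NAMES = {"kworker", "kdevtmpfsi", "kthreadd", "ksoftirqd", "kswapd0", "sysupdate"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed weights: a pool-port connection alone is enough to flag (throttled miners keep CPU low)
WEIGHTS = {"high-cpu": 1, "masquerades-as-kernel-thread": 2, "exec-in-scratch-dir": 2, "pool-port": 3}

# Constructed sample of `ps aux --sort=-%cpu` output (fictional PIDs and paths)
PS_SAMPLE = """\
USER  PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
www   2187 396  1.2 2301000 98000 ?   Sl   10:02 57:11 /tmp/.X11-unix/kworker --tls
root    12  0.3  0.0       0     0 ?   S    09:00  0:04 [kworker/0:1]
root   901  2.1  0.5   71000 18000 ?   Ss   09:00  0:31 /usr/sbin/nginx -g daemon on
postgr 1120 45.0  8.0  500000 320000 ? Ss   09:00  9:02 postgres: checkpointer
"""
# Constructed sample of `ss -tnp` output (documentation IP ranges)
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 203.0.113.77:3333 users:(("kworker",pid=2187,fd=4))
ESTAB 0 0 10.0.0.5:443 198.51.100.9:60012 users:(("nginx",pid=901,fd=12))
ESTAB 0 0 10.0.0.5:51240 203.0.113.77:443 users:(("kworker",pid=2187,fd=5))
"""


def parse_ps(text):
    """Map pid -> (cpu percent, full command). ps aux has 11 columns; COMMAND may contain spaces."""
    procs = {}
    for line in text.splitlines()[1:]:
        cols = line.split(None, 10)
        if len(cols) < 11:
            continue
        procs[int(cols[1])] = (float(cols[2]), cols[10])
    return procs


def parse_ss(text):
    """Map pid -> set of peer ports for established TCP sockets."""
    peers = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6 or cols[0] != "ESTAB":
            continue
        port = int(cols[4].rsplit(":", 1)[1])   # rsplit keeps IPv6 peers intact
        for pid in re.findall(r"pid=(\d+)", cols[5]):
            peers.setdefault(int(pid), set()).add(port)
    return peers


def triage(ps_text, ss_text, cpu_threshold=80.0):
    """Return findings (dicts with pid, cpu, cmd, score, reasons), highest score first."""
    procs, peers = parse_ps(ps_text), parse_ss(ss_text)
    findings = []
    for pid, (cpu, cmd) in procs.items():
        reasons = []
        if cpu >= cpu_threshold:
            reasons.append("high-cpu")
        exe = cmd.split()[0]
        # Unbracketed process whose basename is a kernel-thread name: userland binary hiding in plain sight
        if not exe.startswith("[") and os.path.basename(exe) in KTHREAD_NAMES:
            reasons.append("masquerades-as-kernel-thread")
        if exe.startswith(SCRATCH_DIRS):
            reasons.append("exec-in-scratch-dir")
        for port in sorted(peers.get(pid, set()) & POOL_PORTS):
            reasons.append(f"pool-port:{port}")
        score = sum(WEIGHTS[r.split(":")[0]] for r in reasons)
        if score >= 2:   # a single high-CPU hit by itself is not enough
            findings.append({"pid": pid, "cpu": cpu, "cmd": cmd, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(PS_SAMPLE, SS_SAMPLE):
        print(f"pid {f['pid']} score {f['score']} cpu {f['cpu']}% {f['cmd']!r}: {', '.join(f['reasons'])}")
```

On a live host feed it the real output (`ps aux` and `ss -tnp`) instead of the samples. Note that the second kworker socket in the sample goes to port 443 and would pass a port-only rule; the process is still flagged because the other signals stack up, which is why correlation beats any single indicator.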
iptables - block known mining pool ports
# Log first, then drop, so the blocked host and destination end up in the kernel log
iptables -A OUTPUT -p tcp --dport 3333 -j LOG --log-prefix "MINER-POOL: "
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 4444 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 14444 -j DROP
# Port rules only stop pools on their default ports; a miner pointed at a pool or proxy on 443 walks past them, so treat this as a tripwire, not a control
Snort rule
alert tcp $HOME_NET any -> any 3333:5555 \
(msg:"Cryptocurrency Mining Pool Connection - Stratum Protocol"; \
flow:to_server,established; \
content:"mining.subscribe"; nocase; \
classtype:policy-violation; sid:9100023; rev:1;)
This rule matches only the Bitcoin-style Stratum v1 handshake. XMRig and other Monero miners send a JSON-RPC "login" method instead, and a pool reached over TLS exposes no payload at all, so pair it with destination-based (domain/IP) rules rather than relying on content matching.
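The indicators section and the Snort rule above both key on Stratum message content. The following classifier is an added example, not code from the original page: it takes newline-delimited JSON-RPC lines (as captured from a cleartext session with tcpdump or a proxy) and labels each as Bitcoin-style Stratum v1, the Monero/XMRig dialect, or neither, so you can see why a "mining.subscribe" signature alone misses an XMRig session. The sample messages are constructed; the wallet address and job blob are placeholders, and the agent strings are assumptions about what those miners send.

```python
"""Classify JSON-RPC lines as Stratum mining traffic (added example, not from the page)."""
import json

# Bitcoin-style Stratum v1 methods (what the Snort rule above looks for)
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                      "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe"}
# Monero/XMRig JSON-RPC dialect: the client logs in, the pool answers with a job
XMR_METHODS = {"login", "submit", "getjob", "keepalived"}
XMR_JOB_KEYS = {"blob", "job_id", "target"}   # fields a pool returns inside a job

# Constructed sample stream (placeholders, not real pool data)
SAMPLE = [
    '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}',
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4PLACEHOLDER","pass":"x",'
    '"agent":"XMRig/6.21.0","algo":["rx/0"]}}',
    '{"id":1,"jsonrpc":"2.0","result":{"id":"abc","job":{"blob":"0e0e...","job_id":"1",'
    '"target":"b88d0600","algo":"rx/0"},"status":"OK"},"error":null}',
    '{"id":2,"jsonrpc":"2.0","method":"keepalived","params":{"id":"abc"}}',
    '{"jsonrpc":"2.0","method":"textDocument/hover","params":{}}',   # JSON-RPC, but an editor protocol
    'GET / HTTP/1.1',
    '{"id":3,"method":"mining.submit","params":["worker1","job","00000000","5f3e","abcd1234"]}',
]


def classify(line):
    """Return (dialect, detail); dialect is "stratum-v1", "stratum-xmr" or None."""
    line = line.strip()
    if not line.startswith("{"):
        return None, "not JSON-RPC"
    try:
        msg = json.loads(line)
    except ValueError:
        return None, "malformed JSON"
    if not isinstance(msg, dict):
        return None, "not a JSON object"
    method, params = msg.get("method"), msg.get("params")
    if method in STRATUM_V1_METHODS:
        # v1 params are positional; the miner's user agent is the first param of subscribe
        agent = params[0] if method == "mining.subscribe" and isinstance(params, list) and params else ""
        return "stratum-v1", f"{method} agent={agent!r}"
    if method in XMR_METHODS:
        # XMR params are an object; only login carries the agent string
        agent = params.get("agent", "") if isinstance(params, dict) else ""
        return "stratum-xmr", f"{method} agent={agent!r}"
    # Pool -> miner direction: a login response or getjob result carrying a job
    result = msg.get("result")
    if isinstance(result, dict):
        job = result.get("job", result)
        if isinstance(job, dict) and XMR_JOB_KEYS <= set(job):
            return "stratum-xmr", "pool job (blob/job_id/target)"
    return None, "JSON-RPC but not Stratum"


def scan(lines):
    """Classify every line; return per-dialect counts and the list of (line_no, dialect, detail) hits."""
    counts = {"stratum-v1": 0, "stratum-xmr": 0}
    hits = []
    for n, line in enumerate(lines, 1):
        dialect, detail = classify(line)
        if dialect:
            counts[dialect] += 1
            hits.append((n, dialect, detail))
    return counts, hits


if __name__ == "__main__":
    counts, hits = scan(SAMPLE)
    for n, dialect, detail in hits:
        print(f"line {n}: {dialect}: {detail}")
    print(counts)
```

Run it over the sample and only the first and last lines would have tripped the "mining.subscribe" signature; the XMRig login, the pool's job reply and the keepalive are all flagged here by method name and response shape instead. Treat a single "submit" as weak evidence on its own, since other JSON-RPC services use that method name; the login/job exchange is the strong signal.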
✅Mitigation
- Isolate the compromised host immediately from the network to prevent lateral movement.
- Terminate mining processes and remove persistence mechanisms (cron jobs, systemd units, startup scripts).
- Identify the initial access vector: check web server logs, SSH auth logs, and application vulnerability reports.
- Patch the exploited vulnerability before restoring the host to production.
- Block outbound connections to known mining pool ports (3333, 4444, 5555, 14444, 45700) at the firewall, and where possible move servers to an egress allowlist: pools and Stratum proxies also listen on 443, which a port denylist never catches.
- Deploy DNS-based blocking using RPZ (Response Policy Zones) or DNS sinkholes for known mining pool domains, and alert on the sinkholed lookups so the infected host is identified.
- Enable CPU monitoring alerts (CloudWatch, Datadog, Prometheus); sustained >80% CPU for >5 minutes on a host with no matching workload should open an incident. Throttled miners deliberately stay under such thresholds, so also alert on new processes that hold steady, moderate CPU for hours.
- Audit cloud IAM permissions: cryptominers often use stolen credentials to provision additional compute, so revoke unused permissions and alert on unexpected instance launches.
- For browser-based cryptojacking: serve a strict Content Security Policy (CSP) that disallows inline scripts and limits script-src to an allowlist of origins, and enforce Subresource Integrity (SRI) for third-party scripts so a tampered CDN copy is refused.
📋Real-World Examples
In 2018, Tesla's AWS-hosted Kubernetes environment was compromised by cryptominers who found a Kubernetes dashboard exposed to the internet without authentication. The attackers ran mining software inside a pod, pointed it at an unlisted pool endpoint fronted by CloudFlare rather than a well-known pool, and kept CPU usage low to stay under monitoring thresholds; the same pod exposed AWS credentials that granted access to an S3 bucket containing sensitive data. The intrusion was found by researchers at the cloud security firm RedLock, who reported it to Tesla. In 2019, Palo Alto Networks' Unit 42 documented 'Graboid', a cryptomining worm that spread through unsecured Docker daemon APIs exposed to the internet, pulling its images from Docker Hub and mining only intermittently on each host; it had reached more than 2,000 Docker hosts when it was reported.