Mining Trojan Emergency Response Guide
1. Preliminary assessment
Confirming whether a mining Trojan is actually present
- Hosts implanted with a mining Trojan show soaring CPU usage, system freezes, and some services failing to run normally.
- Check the Tianyan traffic analysis for downloads from dangerous external sites that are then followed by the local execution of mining commands.
- The mining Trojan establishes a connection to the mining pool address; check for external connections and requests to remote IPs. On Windows, run
netstat -ano
to list all connections and listening ports together with the PID of the owning process.
Gathering information on the mining Trojan
Check the creation time of the mining Trojan file, the creation time of the scheduled task, the mining pool address, and, via a security monitoring device, the time of the first connection to the mining pool address.
Determining the spread of the mining Trojan
Security monitoring equipment can be used to determine the extent of the mining activity.
Understanding the network deployment environment
Network architecture, host inventory, system types, related security equipment (such as traffic-analysis and log-monitoring devices), etc.
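The checks above (high CPU plus an established connection to an outside address, then noting the remote endpoint for the mining pool lookup) can be scripted so that pasted netstat output is triaged consistently. The following Python script is an added example, not part of the original guide: it parses `netstat -ano` output, keeps only ESTABLISHED TCP connections to addresses outside an analyst-supplied list of internal ranges, and ranks the owning PIDs by whether they also exceed a CPU threshold. The netstat text, the per-process CPU figures, the PIDs and the internal network list are constructed assumptions for illustration; the 203.0.113.x and 198.51.100.x hosts are documentation addresses standing in for real remote endpoints.

```python
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output (Windows layout). Addresses, ports and PIDs
# are made up for illustration; 203.0.113.x / 198.51.100.x are documentation
# addresses standing in for real remote hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.15:49712        10.0.0.20:445          ESTABLISHED     4
  TCP    10.0.0.15:49801        203.0.113.77:3333      ESTABLISHED     5120
  TCP    10.0.0.15:49802        203.0.113.77:3333      ESTABLISHED     5120
  TCP    10.0.0.15:49910        198.51.100.9:443       ESTABLISHED     2208
  TCP    [::1]:49700            [::1]:5985             ESTABLISHED     1488
  UDP    0.0.0.0:5353           *:*                                    1340
"""

# Constructed per-process CPU percentages, as read from Task Manager or
# `tasklist` / Get-Process. Assumed values, not real measurements.
SAMPLE_CPU_PERCENT = {5120: 97.4, 2208: 1.1, 4: 0.2, 912: 0.0, 1488: 0.5}

# Ranges the analyst treats as internal; edit to match the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)]


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port); port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP row of `netstat -ano`; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":   # UDP rows have no State column
            continue
        remote_ip, remote_port = split_endpoint(parts[2])
        rows.append({"remote_ip": remote_ip, "remote_port": remote_port,
                     "state": parts[3], "pid": int(parts[4])})
    return rows


def is_external(ip_text):
    """True when the address lies outside every range in INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # '*' or a hostname: cannot classify, do not flag
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_connections(rows):
    """Map PID -> sorted distinct external (ip, port) endpoints it has ESTABLISHED."""
    by_pid = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED" and is_external(r["remote_ip"]):
            by_pid[r["pid"]].add((r["remote_ip"], r["remote_port"]))
    return {pid: sorted(eps) for pid, eps in by_pid.items()}


def triage(netstat_text, cpu_percent, cpu_threshold=80.0):
    """Rank PIDs holding external connections; those also above the CPU threshold
    come first, since sustained high CPU plus an outbound connection is the
    combination the guide names for a mining process. Remote endpoints are kept
    so the analyst can check them against known mining pool addresses."""
    conns = external_connections(parse_netstat(netstat_text))
    report = []
    for pid, endpoints in conns.items():
        cpu = cpu_percent.get(pid, 0.0)
        report.append({"pid": pid, "cpu": cpu, "high_cpu": cpu >= cpu_threshold,
                       "remote_endpoints": endpoints})
    report.sort(key=lambda r: (not r["high_cpu"], -r["cpu"], r["pid"]))
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_NETSTAT, SAMPLE_CPU_PERCENT):
        flag = "CHECK" if entry["high_cpu"] else "     "
        print(f"{flag} PID {entry['pid']:>6}  CPU {entry['cpu']:5.1f}%  ->",
              entry["remote_endpoints"])
```

Feed it the real `netstat -ano` output and CPU figures from the affected host in place of the constructed samples; the PIDs it lists first are the ones whose binary path, file creation time and associated scheduled tasks should be examined next, and their remote endpoints are the candidates for the mining pool address.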
2. Quarantine the infected server/host
Once mining activity is discovered, the affected server/host should be isolated promptly without disrupting the business, for example by disabling ports and services not needed for business use and configuring ACL whitelists. Non-critical business systems should be taken offline and isolated before the investigation begins.