Updated on 2026-02-25 GMT+08:00

Troubleshooting Process

This section describes how to troubleshoot security issues in a Linux server.

Procedure

  1. Check whether abnormal processes exist on the server.

    Query command: top

    Check whether abnormal processes exist based on CPU usage and process names. For example, a suspicious process whose CPU usage exceeds 100% (that is, it is consuming more than one full CPU core).

  2. Check the file directory based on the PID of the abnormal process.

    Query command: lsof -p PID (for example, lsof -p 25267), which lists the files the process has open, including its executable and working directory.

  3. Locate abnormal files, which are marked with xmr or mine.

    1. View the files in the directory: ll -art (ll is the usual alias for ls -l; -a includes hidden files and -rt sorts by modification time, newest last)

    2. Query the Trojan path: pwd

      Detect files that contain abnormal addresses: strings file_name | grep xmr (for example, strings config.json | grep xmr)

      You are advised to check the following directories: /etc (configuration files), /tmp (temporary files), and /bin (executable files).

      • For user commands: /lib holds library files, /etc holds configuration files, and /sbin holds executable files.
      • For management commands: /lib holds library files, /etc holds configuration files, /usr holds shared read-only files, and /usr/local holds third-party software.

    3. Check whether the URL found in the file (xmr.flooder.org:80 in this example) is a mining pool.
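The following script is an added example that is not part of the original page; it strings steps 1 to 3 together so they can be repeated on several servers without retyping the commands. It assumes a Linux host with GNU ps (for --sort), a mounted /proc, readlink, tr and grep; the config.json it writes is constructed for the demo and only reuses the pool address quoted above. The mining-pool lookup in step 3 remains a manual check.

```shell
#!/bin/sh
# Added triage helper for steps 1-3 (not code from the original page).
# Assumes a Linux host with GNU ps (for --sort), /proc, readlink, tr and grep.
# The sample config.json written below is constructed for the demo.

# Indicator patterns named on the page: file contents marked with "xmr" or "mine".
MINER_PATTERNS='xmr|mine'

# Step 1: keep "pid pcpu comm" lines whose CPU usage exceeds a threshold (default 80).
# Reads from stdin so it can be run on captured output as well as live ps data.
filter_high_cpu() {
    awk -v t="${1:-80}" '$2 + 0 > t { print $1, $2, $3 }'
}

# Live wrapper: highest CPU consumers first, as "top" would show them.
list_high_cpu() {
    ps -eo pid=,pcpu=,comm= --sort=-pcpu | filter_high_cpu "${1:-80}"
}

# Step 2: executable path and working directory of a PID from /proc
# (the same facts "lsof -p PID" reports, without needing lsof installed).
describe_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    printf 'exe: %s\ncwd: %s\n' "$(readlink "/proc/$pid/exe")" "$(readlink "/proc/$pid/cwd")"
}

# Step 3: print printable strings in a file that match the miner indicators.
# tr splits the file into printable runs, so binaries can be scanned like "strings".
# The function's status is grep's: 1 when nothing matches.
find_miner_strings() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -Ei "$MINER_PATTERNS"
}

# Demo on constructed data: a config file containing the pool address from the page.
SAMPLE_CONFIG=$(mktemp)
printf '{\n  "url": "xmr.flooder.org:80",\n  "user": "wallet-placeholder",\n  "pass": "x"\n}\n' > "$SAMPLE_CONFIG"

echo "== processes above 80% CPU =="
list_high_cpu 80
echo "== this shell, as lsof -p would describe it =="
describe_pid "$$" || true
echo "== miner indicators in $SAMPLE_CONFIG =="
find_miner_strings "$SAMPLE_CONFIG" || echo "(none)"
```

The pattern "mine" is deliberately broad, so expect false positives on words such as "determine"; treat a hit as a reason to read the file, not as proof. Run find_miner_strings against the working directory reported by describe_pid and against the directories listed above (/etc, /tmp, /bin).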

  4. View the permissions of the server user.

    Query command: cat /etc/passwd | grep username (for example, cat /etc/passwd | grep bash, which lists every account whose login shell is bash)

    Accounts whose shell is nologin cannot log in. You are advised to check the accounts that have a login shell.

  5. Check the abnormal login records from the server login logs.

    Query command: cat file_name | grep Acc | grep username (for example, cat secure | grep Acc | grep oracle; Acc matches the "Accepted" entries that sshd writes for successful logins)

    Review successful logins for suspicious activity, focusing on the period around the suspected Trojan implantation time.

    For each login time, check the source IP addresses and the login frequency (including the number of successful and failed logins). A large number of logins or attempts from abnormal IP addresses indicates that a brute-force attack may have taken place.
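The script below is an added example for steps 4 and 5, not code from the original page. It assumes sshd-style entries in the secure log ("Accepted <method> for USER from IP ..." and "Failed password for USER from IP ..."); the passwd and log samples it writes are constructed, using the 203.0.113.0/24 and 198.51.100.0/24 documentation address ranges, and the brute-force threshold of 10 failures is an assumed default.

```shell
#!/bin/sh
# Added example for steps 4 and 5 (not code from the original page).
# Assumes sshd-style secure-log entries. The passwd and log samples below are
# constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

# Step 4: accounts that can actually log in, i.e. whose shell is not nologin or false.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Step 5a: successful logins as "date time user ip", optionally for one user.
# The user follows the keyword "for" and the source address follows "from".
successful_logins() {
    grep 'Accepted' "$1" | awk -v u="${2:-}" '
        { usr = ""; ip = ""
          for (i = 1; i <= NF; i++) { if ($i == "for") usr = $(i + 1); if ($i == "from") ip = $(i + 1) }
          if (u == "" || usr == u) print $1, $2, $3, usr, ip }'
}

# Step 5b: successful and failed attempts per source IP address.
login_counts_by_ip() {
    awk '
        /Accepted/        { for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i + 1)]++ }
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i + 1)]++ }
        END {
            for (ip in ok)  seen[ip] = 1
            for (ip in bad) seen[ip] = 1
            for (ip in seen) printf "%s ok=%d failed=%d\n", ip, ok[ip] + 0, bad[ip] + 0
        }' "$1" | sort
}

# Step 5c: brute-force heuristic: IPs with at least N failed attempts (assumed default 10).
suspect_ips() {
    login_counts_by_ip "$1" | awk -v n="${2:-10}" '{ split($3, f, "="); if (f[2] + 0 >= n) print $1 }'
}

# Constructed sample data.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001::/home/oracle:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
EOF

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb 25 02:12:41 host sshd[2098]: Failed password for oracle from 203.0.113.7 port 51220 ssh2
Feb 25 02:12:49 host sshd[2099]: Failed password for oracle from 203.0.113.7 port 51225 ssh2
Feb 25 02:12:55 host sshd[2100]: Failed password for oracle from 203.0.113.7 port 51230 ssh2
Feb 25 02:13:07 host sshd[2101]: Accepted password for oracle from 203.0.113.7 port 51234 ssh2
Feb 25 08:30:12 host sshd[3050]: Accepted publickey for root from 198.51.100.20 port 40112 ssh2
Feb 25 09:02:33 host sshd[3111]: Failed password for invalid user admin from 203.0.113.9 port 33001 ssh2
EOF

echo "== accounts that can log in =="
login_capable_accounts "$SAMPLE_PASSWD"
echo "== successful logins for oracle =="
successful_logins "$SAMPLE_LOG" oracle
echo "== attempts per source IP =="
login_counts_by_ip "$SAMPLE_LOG"
echo "== IPs with 3 or more failures =="
suspect_ips "$SAMPLE_LOG" 3
```

On a real server, point the functions at /etc/passwd and /var/log/secure instead of the sample files. A source address that shows several failures immediately followed by an "Accepted" entry, as 203.0.113.7 does in the sample, is the pattern described above: a successful brute-force login close to the suspected implantation time.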

  6. If the problem persists, you can submit a service ticket.