CPU Exhaustion — Crypto Mining Malware on Web Server
A web server is compromised via an unpatched vulnerability. Crypto mining malware is consuming 100% CPU across all cores, making the web application unresponsive for legitimate users.
Pattern: HIGH_CPU
Severity: CRITICAL
Confidence: 95%
Remediation: Auto-Heal
Test Results
| Metric | Expected | Actual | Result |
| --- | --- | --- | --- |
| Pattern Recognition | HIGH_CPU | HIGH_CPU | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 8 linked | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Auto-Heal — Corax resolves autonomously | |
Scenario Conditions
CentOS 8 web server. 16 cores. xmrig process consuming all CPU. Web app response time: 30 seconds (baseline: 200ms). Server compromised 2 hours ago via Log4Shell.
Injected Error Messages (1)
CPU exhaustion on Web-Server-01 — all 16 cores at 100%, load average 64.2 (high), unknown process 'xmrig' consuming 98% CPU, legitimate web requests timing out, processor queue depth critical
Neural Engine Root Cause Analysis
Web-Server-01 is experiencing CPU exhaustion due to a cryptocurrency mining malware ('xmrig') that has infiltrated the system and is consuming 98% of CPU resources across all 16 cores. This malicious process is starving legitimate web server processes of CPU cycles, causing all web requests to timeout and making the service completely unavailable. The presence of 5 correlated incidents suggests this may be part of a broader security compromise affecting multiple systems.
Remediation Plan
1. Immediately terminate the 'xmrig' process to restore CPU availability
2. Scan the system for additional malware and persistence mechanisms
3. Review system logs to identify the attack vector and timeline
4. Patch any vulnerabilities that may have been exploited
5. Reset any compromised credentials
6. Implement additional monitoring for similar processes
7. Consider temporary network isolation until full security assessment is complete