I got cryptomined 5 times in 10 days. Here's my story 🧵
It started with my CPU suddenly hitting 100%.
I had no idea what was happening. I asked Claude "why is my CPU maxing out?"
That's literally the first time I heard the word "cryptomining."
Ok, easy fix. Just switch to my backup server, right?
Got mined again.
"Ok FINE. I'll just switch hosting providers."
Migrated ALL my products. Took forever. Had to — I needed to keep everything online.
Got mined again.
This was my life for 10 days:
- Get mined
- Migrate all products to keep them live
- Rebuild the server from scratch
- Feel relieved
- Go to step 1

I did this 5 times. I am not a fast learner apparently.

Finally I started to think maybe the problem isn't the servers.

I scanned my local machine. Every single .exe file: infected. 😫

The culprits? A cracked audio plugin. And one time I couldn't install Windows myself so I let a stranger remote into my PC. Classic.

Fresh Windows install. Fresh servers. Hardened everything.

Ran clean for 2 whole days. I was so proud of myself.

Then I deployed a new project and installed one package.

You already know what happened.

The lowest point: I woke up at 3am in a panic, jumped out of bed, sat down at my computer, and started frantically pressing keys. The screen wouldn't turn on.

Because I was still asleep. It was a dream.

I have been dreaming about getting cryptomined for over a week straight.

"My therapist says this is normal. I don't have a therapist."

Anyway. Here's my "never again" checklist. 25 items. Each one is a scar.

Server hardening:
✅ Dedicated user, root login disabled
✅ Ed25519 key auth, password login off
✅ SSH on a non-standard port
✅ UFW firewall, only necessary ports open
✅ IP whitelist, only my fixed IP can connect
✅ Fail2ban against brute force
✅ Automatic security updates

📦 Deploy pipeline:
✅ npm install --ignore-scripts
✅ Review package.json for suspicious packages
✅ npm audit, fix all vulnerabilities
✅ Check for xmrig/scanner_linux and other malware
✅ npx tsc --noEmit
✅ npm run build
✅ pm2 restart

Database:
✅ MySQL bound to 127.0.0.1 only
✅ Separate DB user per product
✅ Passwords hashed with bcrypt

🛡️ App:
✅ JWT auth (jose)
✅ Full HTTPS + wildcard cert
✅ Cloudflare proxy hiding real IP
✅ Docker container isolation
✅ PM2 process management

And yes, I back up to 2 external drives now. Immediately after every deploy. Don't @ me

---

Most security guides are written by people who read about attacks. Mine was written by someone who lived through 5 of them in 10 days.

---

I'm a self-taught solo developer from Inner Mongolia.
Two months ago I didn't know what cryptomining was. Now I've survived it 5 times and I'm still shipping. Some days that's enough.
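Two of the deploy-pipeline items above (`npm install --ignore-scripts` and "check for xmrig/scanner_linux") can be turned into a pre-deploy script. The following is an added example written for this post, not the author's own tooling; the package names, paths and the sample `node_modules` tree it builds are constructed.

```shell
#!/bin/sh
# Pre-deploy checks for an npm project. Constructed example: the sample
# tree, package names and paths below are made up for illustration.

# Print "package-dir: hook" for every package.json under $1 that declares an
# npm lifecycle hook. These are exactly the scripts that
# `npm install --ignore-scripts` skips, so each line is a package to review
# before its install script is ever allowed to run.
list_install_scripts() {
  find "$1" -name package.json -type f 2>/dev/null | sort | while read -r pkg; do
    for hook in preinstall install postinstall; do
      # Loose key match on purpose: a false positive costs a glance,
      # a missed hook costs a server.
      if grep -q "\"$hook\"[[:space:]]*:" "$pkg"; then
        printf '%s: %s\n' "$(dirname "$pkg")" "$hook"
      fi
    done
  done
}

# Print paths of files whose names match the miner binaries named in the
# checklist. A name match is a cheap first screen, not proof either way.
find_miner_binaries() {
  find "$1" -type f \( -name 'xmrig*' -o -name 'scanner_linux' \) 2>/dev/null
}

# Build a constructed node_modules tree: one clean package, one package with
# a postinstall hook that also ships a file named xmrig. Prints the tree root.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/clean-pkg" "$root/node_modules/odd-pkg/bin"
  printf '{"name":"clean-pkg","scripts":{"test":"echo ok"}}\n' \
    > "$root/node_modules/clean-pkg/package.json"
  printf '{"name":"odd-pkg","scripts":{"postinstall":"node setup.js"}}\n' \
    > "$root/node_modules/odd-pkg/package.json"
  : > "$root/node_modules/odd-pkg/bin/xmrig"
  printf '%s\n' "$root"
}

# Run both checks against the sample tree; point them at a real project
# root and its node_modules in a deploy pipeline.
tree=$(make_sample_tree)
echo "== packages with lifecycle hooks =="
list_install_scripts "$tree/node_modules"
echo "== files named like known miners =="
find_miner_binaries "$tree"
rm -rf "$tree"
```

Run it before `npm run build`; a non-empty listing from either check is a reason to stop the deploy and read the package before continuing.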