Hi @steve_corey,
You can start by running `lsof` and `netstat -plntu` to see what processes have listeners running and also what files are held open by them.
Also, I’d advise checking crontabs for all available users. Typically, such miners add cron jobs to do their work and thus it will be your machine that’s establishing a connection to some remote server managed by the attacker and not the other way around.
In addition, of course run `ps faxu` and review all the running procs looking for unwanted ones, and I'd also recommend reviewing the list of installed packages [I believe you're running on RHEL/CentOS, so in your case the command to run to get a list of installed packages would be `rpm -qa`].
Also review /var/log/secure, /var/log/audit/audit.log and /var/log/cron.
If I’m wrong and you’re running on Debian/Ubuntu, you should check /var/log/syslog and /var/log/auth.log.
And, of course, upgrade all your packages to the latest version. That’s an important practice as new exploits are constantly discovered and the distros then provide updates to fix them.