- --install-network now fetches expected hash from /version endpoint and rejects downloads on SHA mismatch (temp file, never writes unverified)
- /version endpoint now includes plugin hashes in 'plugins' field
- ?adventure=true and ?mode=adventure URL params for direct Adventure Mode
- Version bump to 2.1.1

| File |
|---|
| .gitignore |
| crypto_annihilator.py |
| LICENSE |
| README.md |
| scannersend_network.py |
| scannersend_update.py |
| stratum_killer.py |
| test_crypto_annihilator.py |
CryptoAnnihilator
Behavioral crypto mining detector and killer for Linux servers.
Zero pip dependencies. Single file. MIT licensed. Works against known, unknown, custom-compiled, and obfuscated miners.
sudo python3 crypto_annihilator.py --kill --daemon
Why this works when ClamAV doesn't
ClamAV recognizes virus DNA. Attackers just change the DNA.
CryptoAnnihilator recognizes sick behavior. You can't mine without it.
Detection Layers
| Layer | Method | What it catches |
|---|---|---|
| 1 | Protocol | Stratum TCP pattern matching (mining.subscribe, mining.submit, etc.) |
| 2 | Behavior | Sustained high CPU + active outbound connections |
| 3 | Knowledge | 47 known mining pool domains — DNS block + iptables rules |
| 4 | Fingerprint | Connection behavioral fingerprinting — catches throttled/evasive miners |
| 5 | Artifacts | Wallet address extraction from process cmdline, environ, and config files |
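An added example, not CryptoAnnihilator's own code: one way to do the Layer 1 protocol match, assuming Stratum v1's newline-delimited JSON-RPC framing. The function name, the method names beyond mining.subscribe and mining.submit, and the sample payloads are assumptions constructed for illustration.

```python
import json

# Stratum v1 method names. mining.subscribe and mining.submit are named in
# the table above; the others are assumed additions for this example.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",   # miner -> pool
    "mining.notify", "mining.set_difficulty",                  # pool -> miner
}


def stratum_methods(payload: bytes) -> set:
    """Return the Stratum method names found in one captured TCP payload.

    Each line is parsed as a JSON-RPC object instead of substring-matched,
    so text that only mentions a method name (a URL, a log line) is ignored.
    """
    found = set()
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue  # not a JSON object: HTTP headers, banners, binary data
        try:
            msg = json.loads(line.decode("utf-8", errors="replace"))
        except ValueError:
            continue  # truncated segment; the caller should reassemble the stream
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        # A Stratum request carries a known method and a params array.
        if method in STRATUM_METHODS and isinstance(msg.get("params"), list):
            found.add(method)
    return found


# Constructed sample payloads (not captured from a real host).
MINER_OUT = (b'{"id":1,"method":"mining.subscribe","params":["example-miner/1.0"]}\n'
             b'{"id":2,"method":"mining.authorize","params":["WALLET_PLACEHOLDER.w1","x"]}\n')
OTHER_RPC = b'{"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}\n'
MENTION_ONLY = b"GET /docs?q=mining.submit HTTP/1.1\r\nHost: example.test\r\n\r\n"
PARTIAL = (b'{"id":1,"method":"mining.subscribe","params":[]}\n'
           b'{"id":4,"method":"mining.submit","params":["WALLET_PLACE')

if __name__ == "__main__":
    for name in ("MINER_OUT", "OTHER_RPC", "MENTION_ONLY", "PARTIAL"):
        print(name, sorted(stratum_methods(globals()[name])))
```
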
Quick Start
# Scan once, report only (dry run):
sudo python3 crypto_annihilator.py
# Scan and kill detected miners:
sudo python3 crypto_annihilator.py --kill
# Run as persistent daemon:
sudo python3 crypto_annihilator.py --kill --daemon
# Install as systemd service (survives restarts):
sudo python3 crypto_annihilator.py --install
# Full hardening — install + 5-layer persistence + firewall + DNS block:
sudo python3 crypto_annihilator.py --install --fortify --install-firewall --install-dns-block
Optional Plugins
Both plugins are opt-in and independent of the base tool.
ScannerSend Network Plugin (scannersend_network.py)
Reports detected miner wallet addresses to the ScannerSend Network.
- Reports: wallet address, pool host, process name, detection layer
- Never reports: your IP, hostname, system info, usernames, file paths
- Tier 2 (opt-in): contributor tracking via anonymous hash
sudo python3 crypto_annihilator.py --install-network
Auto-Update Plugin (scannersend_update.py)
Checks scannersend.org for new versions and applies updates. Verifies SHA256 before replacing anything.
sudo python3 crypto_annihilator.py --install-updater
Design Philosophy
Consent first. Scan-only by default. Nothing is killed without --kill. Nothing persists without --install. Every destructive action requires an explicit flag.
Leave no trace. Zero telemetry in the base tool. --uninstall removes everything cleanly.
Behavior over signatures. A miner renamed to kworker still pins CPU and connects to pools. That is what we watch.
The Origin
We built this after getting hit. Twice. The second time, we found the miner had installed itself as a systemd service with Restart=always — we killed the process but it came back automatically. We missed the persistence layer.
So we built a tool that fights the same way. Full story: scannersend.org/about
Resources
- Download: scannersend.org/download/crypto_annihilator.py
- SHA256 + version: scannersend.org/version
- Pool blocklist: scannersend.org/pools
- Dirty wallet registry: scannersend.org/wallets
- Docs: scannersend.org/docs
Requirements
- Linux (tested Ubuntu 20.04+, Debian 11+)
- Python 3.6+
- Root (sudo) for kill, install, and firewall operations
- Zero pip installs — stdlib only
License
MIT — scannersend.org/source
By Rav-n-Vic — scannersend.org