Alain and Eric,

Thanks for those answers, that definitely seems to be the issue.

I ran the sigtool command you provided and it displayed the following information:

$ sigtool --find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool --decode-sigs
VIRUS NAME: Txt.Coinminer.Generic-7132166-0
TDB: Engine:81-255,Target:7
LOGICAL EXPRESSION: 0&1&2&3&4&5
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
miner
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
coinhive
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
keepalive
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
params
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
algo
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
pass
$

I then grepped for those 6 strings in my text file and sure enough they are all present in that one single file:

$ grep -i miner /var/log/sid_changes.log | wc
     75     484    5299
$ grep -i coinhive /var/log/sid_changes.log | wc
     12      82     824
$ grep -i keepalive /var/log/sid_changes.log | wc
     10      60     658
$ grep -i params /var/log/sid_changes.log | wc
     10      86     796
$ grep -i algo /var/log/sid_changes.log | wc
     13     152    1302
$ grep -i pass /var/log/sid_changes.log | wc
   1739   17000  151213
$

…Brian
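The false-positive diagnosis above (all six NOCASE subsignatures present in one file, combined by the AND-only logical expression 0&1&2&3&4&5) can be reproduced offline. The following is an added example, not part of the thread or of ClamAV itself: it parses the decoded sigtool output into its subsignatures, then evaluates the logical expression against a file's contents and reports which subsignatures hit. The DECODED_SIG text is rebuilt from the output quoted above and SAMPLE_LOG is a constructed stand-in for the log file; only &, | and parentheses are supported in the expression, not ClamAV's count and offset operators.

```python
import re

# Constructed reproduction of the `sigtool --decode-sigs` output quoted in the
# thread (the OFFSET/SIGMOD lines repeat for each of the six subsignatures).
WORDS = ["miner", "coinhive", "keepalive", "params", "algo", "pass"]
DECODED_SIG = (
    "VIRUS NAME: Txt.Coinminer.Generic-7132166-0\n"
    "TDB: Engine:81-255,Target:7\n"
    "LOGICAL EXPRESSION: 0&1&2&3&4&5\n"
    + "".join(f"* SUBSIG ID {i}\n+-> OFFSET: ANY\n+-> SIGMOD: NOCASE\n"
              f"+-> DECODED SUBSIGNATURE:\n{w}\n" for i, w in enumerate(WORDS))
)

def parse_decoded_sig(text):
    """Return (name, logical expression, {subsig id: (pattern, nocase)})."""
    name = expr = None
    subsigs, cur, lines = {}, None, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("VIRUS NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("LOGICAL EXPRESSION:"):
            expr = line.split(":", 1)[1].strip()
        elif line.startswith("* SUBSIG ID"):
            cur = int(line.split()[-1])
            subsigs[cur] = [None, False]           # [pattern, nocase]
        elif line.startswith("+-> SIGMOD:"):
            subsigs[cur][1] = "NOCASE" in line
        elif line.startswith("+-> DECODED SUBSIGNATURE:"):
            subsigs[cur][0] = next(lines).strip()  # pattern sits on the next line
    return name, expr, {k: tuple(v) for k, v in subsigs.items()}

def evaluate(expr, subsigs, data):
    """Evaluate an expression of subsig ids joined by '&', '|' and parentheses.
    Returns (matched, {subsig id: hit}); count/offset operators are rejected."""
    hits = {}
    for sid, (pattern, nocase) in subsigs.items():
        hay, needle = (data.lower(), pattern.lower()) if nocase else (data, pattern)
        hits[sid] = needle in hay
    if not re.fullmatch(r"[\d&|()\s]+", expr):
        raise ValueError(f"unsupported operator in expression: {expr}")
    # Only digits, &, |, () and whitespace passed the check, so after substitution
    # the string holds nothing but True/False, and/or and parentheses.
    py = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    return eval(py.replace("&", " and ").replace("|", " or "), {"__builtins__": {}}), hits

# Constructed sample of a rule-change log that happens to contain all six words.
SAMPLE_LOG = """2019-01-10 New: ET TROJAN CoinHive Miner WebSocket keepalive
2019-01-10 Modified: WEB_SPECIFIC params=algo in query string
2019-01-10 New: POLICY cleartext pass field
"""

if __name__ == "__main__":
    name, expr, subsigs = parse_decoded_sig(DECODED_SIG)
    print(name, expr, *evaluate(expr, subsigs, SAMPLE_LOG))
```

Removing any one of the six words from the input (for example the single "CoinHive" line) turns the overall result to False, which is why grepping each subsignature separately, as done above, pinpoints the string that pushes a benign text file over the threshold.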