linux
Xapu3ma, 2017-09-08 23:26:42

How to find a miner on linux, if everything is fine in the logs?

Gentlemen, the task is researching a black box, or a cat in a poke, or a horse in a vacuum (call it what you want).
We have a node with Ubuntu Server. [ Linux version 4.4.0-87-generic ([email protected]) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ]
There is malicious code on the server (presumably some kind of miner). The task is to find it.
According to the logs, everything seems to be fine. There was no compromise of the system from outside. There are suggestions that it came either with some distribution kit or the repository was compromised. There is no whitelist of packages and applications. There is no monitoring of file changes. The period when this happened
RKHUNTER didn't find anything. Tell me where to dig and what to look for?


4 answer(s)
younghacker, 2017-09-11
@Xapu3ma-NN

It is rightly said that a miner must eat the processor in order to be useful: all cores on the server are loaded at almost 100%.
The top command will help you.
netstat -nap | grep -i 'established' will show all established TCP sessions,
and tcpdump will help catch outgoing traffic.
Just recently I struggled with a miner on a leaky server.
They upload via php to the /tmp folder,
then they check with ps afx whether a miner is already in memory and run it via nohup.
Since other people are responsible for the leaky sites, I had to prohibit php from running processes.
It helped with the miner. Then the fight began against spam and against the server being used to hack and attack other sites. I had to cut off Apache's ability to initiate outgoing connections and drop all UDP traffic. This is the only possibility, since the developers cannot patch the sites for half a year. The sites are still crappy, but miners don't take root, spam doesn't get sent, and attacks don't happen. The host does not complain. The sites are working.

Pavel Gryaznov, 2017-09-09
@GRbit

The miner loads the CPU; the processes loading the CPU will stand out. Use strace if necessary.

rustler2000, 2017-09-09
@rustler2000

Make a sha1sum of all files on the patient.
Bring up a second one with the same set of packages.
Check what's different.
Determine whether it came from a .deb or otherwise.
If otherwise, then look "by hand": monitor ports and calls to IP/DNS.
PS: etckeeper isn't there either?
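The checksum-and-diff step rustler2000 describes, as an added example that is not part of the original thread: hash every regular file under a clean reference tree and under the suspect tree, then report what was added, removed or modified. The directory layouts and file contents below are constructed for the demo; nothing here is taken from the asker's host.

```python
"""Compare a SHA-1 manifest of a suspect host against a clean reference install.

Added example, not code from the thread: implements the 'sha1sum everything,
build a second box with the same packages, diff' approach. Paths and contents
in demo() are constructed placeholders.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha1_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha1()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(reference, suspect):
    """Classify suspect files relative to the clean reference manifest."""
    added = sorted(set(suspect) - set(reference))
    removed = sorted(set(reference) - set(suspect))
    modified = sorted(p for p in reference if p in suspect and reference[p] != suspect[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario: clean reference vs. host with one tampered and one dropped file."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as sus:
        for root in (ref, sus):
            _write(root, "usr/bin/sshd", b"reference sshd bytes")
            _write(root, "etc/crontab", b"# m h dom mon dow user command\n")
        # Suspect host: cron entry altered and an unknown file dropped in /tmp (constructed)
        _write(sus, "etc/crontab", b"# m h dom mon dow user command\n* * * * * root /tmp/.w\n")
        _write(sus, "tmp/.w", b"unknown binary (constructed placeholder)")
        return diff_manifests(build_manifest(ref), build_manifest(sus))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Files that show up as added and are not owned by any package (dpkg -S reports nothing for them) are the ones worth inspecting first.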

Andrey Zyuzenkov, 2017-09-09
@devzav

I discovered one of the last such miners simply by stopping all the services known to me and looking at the list of running processes. Once, a service shutdown caused a "drop" in traffic and so localized the location of another miner.
