Legit
darmanex weblog journey
!(c) 2008 - 2021
Powered by Blogger
December 26, 2020

Malware alert? kdevtmpfsi get cpu high usage

darmanex | 6:26 PM
Well, a couple days ago my friend contacted me that his server on Linode Cloud Hosting & Linux Servers was infected a malware. His server that had cpu high usage. After checking in-depth that the name of malware is kinsing, and was owned by postgres user.

Removing the malware
On this step we'll remove the malware manually. FYI, the characteristic of malware that he will create a kdevtmpfsi on /tmp and kinsing on /var/tmp directory, and the impact is it will consuming high CPU on the server. Every time I tried to removed the kdevtmpfsi and kinsing file on /tmp and /var/tmp but no luck, it will recreating by itself and running as postgres user.
As you can see above, the malware tried to download kinsing file from ip address 188.119.112.132.

Step to remove
As describe here, assuming you have been removed the malware on /tmp and /var/tmp directory, then create a kdevtmpfsi and kinsing file as follow:
At first, find and remove it:
# find / -iname kdevtmpfsi -exec rm -fv {} \;
# find / -iname kinsing -exec rm -fv {} \;    

Then create it:
# touch /tmp/kdevtmpfsi && touch /var/tmp/kinsing
# chmod 000 /tmp/kdevtmpfsi && chmod 000 /var/tmp/kinsing
# chattr +i /tmp/kdevtmpfsi && chattr +i /var/tmp/kinsing

Then purge remove of postgresql.
# apt-get remove --purge postgresql
After the step above, please reboot the server, and then install again the postgresql.

That's all!

References:
https://boxmatrix.info/wiki/Property:kdevtmpfs
https://en.wikipedia.org/wiki/Chattr#In_Linux_systems_.28chattr_and_lsattr.29
https://htop.dev/
https://linux.die.net/man/1/top

0 comments:

Post a Comment

Please leave a comment and do not give a spam! Comments that smells of spam will be deleted without prior notice