In this step we remove the malware manually. For reference, this malware creates a file named kdevtmpfsi in /tmp and a file named kinsing in /var/tmp, and its visible impact is very high CPU usage on the server. Every time I removed the kdevtmpfsi and kinsing files from /tmp and /var/tmp, it was no use: the malware recreated them by itself, running as the postgres user. As you can see above, the malware tried to download the kinsing file from the IP address 188.119.112.132.
Steps to remove
The approach, as described here: after removing the malware files from /tmp and /var/tmp, create empty, immutable files with the same names at the same paths, so that the malware can no longer write its binaries there. One check before you start: deleting the files while the kdevtmpfsi and kinsing processes are still running is not enough, because the running process is what downloads the binary again. Find the processes (top or htop will show them at the top of the CPU list) and kill them first, then find and remove the files:
# find / -iname kdevtmpfsi -exec rm -fv {} \;
# find / -iname kinsing -exec rm -fv {} \;
Then create empty files with the same names, make them unreadable, and mark them immutable. chattr +i must be run as root, and the filesystem has to support the immutable attribute (ext4 and XFS do); check with lsattr that the i flag is actually set:
# touch /tmp/kdevtmpfsi && touch /var/tmp/kinsing
# chmod 000 /tmp/kdevtmpfsi && chmod 000 /var/tmp/kinsing
# chattr +i /tmp/kdevtmpfsi && chattr +i /var/tmp/kinsing
Then purge PostgreSQL, since the malware was running as the postgres user:
# apt-get remove --purge postgresql
After the steps above, reboot the server and then reinstall PostgreSQL. Because the malware ran as the postgres user, the PostgreSQL service is the likely entry point: before the new instance goes back into service, make sure it is not reachable from the Internet and does not use weak or default credentials, otherwise the server will simply be reinfected. That's all!
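The whole procedure as one script, written as an added example for this post rather than code from the original. It adds two things the steps above leave out: killing the running processes before the files are deleted, and a check afterwards that no non-empty file named kdevtmpfsi or kinsing is left. Assumptions made here that the post does not state: the malware only ever uses those two file names; the directory argument to remove_malware and verify_clean is a hypothetical addition so the functions can be tried in a scratch directory before they are run against / as root; chattr +i is skipped with a warning when not running as root; and apt-get is given -y.

```bash
#!/bin/sh
# Added example, not code from the original post. Assumes the malware only
# ever uses the two file names kdevtmpfsi and kinsing. The directory argument
# to remove_malware/verify_clean is an addition made here so the functions can
# be tried in a scratch directory before being run against / as root.
set -eu

MALWARE_NAMES="kdevtmpfsi kinsing"

# Kill the running copies first: deleting the binary does not stop a process
# that is already running, and that process is what downloads the file again.
kill_malware() {
    for n in $MALWARE_NAMES; do
        pkill -9 -x "$n" 2>/dev/null || true
    done
}

# Delete every regular file with a malware name below $1 (default /).
# -xdev keeps find on one filesystem, so /proc and /sys are not walked.
remove_malware() {
    root=${1:-/}
    for n in $MALWARE_NAMES; do
        find "$root" -xdev -type f -iname "$n" -exec rm -fv {} \; 2>/dev/null || true
    done
}

# Reverse of pin_placeholder, for when the placeholder has to go again.
unpin_placeholder() {
    chattr -i "$1" 2>/dev/null || true
    rm -f "$1"
}

# Put an empty, unreadable, immutable file at $1 so the dropper cannot write
# there. chattr +i needs root and a filesystem with the immutable attribute
# (ext4, XFS); otherwise it is skipped with a warning.
pin_placeholder() {
    path=$1
    unpin_placeholder "$path"
    : > "$path"
    chmod 000 "$path"
    if [ "$(id -u)" -eq 0 ] && command -v chattr >/dev/null 2>&1; then
        chattr +i "$path" || echo "warning: chattr +i failed on $path" >&2
    else
        echo "warning: not root or no chattr, $path is not immutable" >&2
    fi
}

# Succeeds only if no non-empty file with a malware name remains below $1.
# The empty placeholders are deliberately ignored (-size +0c).
verify_clean() {
    root=${1:-/}
    for n in $MALWARE_NAMES; do
        if [ -n "$(find "$root" -xdev -type f -iname "$n" -size +0c 2>/dev/null)" ]; then
            echo "still present: $n under $root" >&2
            return 1
        fi
    done
    return 0
}

# The full sequence from the post, to be run as root on the infected host.
# Not called automatically: source this file and run full_cleanup yourself.
full_cleanup() {
    kill_malware
    remove_malware /
    pin_placeholder /tmp/kdevtmpfsi
    pin_placeholder /var/tmp/kinsing
    verify_clean /
    apt-get remove --purge -y postgresql
    echo "now reboot, then reinstall PostgreSQL"
}
```

Source the file (`. ./cleanup.sh`) and try `remove_malware` and `verify_clean` on a scratch directory first; then run `full_cleanup` as root. If `verify_clean /` still reports a file, the dropper is writing somewhere other than the two paths the post names, and the process list needs another look before you reboot.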
References:
https://boxmatrix.info/wiki/Property:kdevtmpfs
https://en.wikipedia.org/wiki/Chattr#In_Linux_systems_.28chattr_and_lsattr.29
https://htop.dev/
https://linux.die.net/man/1/top