How to resolve "kdevtmpfsi", the crypto-mining malware, when it is running and taking all the CPU load of your server (or container).
One day your server (or container) is running with a very high CPU load, more than 100%. You check the processes with the "top" command and sort them by CPU load with the shortcut "Shift + P", and it looks like the screenshot below:
I'm sorry, but your server is infected with the crypto-mining malware named "kdevtmpfsi". The name mimics "kdevtmpfs", a legitimate Linux kernel thread, so it is easy to overlook in a process list.
I will list some links about the malware, its cause, and its propagation mechanism at the end of this post.
Now to the detailed steps I used to resolve this issue on my server, which runs the Amazon Linux 2 AMI.
Step 1: As you can see in the image above, the process is running as the root user, so the first thing to check is root's crontab. List it with "sudo crontab -u root -l".
As you can see, this cron job downloads the script unk.sh from the attacker's server 195.3.146.118 and executes it on your server, which is how the miner keeps getting reinstalled. Remove the crontab with the following command. Be aware that "crontab -r" deletes every entry in root's crontab, legitimate ones included, so save a copy of the listing first if root has other jobs you need.
sudo crontab -u root -r
Re-check with "sudo crontab -u root -l" to make sure the cron job is gone.
Step 2: Find the paths of the two binaries "kdevtmpfsi" and "kinsing" with these commands:
sudo find / -name kdevtmpfsi
sudo find / -name kinsing
You will get paths like "/tmp/kdevtmpfsi" and "/var/tmp/kinsing". Remove all access permissions from these files:
sudo chmod 000 /tmp/kdevtmpfsi
sudo chmod 000 /var/tmp/kinsing
Note: remove the permissions, do not delete the files yet. If you delete them while the "kinsing" daemon is still running, it can fetch and start them again; with mode 000 the files are still present but can no longer be executed.
Step 3: Kill the "kdevtmpfsi" process first. You can read its process ID from the "top" output above (14867 in my case).
sudo kill -9 14867
Step 4: Check with "top" again and you will see a process named "kinsing" running; it is the daemon that keeps trying to restart "kdevtmpfsi". Find its process ID in "top" or with "sudo netstat -lnp | grep kinsing", which lists listening sockets together with the owning process, then kill it (32222 in my case).
sudo kill -9 32222
Note: until you have killed "kdevtmpfsi", you will not see the "kinsing" process.
Step 5: Go back to "top" and make sure both processes are gone. If they are still running, kill them again in the same order, "kdevtmpfsi" first, then "kinsing", and keep watching for about 5 - 10 minutes to make sure they do not come back. Once they stay down, you can delete both files, "/tmp/kdevtmpfsi" and "/var/tmp/kinsing".
sudo rm -rf /tmp/kdevtmpfsi
sudo rm -rf /var/tmp/kinsing
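The five steps above, collected into one shell script. This is an added example, not code from the original post: the indicators (the IP 195.3.146.118 and the script name unk.sh) are the ones the post quotes from its cron job, the backup path under /root and the 600-second quiet period are my assumptions, and the crontab text at the bottom is constructed sample input used only to exercise the detection logic offline. The live cleanup is gated behind a "--run" argument and must be run as root on the infected host.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper functions for the
# kdevtmpfsi / kinsing cleanup described in Steps 1-5. Everything that touches
# the live system sits behind "--run"; the functions can be exercised against a
# scratch directory and a constructed crontab dump.

# Indicators taken from the post: the cron job fetched unk.sh from 195.3.146.118.
MAL_IP_RE='195\.3\.146\.118'
MAL_SCRIPT_RE='unk\.sh'

# Print non-comment crontab lines (read from stdin) that match either indicator.
# Usage: crontab -u root -l | suspicious_cron_lines
suspicious_cron_lines() {
    grep -E "(${MAL_IP_RE}|${MAL_SCRIPT_RE})" | grep -Ev '^[[:space:]]*#' || true
}

# Exit status 0 if the crontab text on stdin contains at least one suspicious line.
cron_is_infected() {
    n=$(suspicious_cron_lines | wc -l)
    [ "$n" -gt 0 ]
}

# Step 1 with a safety net: "crontab -r" wipes every entry, legitimate ones
# included, so keep a copy of the listing before removing it. Backup path is
# an assumption of this example.
remove_root_crontab() {
    backup="/root/crontab.root.$(date +%s).bak"
    crontab -u root -l > "$backup" 2>/dev/null || true
    crontab -u root -r
    echo "root crontab saved to $backup and removed"
}

# Step 2: find every file named kdevtmpfsi or kinsing below ROOT (default /)
# and strip all permissions so kinsing cannot re-execute them. Prints each path.
neutralize_binaries() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -name kdevtmpfsi -o -name kinsing \) 2>/dev/null |
    while IFS= read -r f; do
        chmod 000 "$f"
        printf '%s\n' "$f"
    done
}

# Steps 3-5: kill kdevtmpfsi first, then kinsing, then keep watching until both
# names have been absent for QUIET seconds (default 600, the 5-10 minutes the
# post suggests). Anything that respawns is killed again in the same order and
# the clock restarts. Gives up after 20 respawns.
kill_miner() {
    quiet_needed="${1:-600}"
    quiet=0
    respawns=0
    pkill -9 -x kdevtmpfsi 2>/dev/null || true
    sleep 1
    pkill -9 -x kinsing 2>/dev/null || true
    while [ "$quiet" -lt "$quiet_needed" ]; do
        if pgrep -x kdevtmpfsi >/dev/null 2>&1 || pgrep -x kinsing >/dev/null 2>&1; then
            pkill -9 -x kdevtmpfsi 2>/dev/null || true
            pkill -9 -x kinsing 2>/dev/null || true
            quiet=0
            respawns=$((respawns + 1))
            [ "$respawns" -lt 20 ] || return 1
        else
            quiet=$((quiet + 5))
        fi
        sleep 5
    done
    return 0
}

# Live run, as root on the infected host:  sh cleanup.sh --run
if [ "${1:-}" = "--run" ]; then
    if crontab -u root -l 2>/dev/null | cron_is_infected; then
        remove_root_crontab
    fi
    neutralize_binaries /
    if kill_miner; then
        # Step 5: only delete the files once both processes have stayed down.
        neutralize_binaries / | while IFS= read -r f; do rm -f "$f"; done
        echo "kdevtmpfsi and kinsing removed"
    else
        echo "miner keeps respawning; look for another persistence mechanism" >&2
        exit 1
    fi
fi
```

The order inside kill_miner matters for the reason the post gives: kinsing restarts kdevtmpfsi, so killing the miner first and the daemon second, then waiting, is what confirms nothing is left to respawn them.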
With these steps I resolved the "kdevtmpfsi" crypto-mining malware issue on my server running the Amazon Linux 2 AMI. I hope they are helpful for you.
Here are links about the "kdevtmpfsi" malware, its cause, and its propagation mechanism:
Thank you.
Hello Koacervate, thank you so much for having written this article and for your BIG help. It saved my day and took a big headache away. Thank you so much!